My Cybersecurity Journal: Configuring Cisco FMC File Type and Malware Protection

The Firepower system applies several methods of file inspection and analysis to determine whether a file contains malware. Depending on the options you enable in a file rule, the system inspects files using the following tools, in order:

1. Spero Analysis and AMP Cloud Lookup
2. Local Malware Analysis
3. Dynamic Analysis

File Rule Configuration Guidelines and Limitations

A rule configured to block files in a passive deployment does not block matching files. Because the connection continues to transmit the file, if you configure the rule to log the beginning of the connection, you may see multiple events logged for this connection.
A policy can include multiple rules. When you create the rules, ensure that no rule is "shadowed" by a previous rule.
The file types supported for dynamic analysis are a subset of the file types supported for other types of analysis. To view the file types supported for each type of analysis, navigate to the file rule configuration page, select the Block Malware action, and select the checkboxes of interest.

To ensure that the system examines all file types, create separate rules (within the same policy) for dynamic analysis and for other types of analysis.
If a file rule is configured with a Malware Cloud Lookup or Block Malware action and the Firepower Management Center cannot establish connectivity with the AMP cloud, the system cannot perform any configured rule action options until connectivity is restored.
Cisco recommends that you enable Reset Connection for the Block Files and Block Malware actions to prevent blocked application sessions from remaining open until the TCP connection resets. If you do not reset connections, the client session will remain open until the TCP connection resets itself.
If you are monitoring high volumes of traffic, do not store all captured files, or submit all captured files for dynamic analysis. Doing so can negatively impact system performance.
You cannot perform malware analysis on all file types detected by the system. After you select values from the Application Protocol, Direction of Transfer, and Action drop-down lists, the system constrains the list of file types.

File Detection Notes and Limitations

If a file matches a rule with an application protocol condition, file event generation occurs after the system successfully identifies a file’s application protocol. Unidentified files do not generate file events.
FTP transfers commands and data over different channels. In a passive or inline tap mode deployment, the traffic from an FTP data session and its control session may not be load-balanced to the same internal resource.
If the total number of bytes for all file names for files in a POP3, POP, SMTP, or IMAP session exceeds 1024, file events from the session may not reflect the correct file names for files that were detected after the file name buffer filled.
When transmitting text-based files over SMTP, some mail clients convert newlines to the CRLF newline character standard. Since Mac-based hosts use the carriage return (CR) character and Unix/Linux-based hosts use the line feed (LF) character, newline conversion by the mail client can modify the size of the file. Note that some mail clients default to newline conversion when processing an unrecognizable file type.
To detect ISO files, set the "Limit the number of bytes inspected when doing file type detection" option to a value greater than 36870

File Blocking Notes and Limitations

If an end-of-file marker is not detected for a file, regardless of transfer protocol, the file will not be blocked by a Block Malware rule or the custom detection list. The system waits to block the file until the entire file has been received, as indicated by the end-of-file marker, and blocks the file after the marker is detected.
If the end-of-file marker for an FTP file transfer is transmitted separately from the final data segment, the marker will be blocked and the FTP client will indicate that the file transfer failed, but the file will actually completely transfer to disk.
File rules with Block Files and Block Malware actions block automatic resumption of file download via HTTP by blocking new sessions with the same file, URL, server, and client application detected for 24 hours after the initial file transfer attempt occurs.
In rare cases, if traffic from an HTTP upload session is out of order, the system cannot reassemble the traffic correctly and therefore will not block it or generate a file event.
If you transfer a file over NetBIOS-ssn (such as an SMB file transfer) that is blocked with a Block Files rule, you may see a file on the destination host. However, the file is unusable because it is blocked after the download starts, resulting in an incomplete file transfer.
If you create file rules to detect or block files transferred over NetBIOS-ssn (such as an SMB file transfer), the system does not inspect files transferred in an established TCP or SMB session started before you deploy an access control policy invoking the file policy so those files will not be detected or blocked.

File Policy General Guidelines and Limitations

You cannot use a file policy to inspect traffic handled by the access control default action.
For a new policy, the web interface indicates that the policy is not in use. If you are editing an in-use file policy, the web interface tells you how many access control policies use the file policy. In either case, you can click the text to jump to the Access Control Policies page.
For an access control policy using a file policy with Block Malware rules for FTP, if you set the default action to an intrusion policy with Drop when Inline disabled, the system generates events for detected files or malware matching the rules, but does not drop the files. To block FTP file transfers and use an intrusion policy as the default action for the access control policy where you select the file policy, you must select an intrusion policy with Drop when Inline enabled.
Based on your configuration, you can either inspect a file the first time the system detects it, and wait for a cloud lookup result, or pass the file on this first detection without waiting for the cloud lookup result.

Below are the File Policy Rules configured in my FMCv.

To create a File Policy, go to Policies > Malware & File.

Click New File Policy (or Add a new policy hyperlink).

Type a Name > click Save.

Under Rules tab > click Add Rule.

For Rule #1, we Block (with Reset Connection) the Download of MP3, Zipped and Executable files (.exe) using the HTTP or FTP protocol.

For Application Protocol > choose Any.

For Direction of Transfer > choose Download.

For Action > choose Block Files. The Reset Connection will be automatically selected (ticked).

Select the File Type Category or type/search the specific File Type > click Add to move under Selected File Categories and Types column on the right > Save.

You can optionally click Store files (for Sandbox/Malware Cloud analysis).

For Rule #2, we Block (with Reset Connection) the Upload of Any Word and PDF Documents that falls under the Category of Office Documents and PDF files using the HTTP protocol.

Click Save.

For Rule #3, we configure a File Policy Rule to Detect (for Logging) the Upload or Download of Any Files using Any transfer protocol.

Click All File Type Categories > Add > click Store files > Save.

Click Save (disk icon).

Apply the File Policy Rule under Access Control Policy (ACP), go to Policies > Access Control.

Click edit (pencil icon).

Apply the File Policy Rule to the ACP Rule which has an allow Any HTTP Rule (in this case Rule #10).

Modify the Allow HTTP Rule (LAB_WEB Rule 10) by going under the Inspection tab (for File Type Inspection policy).

Under the Applications tab > type/search for HTTP, HTTPS and FTP under Available Applications > select FTP (Control) and FTP Data > click Add to Rule to move to the Selected Applications and Filters column on the right.

Select the File Policy (LAB_FILE_POLICY) created earlier under File Policy > click Save.

Notice the File Policy for LAB_WEB Rule #10 is now highlighted (turned yellow).

Click Save and Deploy.

My HTTP File Policy test failed due to HTTPS encryption when I downloaded the test files from this link.

I did an individual test for each rule. This is an HTTP only (not HTTPS/SSL) Download for an Archive (.zip) file, which is an EICAR test file.

Notice the HTTP connection was reset.

You can verify FMC Event logs under Analysis > Connections > Events.

Notice the Reason File Block, which hit the File Type Policy Rule.

This is an HTTP Download for an Executable (.exe) test file.

Notice the file download Failed-Network error.

This is the HTTP Download for audio (.mp3) test file.

These were the FTP Download tests from a public FTP server.

This is the FTP download for a .zip file.

This is the FTP download for a .exe file.

You can verify FMC File Events under Analysis > Files > File Events.

You can verify FMC Captured Files under Analysis > Files > Captured Files.

This is the HTTP Upload test on a public HTTP server for Document (MS Word).

Notice the HTTP connection was blocked (reset) and uploading process was terminated.

This is the HTTP Upload test for a PDF file.

Click Table View of File Events to view more details.

Notice the SHA-256, Type, Category and Name of File Policy for the downloaded and uploaded files.

You'll need the FMC Advanced Malware Protocol (AMP) License in order to perform Malware Block and Cloud Lookup.

Add a new File Policy specifically for Malware type under Policies > Access Control > Malware & File > click edit (pencil icon on the right)

Click Add Rule.

Select Application Protocol:Any > Direction of Transfer: Download > Action: Block Malware.

The options for Spero Analysis for MSEXE, Dynamic Analysis and Reset Connection will be automatically selected (ticked). Spero analysis supplements analysis of SHA-256 hash values, allowing for more complete identification of malware in executable files

You also have the options to Store Files for Malware, Unknown Clean and Custom Malware types.

Select (tick) the File Type Categories (in this case Archive and Executables) > click Add > Save.

I got a Warning (1 and 2) since there's an overlap between the two File Type Rules.

I removed Rules #1 (MP3, ZIP and MSEXE) and 3 (Detect Files) for testing Malware Detection and Blocking.

Click Save and Deploy.

I tried Downloading EXE and ZIP EICAR test files from this link.

I tried to Download a 16-bit EXE test Malware file (via http) and got a connection reset on my web browser.

You can view the FMC Malware File Events under Analysis > Files > File Events.

Notice the Disposition column detected a Malware with a Category of Executables.

Click Table View of File Events.

Notice the Action of Malware Block and Malware Cloud Lookup. The PC icon for Receiving IP (192.168.1.130), which is my Windows 7 VM, had an amber (light orange) color. Click on the PC icon.

Notice the File Name of the Malware (tvirus.exe), had a SHA-256 signature and has a Threat Score of Very High.

The host displayed an Indication of Compromise (IOC), which means the host detected a Malware transfer.

You can view the history and trajectory on how the Malware spread in the network under Analysis > Files > Network File Trajectory.

Click on the File SHA-256.

You can view Malware Event Logs under Analysis > Files > Malware Events.

Click on Table View of Malware Events to get more details.

I tried to Download a 16-bit ZIP test Malware file (http) but got a connection reset error.

To view Malware Event Logs, go to Analysis > Files > Malware Events.

Notice the ZIP under File Type and it detected a Ransomware.

Click Table View of Malware Events to view more details.

Notice the File Type is now ZIP.

To view the history and trajectory on how the Malware spread in the network under Analysis > Files > Network File Trajectory View. Click on File SHA256 for tv_exe.zip