Cisco CCNP Security 300-710 SNCF – Cisco NGFW Firepower Threat Defense (FTD) Part 11

48. Lecture-48:Introduction and Concept of Malware & File Policy.

Next policy is malware and file policy. Keep in mind it’s been combined. So basically it’s two policy which has been combined and worked together. Malware. We know Malaysia software, it’s an umbrella term and we discuss in many courses and also in this course I think. So first or second slide we discuss what is malware. So malware is umbrella term which many things are coming under this one? Spyware, viruses, worms, Trojans, all those things are coming botnet, all those things coming under malware. Okay? And the other one is file policy. File policy like FTP file, Microsoft file, either Excel file, Word file, these are called file. So we can use this combined policy to achieve two main things file control. Maybe you don’t want that somebody send either download exe file. So then you need a file policy. Maybe that file is clean up. Not saying that the file is infected in some organization they say I don’t need that. Some user can download exe file. It may be clean, it may not be clean. But we want control of file in the network. Then you need a file policy to control this file can be downloaded and this can be uploaded, this cannot be download and this cannot be upload. So for that purpose, what you can do, you need a file policy. But the second part of this policy is malware. Maybe you want to check any file which has been download either upload for malware. And I told you, marvel can be a virus is warm, trojan, so many things botnet, so many things are coming under this malware. So that nobody can go to website and download such file either. Nobody can upload something which is malicious to any website. So for that purpose then we need a malware policy.

And policy we already know what is policy. It’s a rule and regulation which per your company, you apply to your firewall. Now, how they know that this file is malicious, so they are using advanced malware protection again, this will we will do in this course. The last lecture in more detail. But advanced malware protection is a cloud based solution by Cisco. Same like a security intelligence. So they will send a hash file again, we know hash how to generate, I told you from MD, five hash. Every file has a unique hash, same like our fingerprints. Even a shortcut has a unique hash value. So when they generate a hash value of every file, they send that hash rather than to send the file, they send the hash which is a small file, a number you already know. So they will check with the advanced malware protection and Cisco website cloud base that can you check this hashmage to any of your database? It’s like a DNA, it’s like a blood, it’s like a fingerprints which can be checked in the database. If it is mech, they will say okay, this is a month fingerprints because we have his detail in database. So advanced Malware protection keep all the malware records. Their hash is video. So whenever file is downloading either uploading so file policy and Malware policy will create a hash. They will send that hash to Cisco. Amp amp is nothing but advanced malware protection system. They will check that check. Can you check this one? Like when you go to airport, they are checking on the airport. That okay. Let me check your data into a database. It’s okay. Then you are allowed either you can download and this way they will detect the Malaysia thing. So nobody can download either upload such thing. So Malware is doing this part and the other part is file control. But only one thing is required.

The management interface need to be reachable to internet. Then you can check. Otherwise they will check in local database. They have a local database as well, which is limited. So it’s better that your firewall management is connected to internet so that you can check with your MP. Second, you need a license. By the way, two license thread license and Malware license has to be activated. But because we are using evaluation license so I believe we already have if I go to my device management and if I check my device so there is maybe it’s not visible but I think so how can we see if it is? So you can see there is Malware and Thread as well. So both we have the license. License is not an issue. And also you can check from here when we go to smart licenses and see which license is activated. So thread license is activated for this device. Okay. And also Malware license is activated. We need these two license to achieve these two things. Malware and file policy. So it’s also required which we have. If it is not, then you need to buy extra license from Cisco. So file policy, we can monitor activities, we can audit which thing is going, which going is coming, which is uploading downloading. And we can restrict the file that nobody can download PDF file, nobody can upload exe file, nobody can download XD file. And the other side is Malware. Malware will check every file for viruses, malware exploit kit and any other dangers either dangerous thing. It can be anything malicious.

So these two things is call Malware and File policy. Now coming to option, which option and which action they can take. Same like other policies. So I need to show you first from here. So let’s go to policy. And here is Malware and file policy. So let me click on Malware and file policy. By default there is no policy. You need to create a new one. So I say malware file policy. I give the same name and description if you want to give them. So again it’s open. But I need to create a rule. So click on rule and here is the action but before action, let’s say that option can be clean, unknown, malware and unavailable, I think. So there is one. If I choose this one here, there is malware, unknown, clean and custom. You can store these one as well. So clean means that the file is clean, there is no malware, no malicious, no nothing. And it’s clear, this person is clear. You, you can go, you can download and then you can upload. Second thing is unknown. Unknown means that Amp don’t know the hashes. Maybe in his database the detail is not there. Maybe when I send my fingerprints to the country, which I’m leaving, they say that no, his detail is not on database. So maybe this is their mistake either. Maybe I’m not registered and maybe I was out of country for a long time, so my detail is not there. And maybe I am a bad person. It can be a zero day attack. Zero day.

Maybe somebody just created a new virus which is not in the database. This is called zero day exploit. So if it is a noun, so there are two possibilities. Amp don’t know about that file, it can be any other reason. And either somebody created that file just now, which is a virus, and MP don’t know about that new virus. So then this is called unknown. Third one is Malware. It means MP say this is a malicious, this may be a virus, this may be a warm, this can be anything, anything malicious. It means they know them and they declare it as a malware. And the last thing is unavailable. Unavailable means maybe your internet is not reachable to MP, maybe Amp is down, maybe your internet is slow. It can be many reason which you are has not reaching to there to MP to get the detail. Maybe in the middle, maybe your server is down, maybe your internet is slow, maybe you don’t have internet on your management interface to reach to Amp and so many other reason, then this is called unavailable. Okay, so these options are clear to you now, going before the other option to discuss, you need to know Amp. Just in shortcut, in detail, we will discuss later in the course. Amp means advanced malware protection. And the name suggests it’s a malware protection solution. It’s a defense system to protect your network, your end point, your next generation. Your IPS is integrated in everything.

And this is a Cisco solution. And it’s monitoring the file all the time. And CCNP security we also discuss in detail. It’s providing you visibility, control, protection, everything against any thread and what they have done. Cisco integrate this to endpoint. Also this is the next generation. And also NWS and Es means WSF and also an email security appliance and web security applies and also an FTD. We have this solution, so it’s getting everything from cloud and also we have some of the things in our local, in our firewall as well. But amp is also available for endpoint solution as well. So this is called amp. I just take this slide from CCNP. There is in more detail now coming to the detail window. Because when you open this window to apply file policy and malware so you will see a lot of things and maybe you will worry that what the hell is this? So basically there is nothing.

The first thing is application protocol on which protocol you want to apply. This file policy and this malware policy it’s any http SMTP im pop three and FTP and SMB any means any for our http and https you need to choose http for email you need to choose the three and FTP you need to choose the last and after the sharing one SMB. Also you can but I will say any. So there’s the protocol which we can check. So you can restrict for specific protocol as well. But it’s better to leave them as a any then direction. Direction means you want to restrict upload either downloads. It’s also possible to create different rule for upload different and for download different. It’s also possible again I believe is in any further purpose. But in real world you need to put restriction for upload differently and download differently. Then there is a file type category. These are different file and how many files are inside. Like office document. In office we have document, we have access file file and we have so many files. If you need a specific rule for suppose which file mail either Microsoft X is just add this one. Here you can delete if you need all Office document 18, then add sorry, if you click this one and it will add all Office document, it means an Office document 18.

All these are included. So you can create a rule for specific one file type either file category, whole category and for multiple as well. Archive is the zip and those things archive all those things multimedia. So multimedia file, executable, exe and all those file PDF file and then encoding graphics systems and all those related file you can choose and you can add them all either specific file if you need. So you need to choose from here and from here you can delete them and here you can specifically add and you can delete them as well. So this is file category. Now coming to the action part. These are the action which you can take. Detectf file block, file malware, cloud lookup and block malware. These are the action which you can take. So this part is clear to you. Application protocol or tool. Which application protocol you want to apply this policy and which direction you want to apply this policy. Which type you want to apply this policy? MP3 either executable, exe, PDF, document word you can put as a category, you can put as a single file. And these are the action which we are talking about. Now, one of them is block file. This one is easy to do it first. You just want to block the file. It may be infected, it may not be. Infected. It can be a normal file. But you don’t want to let somebody download either upload that file. So this is called file control. Maybe in your organization.

Your manager said that block any exe file. So that nobody can download. So you will say that somebody sometime needs the software to download. And it’s good software. We know where is the website. You say no, this is our policy. Nobody can download exifile. So it means the exifile. Is clean. But you want to put restriction on file. So this is file control rule. There is no need of Malaysia or nothing there. So this is called block file. You don’t want that file. That’s it and reset. Connection if you uncheck, so it will stay away. Block. If you say reset connection. So it will reset the connection. TCP will be reset. We already know this one. So this action is just to control the file? It can be infected. It cannot be. In most cases, it not. But you want a control. Okay. Done. This one is okay. Second is block malware. If we go, there is block malware. Block malware means check for any file. Which someone is downloading either uploading because we say direction any if there is a malware, there is a virus, spyware, botnet, anything malicious, block straight away because this file is infected, it can be allowed. Maybe that file you already allowed but it’s infected. There is a virus. They will block them. So this section will do. They will only block those file which is infected which there is something malicious. You get my point? What I’m saying? Forget about these options we will discuss a bit later now coming to the third one is Detect File. Here is Detect file. Detect File means this is also related to file control because this policy is for two different things. They will just deduct them.

They will just generate log. But they will not stop them to download or upload. Even if it is infected, it will not stop them. Because the depth file means just check the logs. For file, which file is upload, which file is download. But do nothing. Just generate a logs which we will see later in the lab. Done. So it will generate log, but still it will allow. The file will go. And the last one is Malware cloud. Lookup, there is Malware cloud. Lookup. This was block malware. This one is Malware cloud. Lookup means I just told you. Malware cloud. Lookup. Cloud means amp cloud. So if you choose this one. It means that send the hash to Amp Cloud and check this person. Either this file either this thing is infected or not. If there is a virus, just generate logs so that we know this file was infected, but don’t block them. So Malware cloud Lookup will not block anything again. It will just send the hash to cloud and will get the report. And we’ll give you the report that the file which you download is infected. It is wireless there, there is a malware, there is anything. They will just tell you this thing, that’s it. But it will not block you. So it means if we check overall, so this will control the file and this will control the malware. It will stop the file and this will stop the malware. This will will check the detail and generate log and this will generate the file detail logs and this will generate the malware detail logs.

So these two combinedly work and these two are combinedly work. So if we see together two option is for file control and two option is for the malware control. And overall we call them malware and file policy. Good. So these were the action. Now coming to the other stuff. When you select malware cloud lookup, so there is spare analysis, dynamic analysis, capacity handling and local malware. But if I choose detect so nothing is there. And if I choose block Suarez, it is there. And if we choose block malware so again all these things are coming. What is this? So let’s go there. Forget about this one, let’s go there. Then spare analysis. What is pair of analysis? You know, this is specially for XD File. Because XD File in the network is very dangerous. So every exe file is a signature. So if you select spare analysis. So when somebody is accessing XD file uploading or downloading, they will generate a signature and will send it to cloud amp cloud and they will check through that signature. Every exifile is a different signature. If there is any malicious, they will detect and they will report you. So this is a special type of option for XD file. Done. This one is done. Then dynamic analysis. What is dynamic analysis? Dynamic analyses work with this malware policy. If there is a new file either unknown or take either unknown file which is created, maybe just now, what they will do?

They will send the file hash to the cloud and check. If there is no record, they will keep the file, they will send box them, they will what is called when you visit nowadays, when you visit from one country to another country, they say you need to spend two week in a hotel. I don’t know, I forgot the name Karanthin or something. So it’s dynamic analysis, the same thing. So when they know unknown file, so they will check and they will keep them for a while for testing purpose. And then they will release if it is clean. Okay, this one is done. Capacity handling means that maybe the cloud is not reachable. Maybe you send the hedge, but for some reason so capacity handling, if you enable this feature, this option. So they will store the file for later processing and whenever the MP is allowed, then they will send the file that okay, now we can send them again. So it’s a temporary solution. So they will keep the file. Okay, so that option is this one local Marvel analysis. If amp is not reachable for some reason your cloud solution is not reachable. So there is a local file as well, local signature as well. At least they will check locally. So you can check locally as well. And the last thing is reset connection. It will reset TCP connection. Okay. And store file means you can keep locally these file in your firewall, which will take much space, so no need to keep them if you want to keep for audit purpose or for some other for testing purpose. So you can keep all these for malware file unknown which is not recognized and clean file, it’s up to you either any custom which is there.

So this was the window related to malware. Okay. And so far I’ve already told you to store them for checking or something. So this was a theoretical part. Okay, now coming to this table, I forgot this table. This table is related to these action. It’s changing. If I say deduct file, so what happened? Nothing option is available, only store file. So if I go to detect, where is detect? Here is if you choose deduct file, so there will be no spare analysis available, no dynamic analysis available, no capacity handle will be available, no local Marvel analysis will be available, no reset connection, only store file will be available. Yes, and that’s why when I choose stack file, only store file is available. If I say block file, so only reset connection and store is available. So where is block? So there is block. So when I choose block, so no spare analysis available, no dynamic, no capacity, no local, only reset connection and store is available. Done. And same way if I choose malware cloud lookup, then a lot of option is available. So where is block? This one cloud. So I can see Sparrow, I can see dynamic, I can see capacity handling and I can see local Marvel, but no reset connection. And yes, store file. That’s it. And the last one is block malware. So again all option with reset connection and everything is available. So that’s why this table is here. If you want to see that, which thing will be available with which action. If I take that action. So this was file and malware protection theory.

• Category: Uncategorized