Solved: Cisco Firepower Malware signature

RyanHsiao99746 · ‎05-11-2022

Hi there,

Is Cisco Firepower have a Database for malware signature?

When i check TECSEC-2599.pdf p77, the information is: FTD will first calculation the sha, and than send to FMC and FMC will check the Reputation from AMP Cloud.

But i got another information by other SE, they said there is a database include Malware information on VDB.

After i check the VDB infomation :According the information on Cisco Vulnerability Database (VDB) Release Notes.

It include the

Application Protocol Detectors

Client Detectors

Web Application Detectors

FireSIGHT Detector Updates

Operating System Fingerprint Details

Operating System and Hardware Fingerprint Details

Vulnerability References

File Type Detectors

Didn't see anything similar like malware database.

Is there any malware database information in VDB or anywhere on Firepower?

Thanks

Sheraz.Salim · ‎05-11-2022

Is your VDB is updated?

Integrating AMP for Network with AMP Threat
1- Files is downloaded through AMP for Network
2- AMP for Network calculates File hash (SHA256) and sends it to FMC for disposition lookup. Last packet is on hold by device till disposition is received.
3- FMC sends hash lookup to AMP CSI to identify hash disposition
4- CSI Cloud responds to the lookup with disposition “Unknown”
5- FMC records the disposition “Unknown” in File Trajectory
6- AMP for Network releases the last packet and submits a copy of the file to AMP Threat Grid for Dynamic Intelligence (Sandbox)
7- Threat Score (e.g. >=95) is calculated based on Behavioural Indicators and Threat Intelligence obtained by FMC polling
8- Subsequent downloads of the same file will be blocked by AMP for Network
9- AMP Solution also leverages CSI Cloud for Continuous Analysis and Retrospective Security.
10- Retrospective Call for a disposition change from Unknown to Malicious

however, to answer your question I do not think there is a database information avabilabe on firepower. all goes on cloud to check the SHA etc.

please do not forget to rate.

View solution in original post

Sheraz.Salim · ‎05-11-2022

Is your VDB is updated?

Integrating AMP for Network with AMP Threat
1- Files is downloaded through AMP for Network
2- AMP for Network calculates File hash (SHA256) and sends it to FMC for disposition lookup. Last packet is on hold by device till disposition is received.
3- FMC sends hash lookup to AMP CSI to identify hash disposition
4- CSI Cloud responds to the lookup with disposition “Unknown”
5- FMC records the disposition “Unknown” in File Trajectory
6- AMP for Network releases the last packet and submits a copy of the file to AMP Threat Grid for Dynamic Intelligence (Sandbox)
7- Threat Score (e.g. >=95) is calculated based on Behavioural Indicators and Threat Intelligence obtained by FMC polling
8- Subsequent downloads of the same file will be blocked by AMP for Network
9- AMP Solution also leverages CSI Cloud for Continuous Analysis and Retrospective Security.
10- Retrospective Call for a disposition change from Unknown to Malicious

however, to answer your question I do not think there is a database information avabilabe on firepower. all goes on cloud to check the SHA etc.

please do not forget to rate.

Marvin Rhoads · ‎05-11-2022

As @Sheraz.Salim said - there's not a local Malware database.

The VDB is a separate database with the purpose of providing information about vulnerabilities to better inform IPS rule application and categorization of impact.

Anthael · ‎04-19-2024

Hi
Might be possible to update the signature for an offline device ?

Thanks by advance