
Advanced Malware Protection (AMP)

Overview

Advanced Malware Protection (AMP) is an industry-leading anti-malware technology from Sourcefire, integrated into MX Security Appliances.

AMP is available only in the Advanced Security Edition.

Key Concepts

It is important to understand several key concepts with AMP:

Disposition

A file's disposition is a categorization from the AMP cloud that determines what actions are taken on the file download.

There are three file dispositions:

  • Clean - The file is known to be good.
  • Malicious - The file is known to be harmful.
  • Unknown - There is insufficient data to classify the file as clean or malicious.

Retrospection

Sometimes files will change disposition, based on new threat intelligence gained by the AMP cloud. This re-classification can also generate retrospective alerts and notifications.

AMP Integration Overview

The MX Security Appliance will block HTTP-based file downloads based on the disposition received from the AMP cloud. If the MX receives a disposition of malicious for the file download, it will be blocked. If the MX receives a disposition of clean or unknown, the file download will be allowed to complete. Because unknown files are allowed through, a file that is later re-classified as malicious is surfaced only through the retrospective alerting described below.


The supported file types for inspection are:

  • MS OLE2 (.doc, .xls, .ppt)
  • MS Cabinet (Microsoft compression type)
  • MS EXE
  • ELF (Linux executable)
  • Mach-O/Unibin (OSX executable)
  • Java (class/bytecode, jar, serialization)
  • PDF
  • ZIP (regular and spanned)*
  • EICAR (standardized test file)
  • SWF (shockwave flash 6, 13, and uncompressed)


* This includes the inspection of XML-based Microsoft Office file types (.docx, .xlsx, etc.).
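The block-or-allow decision and the retrospective re-classification described above, as an added simulation that is not Meraki's or Sourcefire's code: the disposition dictionary stands in for the AMP cloud, the magic-byte table covers only a few of the listed file types, and all samples are constructed.

```python
import hashlib
from dataclasses import dataclass, field

# Magic bytes for a few of the AMP-inspected types listed above (constructed subset).
MAGIC = {
    b"MZ": "MS EXE",
    b"\x7fELF": "ELF",
    b"%PDF": "PDF",
    b"PK\x03\x04": "ZIP",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "MS OLE2",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def file_type(data: bytes):
    """Return the supported type name matched by magic bytes, or None if not inspected."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return None

@dataclass
class AmpSimulator:
    cloud: dict                                   # sha256 -> clean | malicious | unknown
    allowed: dict = field(default_factory=dict)   # sha256 -> [(client, filename), ...]
    retro_alerts: list = field(default_factory=list)

    def download(self, client: str, name: str, data: bytes) -> str:
        """MX policy: block malicious; allow clean and unknown; skip unsupported types."""
        if file_type(data) is None:
            return "allowed (not inspected)"
        digest = sha256_hex(data)
        disposition = self.cloud.get(digest, "unknown")
        if disposition == "malicious":
            return "blocked"
        self.allowed.setdefault(digest, []).append((client, name))  # remember for retrospection
        return f"allowed ({disposition})"

    def retrospect(self, digest: str, new_disposition: str) -> int:
        """Re-classify a hash; downloads allowed earlier and now malicious raise retrospective alerts."""
        self.cloud[digest] = new_disposition
        if new_disposition == "malicious":
            for client, name in self.allowed.get(digest, []):
                self.retro_alerts.append({"client": client, "file": name, "sha256": digest})
        return len(self.retro_alerts)

def demo():
    exe = b"MZ" + b"\x00" * 62 + b"constructed sample, not a real binary"
    pdf = b"%PDF-1.4 constructed sample"
    txt = b"plain text is not an inspected type"
    sim = AmpSimulator(cloud={sha256_hex(pdf): "clean"})
    results = [sim.download("10.0.0.5", "report.pdf", pdf),
               sim.download("10.0.0.7", "setup.exe", exe),
               sim.download("10.0.0.7", "notes.txt", txt)]
    alerts = sim.retrospect(sha256_hex(exe), "malicious")  # new intelligence arrives later
    return results, alerts, sim.retro_alerts
```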

Configuration

You can enable AMP by setting the Scanning option to Enabled under the Malware detection section in Security Appliance > Configure > Threat protection.

Monitoring

Monitoring of AMP events can be done using the Security Center page under Security Appliance > Monitor > Security Center.

Please see this article for more information on the Security Center.

Alerting

E-mail alerts can be configured for retrospective malware events in the Network-wide > Configure > General page. To enable these, check the box for Malware is downloaded in the Network Alerts section. This alert will email the configured recipients when a retrospective AMP alert occurs, notifying the administrator that a file that has been downloaded now has a malicious disposition.

Last modified: 16:23, 8 Feb 2017


Article ID

ID: 4797
