
Advanced Malware Protection (AMP)


Advanced Malware Protection (AMP) is an industry-leading anti-malware technology from Sourcefire, integrated into MX Security Appliances.

AMP is available only in the Advanced Security Edition.

Key Concepts

It is important to understand several key concepts with AMP:


A file's disposition is a categorization from the AMP cloud that determines what actions are taken on the file download.

There are three file dispositions:

  • Clean - The file is known to be good.
  • Malicious - The file is known to be harmful.
  • Unknown - There is insufficient data to classify the file as clean or malicious.


Sometimes a file's disposition will change, based on new threat intelligence gained by the AMP cloud. This re-classification can also generate retrospective alerts and notifications.

AMP Integration Overview

The MX Security Appliance will block HTTP-based file downloads based on the disposition received from the AMP cloud. If the MX receives a disposition of malicious for a file download, the download will be blocked. If the MX receives a disposition of clean or unknown, the file download will be allowed to complete.


The supported file types for inspection are:

  • MS OLE2 (.doc, .xls, .ppt)
  • MS Cabinet (Microsoft compression type)
  • MS EXE
  • ELF (Linux executable)
  • Mach-O/Unibin (OSX executable)
  • Java (class/bytecode, jar, serialization)
  • PDF
  • ZIP (regular and spanned)*
  • EICAR (standardized test file)
  • SWF (Shockwave Flash 6, 13, and uncompressed)


* This includes the inspection of XML-based Microsoft Office file types (.docx, .xlsx, etc.).


You can enable AMP by setting the Scanning option to Enabled under the Malware detection section in Security Appliance > Configure > Threat protection.


Monitoring of AMP events can be done using the Security Center page under Security Appliance > Monitor > Security Center.

Please see this article for more information on the Security Center.


E-mail alerts can be configured for retrospective malware events in the Network-wide > Configure > Alerts page. To enable these, check the box for Malware is downloaded in the Network Alerts section. This alert will email the configured recipients when a retrospective AMP alert occurs, notifying the administrator that a file that has been downloaded now has a malicious disposition. 
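The following is an added example, not Meraki's or Cisco's code. It models the disposition flow described above to show why a retrospective alert matters: a file with an unknown disposition is delivered, and a later re-classification to malicious can only notify about the clients that already received it. Keying files by SHA-256, the class and function names, and the client addresses and URL are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass, field

BLOCKING = {"malicious"}  # per the page: only a malicious disposition blocks
DISPOSITIONS = {"clean", "malicious", "unknown"}

@dataclass
class AmpModel:
    """Toy model of the disposition flow (hypothetical, for illustration)."""
    cloud: dict = field(default_factory=dict)    # sha256 -> disposition
    allowed: dict = field(default_factory=dict)  # sha256 -> [(client, url)]

    def lookup(self, sha256):
        # A hash with no classification yet is treated as "unknown".
        return self.cloud.get(sha256, "unknown")

    def download(self, client, url, content):
        """Return 'blocked' or 'allowed' for one HTTP file download."""
        sha256 = hashlib.sha256(content).hexdigest()
        if self.lookup(sha256) in BLOCKING:
            return "blocked"
        # Clean and unknown both complete; remember who received the file.
        self.allowed.setdefault(sha256, []).append((client, url))
        return "allowed"

    def reclassify(self, sha256, disposition):
        """Apply new threat intelligence; return retrospective alerts."""
        if disposition not in DISPOSITIONS:
            raise ValueError(f"invalid disposition: {disposition}")
        previous = self.lookup(sha256)
        self.cloud[sha256] = disposition
        if disposition != "malicious" or previous == "malicious":
            return []
        return [{"client": c, "url": u, "sha256": sha256, "was": previous}
                for c, u in self.allowed.get(sha256, [])]

def demo():
    # Constructed sample data: client addresses, URL and file bytes are made up.
    amp = AmpModel()
    sample = b"constructed sample payload"
    digest = hashlib.sha256(sample).hexdigest()
    first = amp.download("10.0.0.5", "http://files.example/tool.exe", sample)
    alerts = amp.reclassify(digest, "malicious")  # disposition changes later
    second = amp.download("10.0.0.9", "http://files.example/tool.exe", sample)
    return first, alerts, second

if __name__ == "__main__":
    print(demo())
```

In this model the first client's download completes, the re-classification yields one retrospective alert naming that client, and the same file is blocked for the second client.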

Last modified
14:54, 24 Apr 2017




Article ID

ID: 4797
