Skip to main content
Cisco Meraki

Advanced Malware Protection (AMP)

Overview

Advanced Malware Protection (AMP) is an industry-leading anti-malware technology from Sourcefire®, integrated into MX Security Appliances.

Important updates required for MX to AMP and Threat Grid communications were implemented. To ensure that MX’s AMP and Threat Grid services continue to function as expected, please upgrade to these firmware versions or higher.

  • MX 14.56 and up

  • MX 15.43 and up

  • MX 16.7 and up

Prior to the below dates:

  • AMP enabled MX devices will need to be upgraded prior to Dec 1, 2021.
  • Threat Grid enabled MX devices will need to be upgraded prior to Sept 2022. 

Note: If AMP enabled MX devices are not upgraded prior to the above mentioned dates, AMP will fail to connect to AMP Cloud and result in a fail closed behavior. This will cause all AMP inspected file downloads to be blocked unless AMP is manually disabled.

Note: The Threat Grid firmware upgrade date has now been extended to Sept 2022 instead of the initial communicated date Oct 1, 2021.

Key Concepts

It is important to understand several key concepts with AMP:

Disposition

A file's disposition is a categorization from the AMP cloud that determines what actions are taken on the file download.

There are three file dispositions:

  • Clean - The file is known to be good.
  • Malicious - The file is known to be harmful.
  • Unknown - There is insufficient data to classify the file as clean or malicious.

Retrospection

Sometimes files will change disposition, based on new threat intelligence gained by the AMP cloud. This reclassification can also generate retrospective alerts and notifications.

AMP Integration Overview

The MX Security Appliance will block HTTP-based file downloads based on the disposition received from the AMP cloud. If the MX receives a disposition of malicious for the file download, it will be blocked. If the MX receives a disposition of clean or unknown, the file download will be allowed to complete.

 

The supported file types for inspection are:

  • MS OLE2 (.doc, .xls, .ppt)
  • MS Cabinet (Microsoft compression type)
  • MS EXE (Microsoft executable)
  • ELF (Linux executable)
  • Mach-O/Unibin (OSX executable)
  • DMG (Apple Disk Image)
  • Java (class/bytecode, jar, serialization)
  • PDF
  • ZIP (regular and spanned)*
  • EICAR (standardized test file)
  • SWF (shockwave flash 6, 13, and uncompressed)

 

* This includes the inspection of XML-based Microsoft Office file types (.docx, .xlsx, etc.).

 

Configuration

You can enable AMP by setting the Mode to Enabled under the Advanced Malware Protection (AMP) section in Security & SD-WAN > Configure > Threat protection.

Monitoring

Monitoring of AMP events can be done using the Security Center page under Security & SD-WAN > Monitor > Security center.

Please see this article for more information on the Security Center.

Alerting

Email alerts can be configured for retrospective malware events in the Network-wide > Configure > Alerts page. To enable these, check the box for Malware is downloaded in the Alerts > Alerts Settings > Security appliance section. This alert will email the configured recipients when a retrospective AMP alert occurs, notifying the administrator that a file that has been downloaded now has a malicious disposition.