Cisco Meraki

Advanced Malware Protection (AMP)

Overview

Advanced Malware Protection (AMP) is an industry-leading anti-malware technology from Sourcefire®, integrated into MX Security Appliances.

Firmware MX 14.56, MX 15.43 and MX 16.7 include changes that are required for the MX to communicate with the AMP cloud and Threat Grid. Upgrade to one of these versions or later before the date that applies to your configuration:

  • If AMP and Threat Grid are both enabled, upgrade before Oct 2021.
  • If only AMP is enabled, upgrade before Dec 2021.

If an AMP-enabled MX is not upgraded before the applicable date, it will no longer be able to connect to the AMP cloud. AMP fails closed in that state: every file download that AMP would inspect is blocked until AMP is disabled manually or the firmware is upgraded.

Key Concepts

It is important to understand several key concepts with AMP:

Disposition

A file's disposition is the categorization returned by the AMP cloud for that file; it determines what action the MX takes on the file download.

There are three file dispositions:

  • Clean - The file is known to be good.
  • Malicious - The file is known to be harmful.
  • Unknown - There is insufficient data to classify the file as clean or malicious.

Retrospection

A file's disposition can change when the AMP cloud gains new threat intelligence. This reclassification is called retrospection, and it matters because a file that was allowed through as clean or unknown may later become malicious. A retrospective reclassification can also generate retrospective alerts and notifications (see Alerting below).

AMP Integration Overview

The MX Security Appliance decides whether to block an HTTP-based file download using the disposition it receives from the AMP cloud: a disposition of malicious blocks the download, while a disposition of clean or unknown lets it complete. Two consequences are worth noting. First, an unknown file is delivered to the client, so retrospection and its alerts are the mechanism for catching a file that is reclassified after it has already been allowed through. Second, the inspection applies to HTTP downloads; a file fetched over HTTPS is not visible to the MX in the same way and is not inspected by AMP.
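The following Python model shows the decision logic described above together with retrospection and the fail-closed behaviour from the firmware notice. It is an added example, not Meraki code, and it makes one assumption that the page does not state explicitly: that the cloud lookup is keyed by the file's SHA-256 hash (the hash AMP reports for files). The disposition table, the client addresses, the URLs and the sample file contents are constructed for the example; the EICAR test file is the standard one, which AMP treats as malicious by design.

```python
"""Model of the MX/AMP disposition decision, retrospection and fail-closed
behaviour. Added example, not Meraki code. Assumption: the AMP cloud lookup
is keyed by the file's SHA-256. All table entries, hosts and URLs below are
constructed for the example."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List

CLEAN, MALICIOUS, UNKNOWN = "clean", "malicious", "unknown"
# Published SHA-256 of the 68-byte EICAR test file; useful for matching the
# hash shown in Security Center when you verify AMP with an EICAR download.
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"


def eicar_test_bytes() -> bytes:
    # The standard EICAR test string, split across two literals so that the
    # source file itself is not matched by a signature scanner.
    return (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-"
            b"ANTIVIRUS-TEST-FILE!$H+H*")


@dataclass
class AmpCloud:
    """Stand-in for the AMP cloud: a hash -> disposition table that can be
    updated by new intelligence (retrospection) and can be unreachable."""
    table: Dict[str, str] = field(default_factory=dict)
    reachable: bool = True

    def lookup(self, sha256: str) -> str:
        if not self.reachable:
            raise ConnectionError("AMP cloud unreachable")
        return self.table.get(sha256, UNKNOWN)   # never-seen hash -> unknown

    def reclassify(self, sha256: str, disposition: str) -> None:
        self.table[sha256] = disposition


@dataclass
class MxAmp:
    """The MX side: enforce the disposition at download time and re-check
    already-delivered files for retrospective changes."""
    cloud: AmpCloud
    fail_closed: bool = True      # behaviour of an un-upgraded MX that lost the cloud
    seen: Dict[str, dict] = field(default_factory=dict)   # sha256 -> delivery record
    events: List[str] = field(default_factory=list)

    def inspect_download(self, client: str, url: str, content: bytes) -> bool:
        """Return True if the HTTP download is allowed to complete."""
        sha = hashlib.sha256(content).hexdigest()
        try:
            disposition = self.cloud.lookup(sha)
        except ConnectionError:
            if self.fail_closed:
                self.events.append(f"blocked {url} for {client}: cloud unreachable (fail closed)")
                return False
            disposition = UNKNOWN
        allowed = disposition != MALICIOUS          # clean and unknown both pass
        self.seen[sha] = {"url": url, "client": client, "disposition": disposition}
        self.events.append(f"{'allowed' if allowed else 'blocked'} {url} for {client}: {disposition}")
        return allowed

    def retrospective_check(self) -> List[str]:
        """Re-query every delivered file; report those now classed malicious."""
        alerts = []
        for sha, rec in self.seen.items():
            if rec["disposition"] == MALICIOUS:
                continue                            # was blocked, nothing to alert on
            try:
                now = self.cloud.lookup(sha)
            except ConnectionError:
                continue
            if now == MALICIOUS:
                rec["disposition"] = MALICIOUS
                alerts.append(f"retrospective: {rec['url']} delivered to "
                              f"{rec['client']} is now malicious (sha256 {sha})")
        self.events.extend(alerts)
        return alerts


def demo() -> dict:
    """Walk through the cases the text describes; returns the outcomes."""
    eicar = eicar_test_bytes()
    good_pdf = b"%PDF-1.4 constructed known-good document"
    new_doc = b"\xd0\xcf\x11\xe0" + b"constructed OLE2 document nobody has seen yet"
    cloud = AmpCloud(table={
        hashlib.sha256(eicar).hexdigest(): MALICIOUS,
        hashlib.sha256(good_pdf).hexdigest(): CLEAN,
    })
    mx = MxAmp(cloud)
    r = {"eicar_sha256": hashlib.sha256(eicar).hexdigest()}
    r["eicar_allowed"] = mx.inspect_download("10.0.1.25", "http://test.example/eicar.com", eicar)
    r["pdf_allowed"] = mx.inspect_download("10.0.1.25", "http://files.example/report.pdf", good_pdf)
    r["unknown_allowed"] = mx.inspect_download("10.0.1.30", "http://files.example/invoice.doc", new_doc)
    # New intelligence arrives: the unknown .doc is reclassified as malicious.
    cloud.reclassify(hashlib.sha256(new_doc).hexdigest(), MALICIOUS)
    r["retro_alerts"] = mx.retrospective_check()          # one alert for invoice.doc
    r["unknown_now_blocked"] = not mx.inspect_download("10.0.1.31", "http://files.example/invoice.doc", new_doc)
    # Cloud outage on a fail-closed MX: even the known-clean PDF is blocked.
    cloud.reachable = False
    r["outage_allowed"] = mx.inspect_download("10.0.1.25", "http://files.example/report.pdf", good_pdf)
    return r


if __name__ == "__main__":
    for line in demo().items():
        print(*line)
```

Run it stand-alone to see the sequence: the EICAR download is blocked, the clean PDF and the never-seen .doc are allowed, the later reclassification of the .doc produces a retrospective alert and subsequent downloads of it are blocked, and once the cloud is unreachable the fail-closed MX blocks even the clean PDF, which is exactly what an un-upgraded appliance does after the dates in the notice above.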

The supported file types for inspection are:

  • MS OLE2 (.doc, .xls, .ppt)
  • MS Cabinet (Microsoft compression type)
  • MS EXE (Microsoft executable)
  • ELF (Linux executable)
  • Mach-O/Unibin (OSX executable)
  • DMG (Apple Disk Image)
  • Java (class/bytecode, jar, serialization)
  • PDF
  • ZIP (regular and spanned)*
  • EICAR (standardized test file)
  • SWF (shockwave flash 6, 13, and uncompressed)

* This includes the inspection of XML-based Microsoft Office file types (.docx, .xlsx, etc.).

Configuration

Enable AMP by setting Mode to Enabled under the Advanced Malware Protection (AMP) section of Security & SD-WAN > Configure > Threat protection. After enabling it, verify enforcement by downloading the EICAR test file over plain HTTP from a client behind the MX; the download should be blocked and the event should appear in Security Center.

Monitoring

AMP events can be monitored on the Security Center page under Security & SD-WAN > Monitor > Security center.

See the Security Center article for more information.

Alerting

Email alerts for retrospective malware events are configured on the Network-wide > Configure > Alerts page: check the box for Malware is downloaded in the Alerts > Alerts Settings > Security appliance section. This alert emails the configured recipients when a retrospective AMP event occurs, that is, when a file that was already downloaded through the MX has since received a malicious disposition. Because the file was allowed at download time, the alert is the signal to locate and remediate the client that received it.