Skip to main content
Cisco Meraki

Advanced Malware Protection (AMP)


Advanced Malware Protection (AMP) is an industry-leading anti-malware technology from Sourcefire®, integrated into MX Security Appliances.

Key Concepts

It is important to understand several key concepts with AMP:


A file's disposition is a categorization from the AMP cloud that determines what actions are taken on the file download.

There are three file dispositions:

  • Clean - The file is known to be good.
  • Malicious - The file is known to be harmful.
  • Unknown - There is insufficient data to classify the file as clean or malicious.


Sometimes files will change disposition, based on new threat intelligence gained by the AMP cloud. This reclassification can also generate retrospective alerts and notifications.

AMP Integration Overview

The MX Security Appliance will block HTTP-based file downloads based on the disposition received from the AMP cloud. If the MX receives a disposition of malicious for the file download, it will be blocked. If the MX receives a disposition of clean or unknown, the file download will be allowed to complete.


The supported file types for inspection are:

  • MS OLE2 (.doc, .xls, .ppt)
  • MS Cabinet (Microsoft compression type)
  • MS EXE (Microsoft executable)
  • ELF (Linux executable)
  • Mach-O/Unibin (OSX executable)
  • DMG (Apple Disk Image)
  • Java (class/bytecode, jar, serialization)
  • PDF
  • ZIP (regular and spanned)*
  • EICAR (standardized test file)
  • SWF (shockwave flash 6, 13, and uncompressed)


* This includes the inspection of XML-based Microsoft Office file types (.docx, .xlsx, etc.).



You can enable AMP by setting the Mode to Enabled under the Advanced Malware Protection (AMP) section in Security & SD-WAN > Configure > Threat protection.


Monitoring of AMP events can be done using the Security Center page under Security & SD-WAN > Monitor > Security center.

Please see this article for more information on the Security Center.


Email alerts can be configured for retrospective malware events in the Network-wide > Configure > Alerts page. To enable these, check the box for Malware is downloaded in the Alerts > Alerts Settings > Security appliance section. This alert will email the configured recipients when a retrospective AMP alert occurs, notifying the administrator that a file that has been downloaded now has a malicious disposition.

  • Was this article helpful?