Advanced Malware Protection (AMP)
Overview
Advanced Malware Protection (AMP) is an industry-leading anti-malware technology from Sourcefire®, integrated into MX Security Appliances.
AMP is available only with Advanced Security Edition or SD-WAN licensing.
Important updates to the way the MX communicates with the AMP and Threat Grid clouds have been implemented. To ensure that the MX's AMP and Threat Grid services continue to function as expected, upgrade to one of these firmware versions or higher:
- MX 14.56 and up
- MX 15.43 and up
- MX 16.7 and up
AMP-enabled MX devices must be upgraded before the second half of 2023; a concrete date will be shared as that window approaches.
Threat Grid-enabled MX devices must be upgraded before February 2023.
Note: If AMP-enabled MX devices are not upgraded before the dates above, AMP will fail to connect to the AMP cloud and will fail closed: every AMP-inspected file download will be blocked until AMP is manually disabled.
Note:
- The AMP firmware upgrade deadline has been extended to the second half of 2023 from the initially communicated date of Dec 1, 2021.
- The Threat Grid firmware upgrade deadline has been extended to February 2023 from the initially communicated date of Oct 1, 2021.
Traffic Analysis must be enabled under Network-wide > Configure > General > Traffic analysis for AMP to function.
Key Concepts
It is important to understand several key concepts with AMP:
Disposition
A file's disposition is a categorization from the AMP cloud that determines what actions are taken on the file download.
There are three file dispositions:
- Clean - The file is known to be good.
- Malicious - The file is known to be harmful.
- Unknown - There is insufficient data to classify the file as clean or malicious.
Retrospection
Sometimes files will change disposition, based on new threat intelligence gained by the AMP cloud. This reclassification can also generate retrospective alerts and notifications.
AMP Integration Overview
The MX Security Appliance blocks HTTP-based file downloads based on the disposition received from the AMP cloud. If the MX receives a disposition of malicious for the file download, the download is blocked. If the MX receives a disposition of clean or unknown, the download is allowed to complete; an unknown file that is later reclassified as malicious is reported through retrospection rather than blocked after the fact. Because inspection is performed on cleartext HTTP, downloads over HTTPS are not inspected.
The supported file types for inspection are:
- MS OLE2 (.doc, .xls, .ppt)
- MS Cabinet (Microsoft compression type)
- MS EXE (Microsoft executable)
- ELF (Linux executable)
- Mach-O/Unibin (OSX executable)
- DMG (Apple Disk Image)
- Java (class/bytecode, jar, serialization)
- ZIP (regular and spanned)*
- EICAR (standardized test file)
- SWF (shockwave flash 6, 13, and uncompressed)
* This includes the inspection of XML-based Microsoft Office file types (.docx, .xlsx, etc.).
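To check locally whether a given download would even fall into one of the inspected types above, the following added example (not Meraki's code; the MX's own classifier is not published) identifies each type by its magic bytes. The signatures and the type labels it returns are assumptions, as is the heuristic that separates a Java class file from a Mach-O fat ("Unibin") binary, both of which begin with CAFEBABE. The sample inputs are constructed header fragments, not real files, except for the EICAR test string, which is the standard test file the list refers to.

```python
"""Classify a file by magic bytes into the AMP-inspected types listed above.
Added example with assumed type labels; not Meraki code."""
import io
import struct
import zipfile

# The standard EICAR anti-virus test string (harmless by design).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def _zip_kind(data: bytes) -> str:
    """Refine a ZIP container: JAR, XML-based Office document, or plain ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        # Truncated or spanned archive: still ZIP, but the directory is unreadable here.
        return "ZIP (unreadable directory)"
    if "META-INF/MANIFEST.MF" in names:
        return "Java (jar)"
    if "[Content_Types].xml" in names:
        for prefix, ext in (("word/", ".docx"), ("xl/", ".xlsx"), ("ppt/", ".pptx")):
            if any(n.startswith(prefix) for n in names):
                return f"MS Office XML ({ext}, inside ZIP)"
        return "MS Office XML (inside ZIP)"
    return "ZIP"


def amp_file_type(data: bytes):
    """Return the inspected type name for these bytes, or None when the content
    is not one of the inspected types (plain text, images, PDFs, ...)."""
    if data.startswith(EICAR):
        return "EICAR"
    if data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        return "MS OLE2"                      # .doc/.xls/.ppt compound document
    if data.startswith(b"MSCF"):
        return "MS Cabinet"
    if data.startswith(b"MZ"):
        return "MS EXE"                       # PE/DOS executable
    if data.startswith(b"\x7fELF"):
        return "ELF"
    if data[:4] in (b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
                    b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe"):
        return "Mach-O"                       # thin 32/64-bit, either byte order
    if data.startswith(b"\xca\xfe\xba\xbf"):
        return "Mach-O/Unibin (fat, 64-bit)"
    if data.startswith(b"\xca\xfe\xba\xbe") and len(data) >= 8:
        # CAFEBABE is shared by fat Mach-O binaries and Java class files. In a
        # class file the next 4 bytes are minor/major version (major >= 45 for
        # every real JVM); in a fat header they are nfat_arch, a small count.
        (word,) = struct.unpack(">I", data[4:8])
        return "Java (class)" if word >= 45 else "Mach-O/Unibin (fat)"
    if data.startswith(b"\xac\xed\x00\x05"):
        return "Java (serialization)"
    if data[:3] in (b"FWS", b"CWS", b"ZWS") and len(data) >= 4:
        # FWS = uncompressed, CWS = zlib (SWF 6+), ZWS = LZMA (SWF 13+)
        kind = {b"FWS": "uncompressed", b"CWS": "zlib", b"ZWS": "lzma"}[data[:3]]
        return f"SWF ({kind}, version {data[3]})"
    if data.startswith(b"PK\x03\x04"):
        return _zip_kind(data)
    if len(data) >= 512 and data[-512:-508] == b"koly":
        return "DMG"                          # Apple disk image: 512-byte trailer
    return None


def build_docx_like() -> bytes:
    """Constructed: a minimal ZIP with the entry layout of a .docx (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


SAMPLES = {  # constructed header fragments, not real files
    "eicar.com": EICAR,
    "tool.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "bin.elf": b"\x7fELF\x02\x01\x01" + b"\x00" * 9,
    "Foo.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x34",   # major version 52 (Java 8)
    "app.fat": b"\xca\xfe\xba\xbe\x00\x00\x00\x02",     # nfat_arch = 2
    "movie.swf": b"CWS\x0a" + b"\x00" * 4,
    "report.docx": build_docx_like(),
    "image.dmg": b"\x00" * 1024 + b"koly" + b"\x00" * 508,
    "readme.txt": b"just text\n",
}


def classify_all():
    """Map each sample name to its detected AMP-inspected type (or None)."""
    return {name: amp_file_type(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, kind in classify_all().items():
        print(f"{name:12} -> {kind or 'not an inspected type'}")
```

Downloading the EICAR file over plain HTTP through an AMP-enabled MX is the usual way to confirm that inspection and blocking are working end to end; a PDF or image, which returns None here, would not be inspected at all.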
Configuration
You can enable AMP by setting the Mode to Enabled under the Advanced Malware Protection (AMP) section in Security & SD-WAN > Configure > Threat protection.
Monitoring
Monitoring of AMP events can be done using the Security Center page under Security & SD-WAN > Monitor > Security center.
Alerting
Email alerts can be configured for retrospective malware events on the Network-wide > Configure > Alerts page: check the box for Malware is downloaded in the Alerts > Alerts Settings > WAN appliance section. This alert emails the configured recipients when a retrospective AMP event occurs, that is, when a file that was previously downloaded with a clean or unknown disposition has since been reclassified as malicious.
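The retrospection concept described under Key Concepts, and the alert above, both come down to one question for the responder: which hosts already received a file before the AMP cloud reclassified it as malicious? The following added example (not Meraki's code) answers that over a list of Security Center style records. The record layout (ts, eventType, fileHash, disposition, action, clientIp, uri) is an assumption modeled on the fields the Dashboard API returns for appliance security events; the events themselves are constructed, and the hashes are placeholders, not real malware.

```python
"""Find retrospective AMP events: hashes allowed through as Clean or Unknown
and later seen as Malicious, with the hosts that were exposed in between.
Added example; record layout is an assumption, events are constructed."""
from collections import defaultdict

# Constructed events. Hash "aaa..." is first scanned Unknown (allowed) by two
# clients, then reclassified Malicious the next day; hash "bbb..." stays Clean.
EVENTS = [
    {"ts": "2023-03-01T10:00:00Z", "eventType": "File Scanned", "clientIp": "192.168.128.2",
     "uri": "http://downloads.example/installer.exe", "fileHash": "a" * 64,
     "disposition": "Unknown", "action": "Allowed"},
    {"ts": "2023-03-01T10:05:00Z", "eventType": "File Scanned", "clientIp": "192.168.128.7",
     "uri": "http://downloads.example/installer.exe", "fileHash": "a" * 64,
     "disposition": "Unknown", "action": "Allowed"},
    {"ts": "2023-03-01T11:00:00Z", "eventType": "File Scanned", "clientIp": "192.168.128.9",
     "uri": "http://downloads.example/setup.exe", "fileHash": "b" * 64,
     "disposition": "Clean", "action": "Allowed"},
    {"ts": "2023-03-01T12:00:00Z", "eventType": "IDS Alert", "clientIp": "192.168.128.9",
     "message": "not a file event; skipped"},
    {"ts": "2023-03-02T09:00:00Z", "eventType": "File Scanned", "clientIp": "192.168.128.3",
     "uri": "http://downloads.example/installer.exe", "fileHash": "a" * 64,
     "disposition": "Malicious", "action": "Blocked"},
]


def retrospective_events(events):
    """Return {fileHash: {"first_malicious": ts, "exposed": [(ts, clientIp, uri), ...]}}
    for every hash that was allowed (Clean or Unknown) before its first Malicious
    verdict. Timestamps are assumed to be ISO-8601 UTC of equal precision, so
    they sort correctly as strings. Only 'File Scanned' records are considered."""
    by_hash = defaultdict(list)
    for e in events:
        if e.get("eventType") == "File Scanned" and e.get("fileHash"):
            by_hash[e["fileHash"]].append(e)

    findings = {}
    for h, recs in by_hash.items():
        recs.sort(key=lambda r: r["ts"])
        malicious = [r for r in recs if r["disposition"] == "Malicious"]
        if not malicious:
            continue                          # never reclassified: nothing to do
        first_bad = malicious[0]["ts"]
        exposed = [(r["ts"], r["clientIp"], r["uri"])
                   for r in recs
                   if r["ts"] < first_bad and r["action"] == "Allowed"]
        if exposed:                           # blocked-from-the-start hashes are not retrospective
            findings[h] = {"first_malicious": first_bad, "exposed": exposed}
    return findings


if __name__ == "__main__":
    for h, info in retrospective_events(EVENTS).items():
        print(f"{h[:12]}... malicious since {info['first_malicious']}")
        for ts, ip, uri in info["exposed"]:
            print(f"  {ts}  {ip}  {uri}")
```

The exposed list is the triage worklist: the MX cannot recall a file it already allowed, so each of those hosts needs the usual endpoint follow-up, and the hash is worth adding to any endpoint or SIEM search.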