Skip to main content

 

Cisco Meraki Documentation

Advanced Malware Protection (AMP)

Overview

Advanced Malware Protection (AMP) is an industry-leading anti-malware technology from Sourcefire®, integrated into MX Security Appliances.

Important updates required for MX to AMP and Threat Grid communications were implemented. To ensure that MX’s AMP and Threat Grid services continue to function as expected, please upgrade to these firmware versions or higher.

  • MX 14.56 and up

  • MX 15.43 and up

  • MX 16.7 and up

AMP enabled MX devices will need to be upgraded prior to the second half of 2023. As timelines approach the later half of 2023, a more concrete date will be shared.

Threat Grid enabled MX devices will need to be upgraded prior to Feb 2023. 

Note: If AMP enabled MX devices are not upgraded prior to the above mentioned dates, AMP will fail to connect to AMP Cloud and result in a fail closed behavior. This will cause all AMP inspected file downloads to be blocked unless AMP is manually disabled.

Note: 

  • AMP firmware upgrade date has been extended to the second half of  2023 instead of the initial communicated date Dec 1, 2021. As timelines approach the first quarter of 2023, a more concrete date will be shared.
  • Threat Grid firmware upgrade date has been extended to Feb 2023 instead of the initial communicated date Oct 1, 2021.

Traffic Analysis must be enabled under Network-wide > Configure > General > Traffic analysis for AMP to function.

Learn more with these free online training courses on the Meraki Learning Hub:

Sign in with your Cisco SSO or create a free account to start training.

Key Concepts

It is important to understand several key concepts with AMP:

Disposition

A file's disposition is a categorization from the AMP cloud that determines what actions are taken on the file download.

There are three file dispositions:

  • Clean - The file is known to be good.
  • Malicious - The file is known to be harmful.
  • Unknown - There is insufficient data to classify the file as clean or malicious.

Retrospection

Sometimes files will change disposition, based on new threat intelligence gained by the AMP cloud. This reclassification can also generate retrospective alerts and notifications.

AMP Integration Overview

The MX Security Appliance will block HTTP-based file downloads based on the disposition received from the AMP cloud. If the MX receives a disposition of malicious for the file download, it will be blocked. If the MX receives a disposition of clean or unknown, the file download will be allowed to complete.

 

The supported file types for inspection are:

  • MS OLE2 (.doc, .xls, .ppt)
  • MS Cabinet (Microsoft compression type)
  • MS EXE (Microsoft executable)
  • ELF (Linux executable)
  • Mach-O/Unibin (OSX executable)
  • DMG (Apple Disk Image)
  • Java (class/bytecode, jar, serialization)
  • PDF
  • ZIP (regular and spanned)*
  • EICAR (standardized test file)
  • SWF (shockwave flash 6, 13, and uncompressed)

 

* This includes the inspection of XML-based Microsoft Office file types (.docx, .xlsx, etc.).

 

Configuration

You can enable AMP by setting the Mode to Enabled under the Advanced Malware Protection (AMP) section in Security & SD-WAN > Configure > Threat protection.

Monitoring

Monitoring of AMP events can be done using the Security Center page under Security & SD-WAN > Monitor > Security center.

Screenshot of security center filter dropdown menu that contains three main criteria. These include the network, event type, disposition and action. The options 'Current Network only', 'Malware detection', 'Malicious' and 'blocked' selected, with the other options not selected. The unselected options are 'IDS', 'clean' and 'Blocked'.

Please see this article for more information on the Security Center.

Alerting

Email alerts can be configured for retrospective malware events in the Network-wide > Configure > Alerts page. To enable these, check the box for Malware is downloaded in the Alerts > Alerts Settings > WAN appliance section. This alert will email the configured recipients when a retrospective AMP alert occurs, notifying the administrator that a file that has been downloaded now has a malicious disposition.

  • Was this article helpful?