An engineer has been tasked with using Cisco FMC to determine if files being sent through the network are malware. Which two configuration tasks must be performed to achieve this file lookup? (Choose two.)
A.
The Cisco FMC needs to include an SSL decryption policy.
B.
The Cisco FMC needs to connect to the Cisco AMP for Endpoints service.
C.
The Cisco FMC needs to connect to the Cisco ThreatGrid service directly for sandboxing.
D.
The Cisco FMC needs to connect with the FireAMP Cloud.
E.
The Cisco FMC needs to include a file inspection policy for malware lookup.
I believe the correct answers are A and E. Bobster is referencing local malware analysis requirements, but we have no information that local malware analysis is being used. By default Threat Grid is used, and Threat Grid needs no configuration on the FMC to connect to the cloud. The question states "which configuration tasks" - we don't need to do anything related to Threat Grid afaik. Also, if all file downloads going through the firewall are encrypted, then C and E would accomplish nothing.
A. The Cisco FMC needs to include an SSL decryption policy.
> NO, this is Optional
B. The Cisco FMC needs to connect to the Cisco AMP for Endpoints service.
> NO, these connect to the "Secure Endpoint console", not to FMC. To integrate with AMP, they can send their data to the AMP cloud (private or public), but not to FMC
C. The Cisco FMC needs to connect to the Cisco ThreatGrid service directly for sandboxing.
> NO, a direct connection is not needed. Connection through a proxy is also possible
D. The Cisco FMC needs to connect with the FireAMP Cloud.
> YES - cloud can be private or public, but a connection IS required
E. The Cisco FMC needs to include a file inspection policy for malware lookup.
> YES - without file policies, no files will be scanned.
https://www.cisco.com/c/en/us/td/docs/security/firepower/650/configuration/guide/fpmc-config-guide-v65/file_policies_and_advanced_malware_protection.html#ID-2193-00000132
My answers are D and E. D should be adjusted from FireAMP to AMP Private Cloud.
If your organization has high privacy requirements that restrict using a public cloud, the Cisco Advanced Malware Protection (AMP) Private Cloud Virtual Appliance is an on-premises, air-gapped option.
A: because you can't inspect any traffic that is encrypted (the majority of the traffic):
You can use SSL decryption policies to turn encrypted traffic into plain text traffic, so that you can then apply URL filtering, intrusion and malware control
Option E is mandatory.
A can be, but is not necessary (I can still inspect malware in HTTP and FTP protocols without SSL inspection)
C seems more precise.
Cisco Threat Grid runs the file in a sandbox environment, analyzes the file's behavior to determine whether the file is malicious, and returns a threat score that indicates the likelihood that a file contains malware. From the threat score, you can view a dynamic analysis summary report with the reasons for the assigned threat score. You can also look in Cisco Threat Grid to view detailed reports for files that your organization submitted, as well as scrubbed reports with limited data for files that your organization did not submit.
https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/file_policies_and_advanced_malware_protection.html
D&E - the operative key in the question: "To achieve this file lookup". SSL decryption is not needed to perform the lookup. SSL Decryption -To be able to test the traffic if encrypted--yes but not to perform the lookup.
You can't perform any file lookup if the connection is TLS-ed!
Try yourself to pass an EICAR file through an SSL connection and see if it is stopped. The only protection you can apply on SSL flows are URL categories and DNS reputation checks.
The two configuration tasks that must be performed in order to use Cisco FMC to determine if files being sent through the network are malware are:
E. The Cisco FMC needs to include a file inspection policy for malware lookup.
B. The Cisco FMC needs to connect to the Cisco AMP for Endpoints service.
Explanation:
E. The Cisco FMC needs to include a file inspection policy for malware lookup:
A file inspection policy can be used to inspect and analyze files that are transmitted over the network to determine if they contain malware. By configuring a file inspection policy in Cisco FMC, you can specify the types of files that should be inspected, the types of malware to look for, and the actions to take when malware is detected.
B. The Cisco FMC needs to connect to the Cisco AMP for Endpoints service:
By connecting to the Cisco AMP for Endpoints service, Cisco FMC can leverage the advanced threat intelligence provided by AMP to analyze and identify potential malware threats in network traffic.
You don't NEED SSL decryption, as files can be transmitted over literally any port in cleartext.
You also don't need sandboxing, but what you DO need is a connection to the public AMP or a private AMP cloud. So I'm choosing DE.
Agreed.
Its not B. From the config guide "(Optional) Malware Protection with AMP for Endpoints", B is optional.
A is also optional
It's clearly D because of the following from the guide:
"If a file rule is configured with a Malware Cloud Lookup or Block Malware action and the Firepower Management Center cannot establish connectivity with the AMP cloud, the system cannot perform any configured rule action options until connectivity is restored."
https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/file_policies_and_advanced_malware_protection.html#id_96014
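To make the two points argued in this thread concrete (the EICAR-over-TLS test above, and the "no connectivity, no rule action" quote from the config guide), here is an added Python model of how a file rule's Malware Cloud Lookup / Block Malware decision flows. It is illustration code written for this page, not Cisco's implementation: the magic-byte table, the stand-in AMP cloud disposition table, the sample payloads and the `cloud_reachable` switch are all constructed here and labelled as such. What it shows that the thread only states: the lookup key is the SHA-256 of the file, file-type matching happens before the lookup, a TLS session that is not decrypted never reaches the file policy at all, and an unreachable cloud leaves the rule unable to act regardless of the policy.

```python
"""Added illustration (not Cisco code) of a Firepower file-rule decision.

Everything below is constructed for the example: the file-type magic list,
the fake AMP cloud disposition table, the sample payloads and the flag that
simulates whether the FMC can reach the AMP cloud.
"""
import hashlib
from dataclasses import dataclass

# Constructed subset of file-type detection by magic bytes. The file policy
# matches on the detected type, not on the filename extension.
MAGIC = {
    b"MZ": "MSEXE",
    b"%PDF": "PDF",
    b"PK\x03\x04": "ZIP",
}

# Constructed sample payloads (not real malware; the "malicious" one is only
# marked so in the fake cloud table below).
BAD_EXE = b"MZ" + b"constructed-sample-not-real-malware"
CLEAN_PDF = b"%PDF-1.4 constructed clean sample"


def sha256_hex(data: bytes) -> str:
    """The lookup key a Malware Cloud Lookup action sends: the file's SHA-256."""
    return hashlib.sha256(data).hexdigest()


# Stand-in for the AMP cloud: SHA-256 -> disposition. Constructed.
CLOUD_DISPOSITIONS = {
    sha256_hex(BAD_EXE): "Malware",
    sha256_hex(CLEAN_PDF): "Clean",
}


def file_type(data: bytes) -> str:
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "UNKNOWN"


def cloud_lookup(digest: str) -> str:
    # Hashes the cloud has never seen come back as Unknown.
    return CLOUD_DISPOSITIONS.get(digest, "Unknown")


@dataclass
class Flow:
    name: str
    payload: bytes
    tls: bool          # is the file carried inside a TLS session?
    decrypted: bool    # does an SSL decryption policy decrypt that session?


@dataclass
class FileRule:
    types: set         # detected file types this rule applies to
    action: str        # "Malware Cloud Lookup" or "Block Malware"


def evaluate(flow: Flow, rule: FileRule, cloud_reachable: bool) -> tuple:
    """Return (verdict, detail) for one file transfer.

    verdict is one of: 'not inspected', 'skipped', 'no action', 'allow', 'block'.
    """
    # An encrypted session that is not decrypted never exposes the file, so no
    # type detection, no SHA-256 and no lookup happen (the EICAR-over-TLS point).
    if flow.tls and not flow.decrypted:
        return "not inspected", "TLS session not decrypted"
    ftype = file_type(flow.payload)
    if ftype not in rule.types:
        return "skipped", f"type {ftype} not matched by rule"
    digest = sha256_hex(flow.payload)
    # Per the config guide text quoted above: without AMP cloud connectivity
    # the configured rule action cannot be performed until it is restored.
    if not cloud_reachable:
        return "no action", "AMP cloud unreachable"
    disposition = cloud_lookup(digest)
    if disposition == "Malware" and rule.action == "Block Malware":
        return "block", digest
    return "allow", f"{disposition}:{digest}"


def demo() -> dict:
    """Run the constructed scenarios and return verdicts keyed by scenario name."""
    rule = FileRule(types={"MSEXE", "ZIP"}, action="Block Malware")
    flows = [
        Flow("exe over http", BAD_EXE, tls=False, decrypted=False),
        Flow("exe over tls, no decryption policy", BAD_EXE, tls=True, decrypted=False),
        Flow("exe over tls, decrypted", BAD_EXE, tls=True, decrypted=True),
        Flow("pdf over http", CLEAN_PDF, tls=False, decrypted=False),
    ]
    results = {f.name: evaluate(f, rule, cloud_reachable=True)[0] for f in flows}
    results["exe over http, cloud down"] = evaluate(flows[0], rule, cloud_reachable=False)[0]
    return results


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:40s} -> {verdict}")
```

Running it shows the executable blocked on plain HTTP and on a decrypted TLS session, "not inspected" on an undecrypted TLS session, and "no action" when the cloud is unreachable even though the policy and the malicious hash are both present, which is the distinction the D/E vs. A argument turns on.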
I would go with original C and E. Cisco configuration guide stipulates that:
Local malware analysis does not require establishing communications with the Cisco Threat Grid cloud. However, you must configure communications with the cloud to submit files pre classified as malware for dynamic analysis, and to download updates to the local malware analysis rule set.
Commenters (as listed on the page): netwguy (Highly Voted, 2 years, 11 months ago); z6st2a1jv (Highly Voted, 10 months ago); z6st2a1jv (10 months ago); gwb (5 months, 2 weeks ago); bds90 (Most Recent, 6 months, 3 weeks ago); whysohardwhy (1 week, 1 day ago); Dreng65 (1 year, 1 month ago); SegaMasterSystemAdmin (1 year, 2 months ago); THEODORABLE (1 year, 3 months ago); Silexis (3 weeks ago); Joe_Blue (1 year, 5 months ago); matan24 (1 year, 4 months ago); ureis (1 year, 3 months ago); Baumb (1 year, 6 months ago); Joninjimbo (10 months ago); Jmonteiro33 (1 year, 11 months ago); dique (1 year, 11 months ago); xziomal9 (2 years, 2 months ago); xYanivDx (2 years, 3 months ago); hz033 (2 years, 3 months ago); trickbot (2 years, 6 months ago); Sarbi (2 years, 10 months ago); Bobster02 (3 years, 2 months ago); kakakayayaya (3 years, 2 months ago)