File Rule Best Practices
Note the following guidelines and limitations when configuring file rules:
-
A rule configured to block files in a passive deployment does not block matching files. Because the connection continues to transmit the file, if you configure the rule to log the beginning of the connection, you may see multiple events logged for this connection.
-
A policy can include multiple rules. When you create the rules, ensure that no rule is "shadowed" by a previous rule.
-
The file types supported for dynamic analysis are a subset of the file types supported for other types of analysis. To view the file types supported for each type of analysis, navigate to the file rule configuration page, select the Block Malware action, and select the checkboxes of interest.
To ensure that the system examines all file types, create separate rules (within the same policy) for dynamic analysis and for other types of analysis.
-
If a file rule is configured with a Malware Cloud Lookup or Block Malware action and the management center cannot establish connectivity with the AMP cloud, the system cannot perform any configured rule action options until connectivity is restored.
-
Cisco recommends that you enable Reset Connection for the Block Files and Block Malware actions to prevent blocked application sessions from remaining open until the TCP connection resets. If you do not reset connections, the client session will remain open until the TCP connection resets itself.
-
If you are monitoring high volumes of traffic, do not store all captured files, or submit all captured files for dynamic analysis. Doing so can negatively impact system performance.
-
You cannot perform malware analysis on all file types detected by the system. After you select values from the Application Protocol, Direction of Transfer, and Action drop-down lists, the system constrains the list of file types.