Configuring an Access Control Rule to Perform Malware Protection
Caution | Enabling or disabling Store files in a Detect Files or Block Files rule, or adding the first or removing the last file rule that combines the Malware Cloud Lookup or Block Malware file rule action with an analysis option (Spero Analysis or MSEXE, Dynamic Analysis, or Local Malware Analysis) or a store files option (Malware, Unknown, Clean, or Custom), restarts the Snort process when you deploy configuration changes, temporarily interrupting traffic inspection. Whether traffic drops during this interruption or passes without further inspection depends on how the target device handles traffic. See Snort Restart Traffic Behavior for more information. |
Note | Inline normalization is enabled automatically when a file policy is included in an access control rule. For more information, see The Inline Normalization Preprocessor. |
Before you begin
-
Adaptive profiling must be enabled (its default state) as described in Configuring Adaptive Profiles for access control rules to perform file control, including AMP.
-
You must be an Admin, Access Admin, or Network Admin user to perform this task.
Procedure
Step 1 | In the access control rule editor (from Policies > Access Control), choose an Action of Allow, Interactive Block, or Interactive Block with reset. | ||
Step 2 | Choose a File Policy to inspect traffic that matches the access control rule, or choose None to disable file inspection for matching traffic. | ||
Step 3 | (Optional) Disable logging of file or malware events for matching connections by clicking Logging and unchecking Log Files.
| ||
Step 4 | Save the rule. | ||
Step 5 | Click Save to save the policy. |
What to do next
-
Deploy configuration changes.