File Policy Essentials – Cisco Malware and File Policy

File Policy Essentials

To monitor and control network-based file transfers, Secure Firewall offers a standalone policy known as a file policy. A file policy enables you to detect any file type, such as media files (.mp3, .mpeg) and executable files (.exe, .rpm). In addition, a threat defense can analyze a file for potential malware when the file traverses a network. By design, a threat defense can detect and block files based on their type before it performs lookups for malware.

Figure 16-1 shows the architectural diagram of the Secure Firewall engines. The figure highlights both components of a file policy—file type control and malware analysis—which are described in the following sections.

Figure 16-1 Processing of Packets by Various Components of Security Engines (Highlighting Malware and File Policy Operations)


File Type Detection

Secure Firewall uses file magic numbers to identify a file format. A file magic number is a short, fixed sequence of bytes (written in hex) that a file format places at a known offset in its header. When a file traverses a network, a threat defense can match the file magic number against the reassembled stream of packets to determine the file format regardless of the file's name or extension. For example, for a Microsoft executable (MSEXE) file, the file magic number is 4D 5A, and it is located at the beginning of the file (offset 0). To find this number, Snort uses the following rule on the threat defense:


file type:MSEXE; id:21; category:Executables,Dynamic Analysis Capable,Local Malware Analysis Capable; msg:"Windows/DOS executable file "; rev:1; content: | 4D 5A|; offset:0;

Figure 16-2 demonstrates the magic number on a TCP packet. This packet is captured when a client downloads an executable file from a website. After completing the TCP three-way handshake, the server sends this information to the client.

Figure 16-2 Retrieving the Magic Number from the Stream of Packets
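The following Python is an added example, not Cisco or Snort code. It parses file-magic rules written in the same layout as the Snort rule quoted above, reassembles a file body from packet payloads, identifies the type by magic number at the rule's offset, and then applies the policy ordering described at the top of the page: file type control first, and the malware lookup stage only for files that pass it. The MSEXE rule is the one from the page; the PDF, ELF and ZIP rules use well-known magic bytes but their id values and category strings are constructed for this example, as are the packet payloads and the blocked-type set.

```python
"""Added example (not Cisco/Snort code): magic-number file type detection and
file-policy ordering. The MSEXE rule is quoted from the page; the other rules,
their id values, categories and the sample packets are constructed here."""
from typing import Optional

FILE_MAGIC_RULES = [
    # Rule quoted on the page (MZ header of a Windows/DOS executable).
    'file type:MSEXE; id:21; category:Executables,Dynamic Analysis Capable,'
    'Local Malware Analysis Capable; msg:"Windows/DOS executable file "; rev:1; '
    'content: | 4D 5A|; offset:0;',
    # Constructed rules: real magic bytes, hypothetical ids and categories.
    'file type:PDF; id:9001; category:PDF files,Local Malware Analysis Capable; '
    'msg:"PDF file"; rev:1; content:| 25 50 44 46 |; offset:0;',
    'file type:ELF; id:9002; category:Executables; msg:"ELF executable"; rev:1; '
    'content:| 7F 45 4C 46 |; offset:0;',
    'file type:ZIP; id:9003; category:Archive; msg:"ZIP archive"; rev:1; '
    'content:| 50 4B 03 04 |; offset:0;',
]


def parse_rule(rule: str) -> dict:
    """Split a 'key:value; key:value;' rule into fields and decode the
    '| 4D 5A|' hex content into raw bytes."""
    fields = {}
    for part in rule.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition(":")
            fields[key.strip()] = value.strip()
    hex_digits = fields["content"].strip("|").replace(" ", "")
    return {
        "type": fields["file type"],
        "id": int(fields["id"]),
        "categories": [c.strip() for c in fields["category"].split(",")],
        "msg": fields["msg"].strip('"').strip(),
        "magic": bytes.fromhex(hex_digits),
        "offset": int(fields.get("offset", "0")),
    }


RULES = [parse_rule(r) for r in FILE_MAGIC_RULES]


def reassemble(packets: list) -> bytes:
    """Join TCP payloads in order; a magic number may straddle two packets,
    so matching must run on the reassembled stream, not on one packet."""
    return b"".join(packets)


def identify_file_type(stream: bytes, rules: list = RULES) -> Optional[dict]:
    """Return the first rule whose magic bytes appear at its offset, else None."""
    for rule in rules:
        start, end = rule["offset"], rule["offset"] + len(rule["magic"])
        if len(stream) >= end and stream[start:end] == rule["magic"]:
            return rule
    return None


def file_policy_decision(stream: bytes, blocked_types: set, rules: list = RULES) -> dict:
    """File type control runs before malware analysis: a blocked type is
    dropped and never reaches the lookup stage. A type whose rule carries a
    malware-analysis category proceeds to that stage; anything else passes."""
    rule = identify_file_type(stream, rules)
    ftype = rule["type"] if rule else "UNKNOWN"
    if ftype in blocked_types:
        return {"type": ftype, "action": "BLOCK", "next_stage": "none"}
    analyzable = rule is not None and any(
        "Malware Analysis" in c for c in rule["categories"])
    return {"type": ftype, "action": "PASS_TYPE_CONTROL",
            "next_stage": "malware_lookup" if analyzable else "none"}


# Constructed payloads: the MZ header split across two segments, as it could be
# when the server sends the file after the three-way handshake.
PE_PACKETS = [b"M", b"Z\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"]
PDF_BYTES = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"

if __name__ == "__main__":
    blocked = {"MSEXE"}  # constructed policy: block Windows executables by type
    for label, data in (("download.pdf (really MZ)", reassemble(PE_PACKETS)),
                        ("report.pdf", PDF_BYTES)):
        print(label, file_policy_decision(data, blocked))
```

The first sample is named like a PDF but starts with 4D 5A, so it is classified as MSEXE and blocked by type control before any hash lookup would run; the real PDF passes type control and is handed to the malware lookup stage.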
