File and Malware Inspection Performance and Storage Options
Increasing the file sizes can affect the performance of the system.
Caution | For Classic devices only, configuring Configuring a non-default value under Files and Malware Settings restarts the Snort process when you deploy configuration changes, temporarily interrupting traffic inspection. Whether traffic drops during this interruption or passes without further inspection depends on how the target device handles traffic. See Snort Restart Traffic Behavior for more information. |
Field |
Description |
Guidelines and Restrictions |
---|---|---|
Limit the number of bytes inspected when doing file type detection |
Specifies the number of bytes inspected when performing file type detection. |
0 - 4294967295 (4GB) 0 removes the restriction. The default value is the maximum segment size of a TCP packet (1460 bytes). In most cases, the system can identify common file types using the first packet. To detect ISO files, enter a value greater than 36870. |
Allow file if cloud lookup for Block Malware takes longer than (seconds) |
Specifies how long the system will hold the last byte of a file that matches a Block Malware rule and that does not have a cached disposition, while malware cloud lookup occurs. If the time elapses without the system obtaining a disposition, the file passes. Dispositions of Unavailable are not cached. |
0 - 30 seconds Do not set this option to 0 without contacting Support. Cisco recommends that you use the default value to avoid blocking traffic because of connection failures. |
Do not calculate SHA-256 hash values for files larger than (in bytes) |
Prevents the system from storing files larger than a certain size, performing a malware cloud lookup on the files, or blocking the files if added to the custom detection list. |
0 - 4294967295 (4GB) 0 removes the restriction. This value must be greater than or equal to Maximum file size to store (bytes) and Maximum file size for dynamic analysis testing (bytes). |
Minimum file size to store (bytes)Minimum file size for advanced file inspection and storage (bytes) |
These settings specify:
|
0 - 10485760 (10MB) 0 disables file storage. Must be less than or equal to Maximum file size to store (bytes) and Do not calculate SHA-256 hash values for files larger than (in bytes). |
Maximum file size to store (bytes)Maximum file size for advanced file inspection and storage (bytes) |
0 - 10485760 (10MB) 0 disables file storage. Must be greater than or equal to Minimum file size to store (bytes), and less than or equal to Do not calculate SHA-256 hash values for files larger than (in bytes). | |
Minimum file size for dynamic analysis testing (bytes) |
Specifies the minimum file size the system can submit to the AMP cloud for dynamic analysis. |
0 -10485760 (10MB) Must be less than or equal to Maximum file size for dynamic analysis testing (bytes) and Do not calculate SHA-256 hash values for files larger than (in bytes). The file size for dynamic analysis must be within the limits defined by the minimum and maximum settings for file analysis. If you deploy to a device running Firepower Version 5.x, the system changes all values less than 15360, to 15360. The system checks the AMP cloud for updates to the minimum file size you can submit (no more than once a day). If the new minimum size is larger than your current value, your current value is updated to the new minimum, and your policy is marked out-of-date. |
Maximum file size for dynamic analysis testing (bytes) |
Specifies the maximum file size the system can submit to the AMP cloud for dynamic analysis. |
0 -10485760 (10MB) Must be greater than or equal to Minimum file size for dynamic analysis testing (bytes), and less than or equal to Do not calculate SHA-256 hash values for files larger than (in bytes). The file size for dynamic analysis must be within the limits defined by the minimum and maximum settings for file analysis. If you deploy to a device running Firepower Version 5.x, the system changes all values greater than 2097152, to 2097152. The system checks the AMP cloud for updates to the maximum file size you can submit (no more than once a day). If the new maximum size is smaller than your current value, your current value is updated to the new maximum, and your policy is marked out-of-date. |