Cisco SD-WAN Advanced Malware Protection (AMP) is a security service that allows edge routers to inspect file downloads and detect, contain, and remove malware in real-time. AMP uses the Snort engine running on edge routers and leverages two cloud-based security services:

  • AMP Cloud - a context-rich malware database that provides information about encountered files based on millions of samples across thousands of customers. The knowledge-based service is provided by Cisco Talos, which is one of the largest and most trusted commercial cybersecurity providers in the world.
  • Secure Malware Analytics (formerly known as Threat Grid) - a unified security solution that provides threat intelligence and advanced sandboxing. The service detonates unknown files in a sandboxing environment and then analyzes their behavior against millions of samples and malware indicators.

Figure 1 illustrates a high-level overview of the Advanced Malware Protection (AMP) process on a WAN edge router.

Figure 1. Advanced Malware Protection (AMP) Overview

How does AMP work?

When an AMP security policy is enabled on an edge router, it intercepts file downloads. When the router detects a file download, it performs the following actions, as shown in Figure 1 above:

  1. The router sends the file to the Snort file pre-processor for identification.
  2. The Snort engine computes the SHA256 hash for the requested file and makes a local cache lookup to decide whether the hash is known to be clean or malicious.
  3. If the hash does not match an entry in the local cache, the router sends the hash plus a context to the AMP cloud for further identification.
  4. The AMP cloud matches the SHA256 hash against the context-rich malware database and responds back with a file reputation score.
  5. The WAN edge router decides whether or not to allow the file download based on the following three responses by the AMP cloud:
    1. Clean - if the AMP cloud responds that the file is "clean," the router allows the file download to complete.
    2. Unknown - the scariest scenario for security engineers is when the AMP cloud responds that the file is unknown. The router allows the file download to complete and, depending on the config, sends the file for analysis.
      1. File Analysis - If File Analysis is configured in the AMP policy, the edge router sends the file to Threat Grid for detonation in a sandbox VM. During detonation, the sandbox captures hundreds of indicators of the behavior of the file, then gives an overall threat score from 1 through 100 (lower is better). Then Threat Grid reports the score to the AMP cloud so that the next time the file is encountered, it's treated accordingly. Keep in mind that Threat Grid requires a separate account.
      2. Retrospection - Information about files is maintained and re-evaluated long after a file is downloaded by a host. Threat Grid could detect malicious activity by a sandboxed file hours after it was first detonated. Then it changes the threat score of the file based on the new findings and generates automatic retrospective notifications.
    3. Malicious - if the AMP cloud responds that the file is known to be bad, the router interrupts the file download.
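The decision flow in steps 1-5 can be modelled in a few lines of Python. This is an added illustration, not Cisco's implementation: the class and method names, the sample host addresses, the cut-off score of 90, the choice to cache only definitive verdicts, and the per-hash host list used for the retrospective result are all assumptions, and a dictionary stands in for the AMP cloud.

```python
import hashlib

CLEAN, UNKNOWN, MALICIOUS = "clean", "unknown", "malicious"

class AmpFlowModel:
    """Simplified model of steps 1-5; the dict `cloud` stands in for the AMP cloud."""

    def __init__(self, cloud, file_analysis=True):
        self.cloud = cloud              # sha256 -> disposition (constructed data)
        self.cache = {}                 # router-local cache of definitive verdicts
        self.file_analysis = file_analysis
        self.sandbox_queue = []         # hashes submitted for detonation
        self.allowed = {}               # sha256 -> hosts that completed the download

    def disposition(self, sha256):
        if sha256 in self.cache:                    # step 2: local cache lookup
            return self.cache[sha256]
        verdict = self.cloud.get(sha256, UNKNOWN)   # steps 3-4: ask the cloud
        if verdict != UNKNOWN:                      # assumption: cache only definitive answers
            self.cache[sha256] = verdict
        return verdict

    def download(self, host, data):
        sha256 = hashlib.sha256(data).hexdigest()   # step 2: hash the file
        verdict = self.disposition(sha256)
        if verdict == MALICIOUS:                    # step 5.3: interrupt the download
            return "block"
        if verdict == UNKNOWN and self.file_analysis and sha256 not in self.sandbox_queue:
            self.sandbox_queue.append(sha256)       # step 5.2.1: submit for sandboxing
        self.allowed.setdefault(sha256, []).append(host)
        return "allow"

    def sandbox_result(self, sha256, threat_score, malicious_at=90):
        """Score reported back to the cloud; the 90 cut-off is an assumed value."""
        if threat_score < malicious_at:
            return []
        self.cloud[sha256] = MALICIOUS              # next lookup returns the new verdict
        self.cache.pop(sha256, None)
        return self.allowed.get(sha256, [])         # hosts to flag retrospectively

def demo():
    known_bad = b"constructed-known-bad-sample"     # constructed sample inputs
    dropper = b"constructed-unknown-sample"
    model = AmpFlowModel({hashlib.sha256(known_bad).hexdigest(): MALICIOUS})
    first = [model.download("10.1.1.10", known_bad), model.download("10.1.1.11", dropper)]
    flagged = model.sandbox_result(model.sandbox_queue[0], threat_score=95)
    return first, flagged, model.download("10.1.1.12", dropper)
```

The demo shows the gap the "Unknown" case leaves open: the first host receives the unknown file before the sandbox verdict arrives, so the retrospective result is the only signal that host needs follow-up.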

AMP Configuration Workflow

Figure 2 below illustrates a summary of the configuration steps required to enable an Advanced Malware Protection (AMP) policy in Cisco SD-WAN:

Figure 2. AMP Configuration Workflow

  1. To apply an AMP policy to an edge router, we must upload the necessary UTD container image to vManage's software repository, as described in the IPS lessons of this section. The UTD container image is packaged in TAR format and is downloadable from the software.cisco.com page.
  2. Like all UTD policies available in vManage, we always start by configuring a new security policy, either by following one of the pre-defined workflows or by going directly to the Custom options and creating a new AMP policy. The security policy is a logical container of all Firewall and UTD policies that we will configure on the edge router templates (hence configuring the routers having this device template attached).
  3. Within the AMP policy page, the first thing we configure is the VPN(s) that will be inspected by the AMP engine. We specify the AMP and TG cloud regions that are in the closest geographical proximity to the routers' location in order to have optimal network connectivity. Then, we define whether File Analysis is enabled and the Threat Grid API key necessary for sending files for sandboxing.
  4. Lastly, before attaching the security policy to the respective device template, we must configure a Secure App Hosting Feature Template.
  5. The last step is to attach the security policy to the device template attached to the edge router(s). Keep in mind that a NAT DIA route must be present in the targeted VPNs to apply an Advanced Malware Protection policy. If a UTD policy has never been applied to the router(s) before, vManage will automatically initiate a UTD container installation, which takes some time.

Figure 2 shows the order of operation in which the security features take place. Notice that Advanced Malware Protection occurs after the Enterprise Firewall, IPS, and URL-F policies.