File and Malware Inspection Performance and Storage Tuning

The following topics describe how to configure file and malware inspection performance and storage:

File and Malware Inspection Performance and Storage Options

Increasing the file sizes can affect the performance of the system.

Table 1. Advanced Access Control File and AMP for Networks Options

Field

Description

Guidelines and Restrictions

Limit the number of bytes inspected when doing file type detection

Specifies the number of bytes inspected when performing file type detection.

0 - 4294967295 (4GB)

0 removes the restriction.

The default value is the maximum segment size of a TCP packet (1460 bytes). In most cases, the system can identify common file types using the first packet.

To detect ISO files, enter a value greater than 36870.

Allow file if cloud lookup for Block Malware takes longer than (seconds)

Specifies how long the system will hold the last byte of a file that matches a Block Malware rule and that does not have a cached disposition, while malware cloud lookup occurs. If the time elapses without the system obtaining a disposition, the file passes. Dispositions of Unavailable are not cached.

0 - 30 seconds

Do not set this option to 0 without contacting Support.

Cisco recommends that you use the default value to avoid blocking traffic because of connection failures.

Do not calculate SHA-256 hash values for files larger than (in bytes)

Prevents the system from storing files larger than a certain size, performing a malware cloud lookup on the files, or blocking the files if added to the custom detection list.

0 - 4294967295 (4GB)

0 removes the restriction.

This value must be greater than or equal to Maximum file size to store (bytes) and Maximum file size for dynamic analysis testing (bytes).

Minimum file size for advanced file inspection and storage (bytes)

These settings specify:

  • The file size that the system can inspect using the following detectors:

    • Spero analysis

    • Sandboxing and preclassification

    • Local malware analysis/ClamAV

    • Archive inspection

  • The file size that the system can store using a file rule.

0 - 10485760 (10MB)

0 disables file storage.

Must be less than or equal to Maximum file size to store (bytes) and Do not calculate SHA-256 hash values for files larger than (in bytes).

Maximum file size for advanced file inspection and storage (bytes)

0 - 10485760 (10MB)

0 disables file storage.

Must be greater than or equal to Minimum file size to store (bytes), and less than or equal to Do not calculate SHA-256 hash values for files larger than (in bytes).

Minimum file size for dynamic analysis testing (bytes)

Specifies the minimum file size the system can submit to the AMP cloud for dynamic analysis.

0 -10485760 (10MB)

Must be less than or equal to Maximum file size for dynamic analysis testing (bytes) and Do not calculate SHA-256 hash values for files larger than (in bytes).

The file size for dynamic analysis must be within the limits defined by the minimum and maximum settings for file analysis.

The system checks the AMP cloud for updates to the minimum file size you can submit (no more than once a day). If the new minimum size is larger than your current value, your current value is updated to the new minimum, and your policy is marked out-of-date.

Maximum file size for dynamic analysis testing (bytes)

Specifies the maximum file size the system can submit to the AMP cloud for dynamic analysis.

0 -10485760 (10MB)

Must be greater than or equal to Minimum file size for dynamic analysis testing (bytes), and less than or equal to Do not calculate SHA-256 hash values for files larger than (in bytes).

The file size for dynamic analysis must be within the limits defined by the minimum and maximum settings for file analysis.

The system checks the AMP cloud for updates to the maximum file size you can submit (no more than once a day). If the new maximum size is smaller than your current value, your current value is updated to the new maximum, and your policy is marked out-of-date.

Tuning File and Malware Inspection Performance and Storage

You must be an Admin, Access Admin, or Network Admin user to perform this task.

Procedure


Step 1

In the access control policy editor, click Advanced Settings.

Step 2

Click Edit (edit icon) next to Files and Malware Settings.

If View (view button) appears instead, settings are inherited from an ancestor policy, or you do not have permission to modify the settings. If the configuration is unlocked, uncheck Inherit from base policy to enable editing.

Step 3

Set any of the options described in File and Malware Inspection Performance and Storage Options.

Step 4

Click OK.

Step 5

Click Save to save the policy.


What to do next