Override file disposition using custom lists
Override file disposition using custom lists is a security mechanism that
- allows administrators to correct incorrect file dispositions from the AMP cloud by adding SHA-256 values to specific file lists,
- enables treating files as clean or malware regardless of the original cloud disposition, and
- provides per-file policy control without reevaluating the file's disposition on subsequent detection.
File list types and usage
If a file has a disposition in the AMP cloud that you know to be incorrect, you can add the file's SHA-256 value to a file list that overrides the disposition from the cloud:
- To treat a file as if the AMP cloud assigned a clean disposition, add the file to the clean list.
- To treat a file as if the AMP cloud assigned a malware disposition, add the file to the custom detection list.
On subsequent detection, the device either allows or blocks the file without reevaluating the file's disposition. You can use the clean list or custom detection list per file policy.
Note: To calculate a file's SHA-256 value, you must configure a rule in the file policy to either perform a malware cloud lookup or block malware on matching files.
For complete information about using file lists in Firepower, refer to File List.
Alternatively, if applicable, use Centralized file lists from Secure Endpoint.
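Preparing override entries on an administrator workstation, as an added example that is not Cisco's code: it hashes a file, validates candidate SHA-256 values, and flags any hash that was placed on both the clean list and the custom detection list. The function names and the sample data are assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

SHA256_RE = re.compile(r"[0-9a-f]{64}")  # 64 lowercase hex characters


def sha256_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so large samples are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def normalize(values):
    """Return (valid, rejected): lowercased, de-duplicated hashes in input order."""
    valid, rejected, seen = [], [], set()
    for raw in values:
        value = raw.strip().lower()
        if not SHA256_RE.fullmatch(value):
            rejected.append(raw)          # truncated, MD5/SHA-1, or mistyped entry
        elif value not in seen:
            seen.add(value)
            valid.append(value)
    return valid, rejected


def review_overrides(clean, custom_detection):
    """Validate both candidate lists and flag hashes that appear in both."""
    clean_ok, clean_bad = normalize(clean)
    detect_ok, detect_bad = normalize(custom_detection)
    conflicts = sorted(set(clean_ok) & set(detect_ok))
    return {"clean": clean_ok, "custom_detection": detect_ok,
            "rejected": clean_bad + detect_bad, "conflicts": conflicts}


def demo():
    # Constructed sample: a temporary file stands in for a file whose
    # cloud disposition is known to be incorrect.
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "sample.bin"
        sample.write_bytes(b"abc")
        digest = sha256_of(sample)
    return review_overrides([digest.upper(), "not-a-hash"], [digest, "0" * 64])


if __name__ == "__main__":
    print(demo())
```

A hash reported under `conflicts` requests both a clean and a malware override for the same file, so resolve it before adding either entry.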