Override File Disposition Using Custom Lists

If a file has a disposition in the AMP cloud that you know to be incorrect, you can add the file’s SHA-256 value to a file list that overrides the disposition from the cloud:

  • To treat a file as if the AMP cloud assigned a clean disposition, add the file to the clean list.

  • To treat a file as if the AMP cloud assigned a malware disposition, add the file to the custom detection list.

On subsequent detection, the device either allows or blocks the file without reevaluating the file's disposition. You can enable the clean list or the custom detection list on a per-file-policy basis.

Note
To calculate a file's SHA-256 value, you must configure a rule in the file policy to either perform a malware cloud lookup or block malware on matching files.

For complete information about using file lists in Firepower, see File List.

Alternatively, if applicable, use Centralized File Lists from AMP for Endpoints.
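
The following added example (not Cisco code and not part of the original page) shows one way to vet SHA-256 values before they are entered into the clean list or custom detection list, and models the override described above. All function names are hypothetical. The page does not say what happens when a hash is on both lists, so this sketch assumes nothing and refuses such entries.

```python
import hashlib
import re
import tempfile
from pathlib import Path

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large samples are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def normalize(values):
    """Trim, lower-case and de-duplicate; reject anything that is not a SHA-256."""
    seen, bad = [], []
    for raw in values:
        v = raw.strip().lower()
        if not SHA256_RE.match(v):
            bad.append(raw)
        elif v not in seen:
            seen.append(v)
    return seen, bad

def check_lists(clean, detection):
    """Return normalized lists plus any hash that appears on both of them."""
    clean_ok, clean_bad = normalize(clean)
    det_ok, det_bad = normalize(detection)
    return {"clean": clean_ok, "detection": det_ok,
            "rejected": clean_bad + det_bad,
            "conflicts": sorted(set(clean_ok) & set(det_ok))}

def effective_disposition(sha256, cloud_disposition, lists):
    """Model of the override: a list entry wins over the cloud disposition."""
    if sha256 in lists["conflicts"]:
        raise ValueError("hash is on both lists; resolve before deploying")
    if sha256 in lists["clean"]:
        return "clean"
    if sha256 in lists["detection"]:
        return "malware"
    return cloud_disposition

def demo():
    # Constructed sample file and constructed list entries, not real indicators.
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "tool.bin"
        sample.write_bytes(b"constructed sample content\n")
        h = sha256_file(sample)
    lists = check_lists([h.upper() + " ", "not-a-hash"], ["ab" * 32])
    return h, lists, effective_disposition(h, "malware", lists)
```

Review the `rejected` and `conflicts` results before updating either list, since a mistyped hash silently fails to match and a clean-list entry allows the file without reevaluation.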