topic Hello Zaheer, in Endpoint Security

AMP for Endpoint auto scan

zaheer.jahangir1 — Fri, 21 Feb 2020 05:04:33 GMT

I have been working on AMP for network and Endpoints, at start I faced a lot of issues with servers which i gradually resolved with addition of exclusions but for the last few days I dont know how and why AMP connector starts scanning the endpoint and effects performance of the machine.
can anyone help me on this please.

Looking forward.

What kind of scan it is?

Dinesh Verma — Wed, 05 Jul 2017 21:11:52 GMT

What kind of scan it is? Automatic scan you've configured in policy? if yes, is it full or flash or custom scan? When you say it affects the performance, you mean CPU or Disk activity goes high? It crashes the system?

Verify the scheduled scan by editing the policy: File > Scheduled Scans

A Full scan will scan the processes running, the registry entries, and all the files on disk. This scan is very resource-intensive and should not be performed on a regular basis. So avoid full scan every time.

There is another scan by policy, verify if you've this configured:

https://console.amp.cisco.com/help/en/wwhelp/wwhimpl/js/html/wwhelp.htm

If you open up a TAC case with diagnostic file attached, that would be great.

well the memory gives spikes.

zaheer.jahangir1 — Sun, 09 Jul 2017 11:08:52 GMT

well the memory gives spikes...can i check what are the files and paths etc that are currently being checked by AMP, I mean those files folders that will not be a part of exclusions.
are these all running services, if yes then do we have to exclude all these running services, if yes then it is weird.

Hello Zaheer,

Jetsy Mathew — Sun, 09 Jul 2017 11:21:57 GMT

Hello Zaheer,

If you are seeing the memory spikes, then we need the diagnostics file . if its a version 5.1 , then you wont be be able to get the file counts and path which is continoulsy scanned by AMP by using the sqlite queries. if the version is below 5.1 then you can use the following article to run the sql query and get the list of files that are scanned.

http://www.cisco.com/c/en/us/support/docs/security/advanced-malware-protection-endpoints/118802-technote-fireamp-00.html

if you are using the version above 5 or 5.1 , then please open a TAC case and get the diagnostics in DEBUG mode so that team can help you in the fine tuning.

Rate if this answer helps.

Regards

Jetsy

Hi Jetsy,

zaheer.jahangir1 — Sun, 09 Jul 2017 11:30:40 GMT

Hi Jetsy,

Putting it in debug mode will not further effect the system?

Hello Zaheer,

Jetsy Mathew — Sun, 09 Jul 2017 14:49:33 GMT

Hello Zaheer,

Just enable the DEBUG and let it run for 15-20 minutes and generate the diagnostics file.

Enabling the DEBUG wont affect the system.

Regards

Jetsy

This debug must go to Cisco

zaheer.jahangir1 — Mon, 10 Jul 2017 05:23:14 GMT

This debug must go to Cisco or is the debug something like routers/switches and Firewalls which we can also have a look at or is there any special tool used for this by cisco.

Hello Zaheer,

Jetsy Mathew — Mon, 10 Jul 2017 12:00:30 GMT

Hello Zaheer,

refer the following link and you can obtain the diag file.

http://www.cisco.com/c/en/us/support/docs/security/sourcefire-fireamp-endpoints/118228-technote-fireamp-00.html

Let me know if you have any questions.

Also you can open a case with TAC by adding this diag file.

Regards

Jetsy

Thanks to all, I have fixed

zaheer.jahangir1 — Wed, 19 Jul 2017 05:08:11 GMT

Thanks to all, I have fixed the issue but checking the running services on the endpoints and excluding the necessary ones, the issue was due to a microsoft patch..

Hello Zaheer,

Jetsy Mathew — Thu, 20 Jul 2017 13:18:35 GMT

Hello Zaheer,

Its always important to identify your environment and exclude the necessary process based on the requirements.

This will improve the performance very well.

Here is the exclusion guide for your quick reference.

http://www.cisco.com/c/en/us/support/docs/security/sourcefire-fireamp-endpoints/118341-configure-fireamp-00.html

Glad that you could resolve the issue.

Regards

Jetsy

Re: What kind of scan it is?

vaibhav58 — Sat, 20 Jan 2018 19:51:42 GMT

Hi All,

Is it possible to stop a scheduled scan from the console. we have an automated scan scheduled and we are having issues on the servers . Is there any option to kill it from the console.

Re: What kind of scan it is?

younus.khan — Thu, 06 Dec 2018 20:55:32 GMT

Can you pls explain me how this AMP works. I have 36 required attentions in my inbox status.

How can I get rid of this 36 attentions