Best practice on Exclusions

EnverSingh7603 — Fri, 21 Feb 2020 05:10:15 GMT

Hi,

Sorry if this has been asked previously.

If you are commencing with a new deployment of AMP on servers, which is the best way to start developing your exclusions?

I know there is a Cisco Maintained Exclusion set for Windows, but further to this what would be the best practice?

Is there a way to run a tool/script that audits potential files and processes to be considered for exclusions?

Thanks.

Re: Best practice on Exclusions

Troja007 — Wed, 07 Aug 2019 07:27:06 GMT

yes, you can/should use the Cisco Maintained exclusions. There are some points of view when installing AMP on a Server System.

Network monitoring: If the server provides services with high network activity, you should not install the DFC (network monitoring) component. You can, but there can be troubles. So test it.
Use the right exclusions.
The Tray icon can only connect once to the sfc.exe process from AMP. So, if there are multiple logged on users, you should disable the Tray icon in the policy.
Troubleshooting and determining the necessary exclusions.
- Exclude Applications with high disk activity.
- Exclude Application which are generating executable code. Take an eagle eye on development systems. 😉
- you can enable Debug Logging and generating a diagnostic file. The diagnostic file can be checked with a tool, which you can download from Github: https://github.com/CiscoSecurity/amp-05-windows-tune
Here is a cool explanation from Luis Velazquez generating a Report as well.
https://community.cisco.com/t5/advanced-threats/cisco-amp-100-usage-of-cpu/td-p/3877304

Hope this helps,

Greetings,

Thorsten