https://community.cisco.com/t5/endpoint-security/amp/m-p/3810085#M3106 <P>Juan,</P> <P>&nbsp;</P> <P>You are correct that they will remain In Progress until you mark them as Resolved.&nbsp; As for the Malware Executed, there are a number of reasons you may see this, most common being that the policy was in Audit mode.&nbsp; If you would like someone to take a closer look, I recommend opening a TAC case.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>Matt</P> Tue, 26 Feb 2019 16:03:57 GMT Matthew Franks 2019-02-26T16:03:57Z https://community.cisco.com/t5/endpoint-security/amp/m-p/3809466#M3103 <P>Hello, evaluating AMP for Endpoints first configuring policy to Audit, and after that first scan I change computers to group of Protect, check image attached, and my question is, how to apply the actions??&nbsp; There are files detected that I delete it and still being reported by AMP.</P> <P>&nbsp;</P> <P>On Requiere Attention I enabled, but it´s been more than 4 days with events In Progress but nothing does.&nbsp; How can I apply actions to take AMP?</P> <P>&nbsp;</P> <P>Regards,</P> <P>Juan Carlos Arias</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 21 Feb 2020 05:08:05 GMT https://community.cisco.com/t5/endpoint-security/amp/m-p/3809466#M3103 Juan Carlos Arias Perez 2020-02-21T05:08:05Z https://community.cisco.com/t5/endpoint-security/amp/m-p/3809477#M3104 <P>Juan,</P> <P>&nbsp;</P> <P>Those will not automatically be marked as Resolved.&nbsp; When there is an event in the Requires Attention section, you can click the Begin Work button which will move it into the In Progress section.&nbsp; Then, you can click Mark Resolved when you are finished.&nbsp; This is done manually by a user as a way to track tasks, not automatically by anything on AMP's side.&nbsp; I hope that clears things up for you!</P> <P>&nbsp;</P> <P>Thanks,</P> <P>Matt</P> Tue, 26 Feb 2019 00:05:42 GMT https://community.cisco.com/t5/endpoint-security/amp/m-p/3809477#M3104 Matthew Franks 2019-02-26T00:05:42Z https://community.cisco.com/t5/endpoint-security/amp/m-p/3809984#M3105 <P>Hello Matthew, thanks for your comments, I made the steps you mention, but events remain In Progress tab until you select it and Mark Resolved, is this correct??</P> <P>&nbsp;</P> <P>But, on events of this Computer, I can see that some events actions like Policy Update, Scan Clean, Scan Started, and I can see one that it says Executed Malware, what are the recommended actions for this event??</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AMP2.jpg" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/30950iB4D903FF113BAEDB/image-size/large?v=v2&amp;px=999" role="button" title="AMP2.jpg" alt="AMP2.jpg" /></span></P> <P>&nbsp;</P> <P>Regards,</P> <P>Juan Carlos Arias</P> <P>&nbsp;</P> Tue, 26 Feb 2019 14:41:10 GMT https://community.cisco.com/t5/endpoint-security/amp/m-p/3809984#M3105 Juan Carlos Arias Perez 2019-02-26T14:41:10Z https://community.cisco.com/t5/endpoint-security/amp/m-p/3810085#M3106 <P>Juan,</P> <P>&nbsp;</P> <P>You are correct that they will remain In Progress until you mark them as Resolved.&nbsp; As for the Malware Executed, there are a number of reasons you may see this, most common being that the policy was in Audit mode.&nbsp; If you would like someone to take a closer look, I recommend opening a TAC case.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>Matt</P> Tue, 26 Feb 2019 16:03:57 GMT https://community.cisco.com/t5/endpoint-security/amp/m-p/3810085#M3106 Matthew Franks 2019-02-26T16:03:57Z https://community.cisco.com/t5/endpoint-security/amp/m-p/3810392#M3107 <P>Matthew, I´m evaluating the solution so I can´t open a case on TAC yet and my policy is to Protect.&nbsp; What I can see is that you need another software to complement the solution, like an AV or FW, is this correct??&nbsp;&nbsp; I´m saying this based on the actions that can be made after detecting malware or virus or something else, just trying to understand, thanks.</P> Tue, 26 Feb 2019 22:06:58 GMT https://community.cisco.com/t5/endpoint-security/amp/m-p/3810392#M3107 Juan Carlos Arias Perez 2019-02-26T22:06:58Z https://community.cisco.com/t5/endpoint-security/amp/m-p/3810395#M3108 <P>Juan,</P> <P>&nbsp;</P> <P>If you are in a POV, you can ask your Account Manager to open a case on your behalf with the appropriate logs from the system.&nbsp; With Malware Executed events, what typically takes place is a malicious process attempted to execute and AMP quarantined it.&nbsp; Look for a Quarantine event at the same time for the same file.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>Matt</P> Tue, 26 Feb 2019 22:09:59 GMT https://community.cisco.com/t5/endpoint-security/amp/m-p/3810395#M3108 Matthew Franks 2019-02-26T22:09:59Z https://community.cisco.com/t5/endpoint-security/amp/m-p/3810397#M3109 You´re right Matthew, some files have been moved to Quarantine, I didn´t notice that before.<BR />Regards, Tue, 26 Feb 2019 22:15:47 GMT https://community.cisco.com/t5/endpoint-security/amp/m-p/3810397#M3109 Juan Carlos Arias Perez 2019-02-26T22:15:47Z