topic Re: Remove detected items in AMP in Endpoint Security

Remove detected items in AMP

anousakisioannis — Fri, 21 Feb 2020 05:08:48 GMT

Hello all,

I ran a full scan in AMP for a client and it returned the below message:

Scanned 244494 files, 109 processes, 37615 paths. Found 2 malicious items.

When i expand the event, i cannot see these malicious items.

After the "Scan Started" event it has quarantined 2 malwares. Are, these 2 events, the malicious items that mention in the summary?

Thank you

Re: Remove detected items in AMP

Wojciech Cecot — Wed, 24 Apr 2019 11:37:53 GMT

Hello Sir,

Yes, most probably those will be the files from the full scan. Let me share example from the lab:

There is also another way, you can look for specific file in Device Trajectory (from the Events section), for example:

It will show up details with information: "Detected (...) during a full scan.":

Hope that helps,

Wojciech

Re: Remove detected items in AMP

anousakisioannis — Wed, 24 Apr 2019 12:03:02 GMT

Hello Wojciech,

I have the exact same output. Thank you for your response!

I would like to ask you something more.

I have noticed that AMP raises events the exact same time, for the same file(malware,trojan,etc...) with 2 different statuses (Quarantine:Failed , Quarantine:Successful) for the same user.

Below an example

How should i treat such events? Have it quarantined it or not ?

NOTE: I have also noticed that AMP may raise many Quarantine:Failed events for a file and one(or none) Quarantine:Successful

Thank you,

Giannis

Re: Remove detected items in AMP

anousakisioannis — Wed, 24 Apr 2019 12:04:41 GMT

Hello Wojciech,

I have the exact same output. Thank you for your response!

I would like to ask you something more.

I have noticed that AMP raises events the exact same time, for the same file(malware,trojan,etc...) with 2 different statuses (Quarantine:Failed , Quarantine:Successful) for the same user.

Below an example

How should i treat such events? Have it quarantined it or not ?

NOTE: I have also noticed that AMP may raise many Quarantine:Failed events for a file and one(or none) Quarantine:Successful

Thank you,

Giannis

Re: Remove detected items in AMP

Wojciech Cecot — Wed, 24 Apr 2019 12:23:04 GMT

Hello Giannis,

You are welcome. Regarding your another query, that is quite common. The reason AMP could not quarantine may be:
- it could be that another process (may be another AV) had already moved the file from that location,
- it could be permission issue that another process or AV had stopped AMP from getting handle on that file,
- sometimes there is follow up quarantine successful event (your case) after quarantine failed, that means that some other process had handle on that file before.

The quarantine fail event just happened to come above the successful (most probably because of sorting while that is the same timestamp). However, the successful quarantine would indicate that the file was quarantined properly.

--Wojciech

Re: Remove detected items in AMP

anousakisioannis — Fri, 17 May 2019 09:59:50 GMT

Hello Wojciech,

Sorry for reopening this case but i have a question that matches in this conversation.

I tried to manually delete the quarantines files from C:\Program Files\Cisco\AMP\Quarantine but i couldn't due to permissions access and i was logged in as admin.

Do you know why is this happening?

Is there any way to manually delete the quarantined files or from the management console?

Regards,

Giannis

Re: Remove detected items in AMP

Matthew Franks — Fri, 17 May 2019 11:40:40 GMT

Giannis,

You'll need to stop the service before you can delete the files.

Thanks,

Matt

Re: Remove detected items in AMP

VineeshKV89423 — Tue, 23 Jun 2020 06:47:55 GMT

@Wojcieh Cecot : So how can we find out which quarantine failed is really failed??? Since it may include the entries which are already quarantined.