topic Re: AMP - Microsoft Cluster aware in Endpoint Security

AMP - Microsoft Cluster aware

techytuesday — Fri, 21 Feb 2020 05:11:35 GMT

Is Cisco AMP for Endpoints cluster aware? Are there certain exclusions that need to be in place for Microsoft SQL Clustering?

Re: AMP - Microsoft Cluster aware

kurt.westenhoefer@denbury.com — Fri, 10 Jan 2020 13:13:19 GMT

Did you have any luck tracking this down?

Re: AMP - Microsoft Cluster aware

martinmecu — Mon, 26 Oct 2020 13:33:28 GMT

I guess still no response from Cisco? We have run into issues with 2 SQL Clusters so far.

Re: AMP - Microsoft Cluster aware

Davedog — Mon, 26 Oct 2020 15:42:40 GMT

its a new problem for us, I'm just starting out looking into it.

Re: AMP - Microsoft Cluster aware

techytuesday — Mon, 26 Oct 2020 16:59:26 GMT

Try disabling the Malicious Activity Protection under Modes and Engines within the policy. See if this resolves your issue.

Re: AMP - Microsoft Cluster aware

Troja007 — Thu, 29 Oct 2020 19:18:10 GMT

Hello all,
some hints from my side.

you may install the connector with the /skipdfc 1 command, to skip the network driver installation. For systems with very high network activity, it can be tricky to monitor the network traffic.
Have seen another discussion, where disabling MAP can helped. You may disable at least the "Monitor network drives" under Advanced Settings -> Engines -> Malicious Activity Protection.
I also suggest to exclude cluster related processes from scanning and the quorum disk.

Greetings,
Thorsten

Re: AMP - Microsoft Cluster aware

techytuesday — Thu, 29 Oct 2020 19:59:29 GMT

Hi Thorsten, I didnt realize the setting under Advanced Settings Engines for MAP for Monitor network drives was there. So are you saying you can just turn it off there and leave it enabled under Modes and Engines -> Conviction Modes -> Malicious Activity Protection still be protected from ransomware which is MAPs purpose? What is the difference between the two settings? Wouldnt one require the other?