https://community.cisco.com/t5/endpoint-security/amp-for-endpoints-sql-csv-cluster-store-volumes-issues/m-p/4173823#M5751 <P>I believe we were able to resolve this by creating a new policy for just those servers and disabling the Malicious Acitivity Protection option.</P> Mon, 26 Oct 2020 17:00:53 GMT techytuesday 2020-10-26T17:00:53Z https://community.cisco.com/t5/endpoint-security/amp-for-endpoints-sql-csv-cluster-store-volumes-issues/m-p/4173781#M5747 <P>We are having issues with AMP for Endpoints installed on Windows Server 2012 R2&nbsp; servers with SQL clustering.</P><P>it appears the cluster volume store is not accessible by the cluster if AMP is installed.&nbsp; We have not implemented any exclusions other than the CISCO maintained exclusions at this point.&nbsp; &nbsp;Does anyone have any recommendations for solving this issue?</P> Mon, 26 Oct 2020 15:53:59 GMT https://community.cisco.com/t5/endpoint-security/amp-for-endpoints-sql-csv-cluster-store-volumes-issues/m-p/4173781#M5747 Davedog 2020-10-26T15:53:59Z https://community.cisco.com/t5/endpoint-security/amp-for-endpoints-sql-csv-cluster-store-volumes-issues/m-p/4173823#M5751 <P>I believe we were able to resolve this by creating a new policy for just those servers and disabling the Malicious Acitivity Protection option.</P> Mon, 26 Oct 2020 17:00:53 GMT https://community.cisco.com/t5/endpoint-security/amp-for-endpoints-sql-csv-cluster-store-volumes-issues/m-p/4173823#M5751 techytuesday 2020-10-26T17:00:53Z https://community.cisco.com/t5/endpoint-security/amp-for-endpoints-sql-csv-cluster-store-volumes-issues/m-p/4175878#M5762 <P>Thank you. We checked with Cisco and indeed disabling MAP (not placing in audit, but disabling) worked and in fact MAP is not recommended by Cisco for server deployments.</P> Thu, 29 Oct 2020 15:05:11 GMT https://community.cisco.com/t5/endpoint-security/amp-for-endpoints-sql-csv-cluster-store-volumes-issues/m-p/4175878#M5762 Davedog 2020-10-29T15:05:11Z https://community.cisco.com/t5/endpoint-security/amp-for-endpoints-sql-csv-cluster-store-volumes-issues/m-p/4176059#M5769 <P>Hello&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/883368">@Davedog</a>,<BR />glad to here you solved your problem. BTW, for servers with high network activity you may install the endpoint with the /skipdfc 1 option. This skips the installation of the network drivers.</P> <P>In addition, to figure out what is going on with the endpoint, you can use the following tools.</P> <UL> <LI><A href="https://github.com/CiscoSecurity/amp-05-windows-tune" target="_blank">https://github.com/CiscoSecurity/amp-05-windows-tune</A></LI> <LI><A href="https://github.com/CiscoSecurity/amp-05-health-checker-windows" target="_blank">https://github.com/CiscoSecurity/amp-05-health-checker-windows</A></LI> </UL> <P>Greetings,<BR />Thorsten</P> Thu, 29 Oct 2020 19:07:52 GMT https://community.cisco.com/t5/endpoint-security/amp-for-endpoints-sql-csv-cluster-store-volumes-issues/m-p/4176059#M5769 Troja007 2020-10-29T19:07:52Z https://community.cisco.com/t5/endpoint-security/amp-for-endpoints-sql-csv-cluster-store-volumes-issues/m-p/4176090#M5773 <P>This isn't really a solution though. It works but disabling MAP leaves you vulnerable to ransonware.&nbsp; Its the only thing that has worked from what I have seen.&nbsp; We install the client on servers with the /skipdfc 1 switch and Device Network Flow correlation is not enabled on the policy.&nbsp; Thorsten, since you are a Cisco employee do you know or have seen in the knowledge base any other way to make this work without disabling MAP.&nbsp; Its more of a workaround not really a solution.</P> Thu, 29 Oct 2020 19:48:00 GMT https://community.cisco.com/t5/endpoint-security/amp-for-endpoints-sql-csv-cluster-store-volumes-issues/m-p/4176090#M5773 techytuesday 2020-10-29T19:48:00Z https://community.cisco.com/t5/endpoint-security/amp-for-endpoints-sql-csv-cluster-store-volumes-issues/m-p/4176264#M5776 <P>Hello&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/879022">@techytuesday</a>,<BR />true, disabling an engine or having multiple exclusions raises the attack surface. Regarding Ransomware, what i´m always thinking about is, how it should get active on a system, which, i assume, is not fully connected to the the internet, where most time no user is logged on, no mails and no other user activity. Finally, what is the real risk that Ransomware gets active on my server?</P> <P>As outlined in the policy object, Development recommends to disable MAP engine on servers.<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Bildschirmfoto 2020-10-30 um 08.14.21.png" style="width: 198px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/87397i67811D22F031B1DB/image-dimensions/198x133?v=v2" width="198" height="133" role="button" title="Bildschirmfoto 2020-10-30 um 08.14.21.png" alt="Bildschirmfoto 2020-10-30 um 08.14.21.png" /></span></P> <P><BR />You may enable the new <STRONG>Behavioral Protection Engine</STRONG> to close this gap.<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Behavioral Protection Engine - schematically view" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/87398iC2F86C9EEAB558E0/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot APDE Engine schematic representation-V3 (1).png" alt="Behavioral Protection Engine - schematically view" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Behavioral Protection Engine - schematically view</span></span></P> <P>Greetings,<BR />Thorsten</P> <P>&nbsp;</P> Fri, 30 Oct 2020 07:19:06 GMT https://community.cisco.com/t5/endpoint-security/amp-for-endpoints-sql-csv-cluster-store-volumes-issues/m-p/4176264#M5776 Troja007 2020-10-30T07:19:06Z