https://community.cisco.com/t5/endpoint-security/does-cisco-amp-scan-for-rootkits/m-p/4518814#M6549 <P>My organization has Cisco Amp for endpoint protection. The question we have is whether Amp scans for rootkits? We are also seeing a very high number of executable files show up as potential threats. Does Amp flag all ".exe" files as threats? Excel spreadsheets and system files are also showing up as potential threats. Does Amp flag all .xlsx files and system files as potential threats as well?</P> Tue, 14 Dec 2021 17:25:03 GMT kristina.robinson 2021-12-14T17:25:03Z https://community.cisco.com/t5/endpoint-security/does-cisco-amp-scan-for-rootkits/m-p/4518814#M6549 <P>My organization has Cisco Amp for endpoint protection. The question we have is whether Amp scans for rootkits? We are also seeing a very high number of executable files show up as potential threats. Does Amp flag all ".exe" files as threats? Excel spreadsheets and system files are also showing up as potential threats. Does Amp flag all .xlsx files and system files as potential threats as well?</P> Tue, 14 Dec 2021 17:25:03 GMT https://community.cisco.com/t5/endpoint-security/does-cisco-amp-scan-for-rootkits/m-p/4518814#M6549 kristina.robinson 2021-12-14T17:25:03Z https://community.cisco.com/t5/endpoint-security/does-cisco-amp-scan-for-rootkits/m-p/4518849#M6550 <P>Hello&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1288893">@kristina.robinson</a>&nbsp;,<BR />so let me try to answer your questions step-by-step</P> <UL> <LI><STRONG>Rootkit Scan:</STRONG> Yes we do. There is an own OnDemand Scan available on the endpoint. Thought this has been already fixed in the console.</LI> <LI><STRONG>Potential Threats:</STRONG> What type of Events are shown exactly? And no, Secure Endpoint does not flag all .exe files as threats. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR />All Engines also include "guardrails" to prevent False/Positves.&nbsp;</LI> <LI><STRONG>File Scanning:</STRONG> The graphics below shows how Secure Endpoint protects against threats. For File Scanning the endpoint does several steps to detect malicious files. The Device Trajectory shows more information which engines processed a file and which engine triggered a detection. There are some aspects which have an impact on the detection. This can be the cache or configured exclusions.<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="TME-SecureEndpoint-Engines Behavioral v2.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/139484i453057C5AA4F0C67/image-size/large?v=v2&amp;px=999" role="button" title="TME-SecureEndpoint-Engines Behavioral v2.png" alt="TME-SecureEndpoint-Engines Behavioral v2.png" /></span></LI> </UL> <P>So finally, Secure Endpoint does not mark executable code or office documents as threats. Especially system files, as we use the guardrails to prevent the system from false/positives. I would suggest to open a TAC case so someone takes a deeper look into your environment. Based on your description I cannot provide any reliable statement what is going on on your endpoint.</P> <P>Greetings,<BR />Thorsten&nbsp;</P> Tue, 14 Dec 2021 18:15:31 GMT https://community.cisco.com/t5/endpoint-security/does-cisco-amp-scan-for-rootkits/m-p/4518849#M6550 Troja007 2021-12-14T18:15:31Z https://community.cisco.com/t5/endpoint-security/does-cisco-amp-scan-for-rootkits/m-p/4518900#M6552 <P>Hi!</P><P>So are you saying that when I run full scans in Amp, it is automatically checking for rootkits as well or is there a separate scan to run for rootkits?</P> Tue, 14 Dec 2021 19:18:16 GMT https://community.cisco.com/t5/endpoint-security/does-cisco-amp-scan-for-rootkits/m-p/4518900#M6552 kristina.robinson 2021-12-14T19:18:16Z https://community.cisco.com/t5/endpoint-security/does-cisco-amp-scan-for-rootkits/m-p/4519164#M6553 <P>Hello&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1288893">@kristina.robinson</a>&nbsp;,<BR />looks like there is an issue in the Console UI. So you can start a Rootkit scan on the endpoint, but not remotely from the console. You may check with TAC to get this solved.<BR />Greetings,<BR />Thorsten</P> Wed, 15 Dec 2021 08:18:22 GMT https://community.cisco.com/t5/endpoint-security/does-cisco-amp-scan-for-rootkits/m-p/4519164#M6553 Troja007 2021-12-15T08:18:22Z