<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Cisco AMP for Endpoints versus Cisco Malware Analytics in Endpoint Security</title>
    <link>https://community.cisco.com/t5/endpoint-security/cisco-amp-for-endpoints-versus-cisco-malware-analytics/m-p/5310491#M8914</link>
    <description>&lt;P&gt;Hello &lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1297969"&gt;@Mitrixsen&lt;/a&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Cisco Secure Endpoint is an endpoint protection solution that monitors files and activity on devices in real time, using &lt;EM&gt;cloud-based&lt;/EM&gt; threat intelligence from Talos to detect/block threats. When it encounters a suspicious file it can't fully assess, it forwards it to Cisco Secure Malware Analytics (formerly Threat Grid), which is a separate sandboxing platform that performs deep analysis in a controlled environment.&lt;/P&gt;
&lt;P&gt;--&lt;/P&gt;
&lt;P&gt;&lt;A href="https://www.cisco.com/c/en/us/products/collateral/security/fireamp-endpoints/datasheet-c78-733181.html" target="_blank"&gt;https://www.cisco.com/c/en/us/products/collateral/security/fireamp-endpoints/datasheet-c78-733181.html&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://www.cisco.com/site/us/en/products/security/security-analytics/malware-analytics/index.html" target="_blank"&gt;https://www.cisco.com/site/us/en/products/security/security-analytics/malware-analytics/index.html&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Thu, 17 Jul 2025 08:48:49 GMT</pubDate>
    <dc:creator>M02@rt37</dc:creator>
    <dc:date>2025-07-17T08:48:49Z</dc:date>
    <item>
      <title>Cisco AMP for Endpoints versus Cisco Malware Analytics</title>
      <link>https://community.cisco.com/t5/endpoint-security/cisco-amp-for-endpoints-versus-cisco-malware-analytics/m-p/5310482#M8913</link>
      <description>&lt;P&gt;Hello, everyone.&lt;/P&gt;
&lt;P&gt;I am studying security for my ENCOR exam and I have a question regarding the Cisco AMP4E (or Secure Endpoint) and Cisco Malware Analytics (or Threat Grid) appliances. My book defines Malware Analytics as follows:&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;"Cisco Secure Malware Analytics, formerly Threat Grid, is a solution that can perform&lt;/EM&gt;&lt;BR /&gt;&lt;EM&gt;static file analysis (for example, checking filenames, MD5 checksums, file types, and so on)&lt;/EM&gt;&lt;BR /&gt;&lt;EM&gt;as well as dynamic file analysis (also known as behavioral analysis) by running the files in a&lt;/EM&gt;&lt;BR /&gt;&lt;EM&gt;controlled and monitored sandbox environment to observe and analyze the behavior against&lt;/EM&gt;&lt;BR /&gt;&lt;EM&gt;millions of samples and billions of malware artifacts to determine whether it is malware or&lt;/EM&gt;&lt;BR /&gt;&lt;EM&gt;not. Behavioral analysis is combined with threat intelligence feeds from Talos as well as with&lt;/EM&gt;&lt;BR /&gt;&lt;EM&gt;existing security technologies to protect against known and unknown attacks.&lt;/EM&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;
&lt;P&gt;I am wondering, how is Malware Analytics different from AMP? From what I understand about AMP, it's a service that runs in the cloud (or in network devices) that collects information from endpoints that also run the AMP software. For example, if a file is downloaded, it's sent to the AMP cloud where it's checked for its reputation, malware, and so on. If it's not sure, it can also run the file in a sandbox to determine its behaviour. In the case of AMP for endpoints, the goal is to keep the endpoint safe from any malicious files.&lt;/P&gt;
&lt;P&gt;Maybe I am just confusing these two, so could someone please provide me with some clear distinction, or possibly explain what I got wrong about these two?&lt;/P&gt;
&lt;P&gt;Thank you.&lt;BR /&gt;David&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 17 Jul 2025 08:13:54 GMT</pubDate>
      <guid>https://community.cisco.com/t5/endpoint-security/cisco-amp-for-endpoints-versus-cisco-malware-analytics/m-p/5310482#M8913</guid>
      <dc:creator>Mitrixsen</dc:creator>
      <dc:date>2025-07-17T08:13:54Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco AMP for Endpoints versus Cisco Malware Analytics</title>
      <link>https://community.cisco.com/t5/endpoint-security/cisco-amp-for-endpoints-versus-cisco-malware-analytics/m-p/5310491#M8914</link>
      <description>&lt;P&gt;Hello &lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1297969"&gt;@Mitrixsen&lt;/a&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Cisco Secure Endpoint is an endpoint protection solution that monitors files and activity on devices in real time, using &lt;EM&gt;cloud-based&lt;/EM&gt; threat intelligence from Talos to detect/block threats. When it encounters a suspicious file it can't fully assess, it forwards it to Cisco Secure Malware Analytics (formerly Threat Grid), which is a separate sandboxing platform that performs deep analysis in a controlled environment.&lt;/P&gt;
&lt;P&gt;--&lt;/P&gt;
&lt;P&gt;&lt;A href="https://www.cisco.com/c/en/us/products/collateral/security/fireamp-endpoints/datasheet-c78-733181.html" target="_blank"&gt;https://www.cisco.com/c/en/us/products/collateral/security/fireamp-endpoints/datasheet-c78-733181.html&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://www.cisco.com/site/us/en/products/security/security-analytics/malware-analytics/index.html" target="_blank"&gt;https://www.cisco.com/site/us/en/products/security/security-analytics/malware-analytics/index.html&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 17 Jul 2025 08:48:49 GMT</pubDate>
      <guid>https://community.cisco.com/t5/endpoint-security/cisco-amp-for-endpoints-versus-cisco-malware-analytics/m-p/5310491#M8914</guid>
      <dc:creator>M02@rt37</dc:creator>
      <dc:date>2025-07-17T08:48:49Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco AMP for Endpoints versus Cisco Malware Analytics</title>
      <link>https://community.cisco.com/t5/endpoint-security/cisco-amp-for-endpoints-versus-cisco-malware-analytics/m-p/5310622#M8916</link>
      <description>&lt;P&gt;Another thing to remember is a tricky question when it comes to these two solutions. In integrations such as ESA and WSA these two will be referenced as:&lt;/P&gt;
&lt;P&gt;File Reputation Server ---&amp;gt; Secure Endpoint, either Cloud or Private Appliance (virtual or physical)&lt;/P&gt;
&lt;P&gt;File Analysis Server ---&amp;gt; Secure Malware Analytics, aka Threat Grid, aka sandbox to detonate malicious files, again either Cloud or Private (physical only)&lt;/P&gt;</description>
      <pubDate>Thu, 17 Jul 2025 13:01:30 GMT</pubDate>
      <guid>https://community.cisco.com/t5/endpoint-security/cisco-amp-for-endpoints-versus-cisco-malware-analytics/m-p/5310622#M8916</guid>
      <dc:creator>Roman Valenta</dc:creator>
      <dc:date>2025-07-17T13:01:30Z</dc:date>
    </item>
  </channel>
</rss>

