AMP for Endpoint auto scan

I have been working on AMP for Networks and Endpoints. At the start I faced a lot of issues with servers, which I gradually resolved by adding exclusions, but for the last few days I don't know how or why the AMP connector starts scanning the endpoint and affects the performance of the machine.
Can anyone help me with this, please?

Looking forward.

11 REPLIES
Dv (Cisco Employee)

What kind of scan it is?

What kind of scan is it? Is it the automatic scan you've configured in the policy? If yes, is it a full, flash, or custom scan? When you say it affects performance, do you mean CPU or disk activity goes high, or does it crash the system?

Verify the scheduled scan by editing the policy: File > Scheduled Scans.

A full scan will scan the running processes, the registry entries, and all the files on disk. This scan is very resource-intensive and should not be performed on a regular basis, so avoid running a full scan every time.

There is another scan set by policy; verify whether you have this configured:

https://console.amp.cisco.com/help/en/wwhelp/wwhimpl/js/html/wwhelp.htm 

If you open a TAC case with the diagnostic file attached, that would be great.

well the memory gives spikes.

Well, the memory spikes. Can I check which files and paths are currently being checked by AMP, I mean those files and folders that are not part of the exclusions?
Are these all running services? If yes, do we have to exclude all these running services? If yes, then it is weird.

Cisco Employee

Hello Zaheer,

If you are seeing the memory spikes, then we need the diagnostics file. If it is version 5.1, then you won't be able to get the file counts and paths that are continuously scanned by AMP using the sqlite queries. If the version is below 5.1, then you can use the following article to run the SQL query and get the list of files that are scanned.

http://www.cisco.com/c/en/us/support/docs/security/advanced-malware-protection-endpoints/118802-technote-fireamp-00.html

If you are using a version above 5 or 5.1, then please open a TAC case and get the diagnostics in DEBUG mode so that the team can help you with the fine tuning.

Rate if this answer helps.

Regards

Jetsy 

Hi Jetsy,

Won't putting it in debug mode affect the system further?

Cisco Employee

Hello Zaheer,

Just enable DEBUG, let it run for 15-20 minutes, and generate the diagnostics file.

Enabling DEBUG won't affect the system.

Regards

Jetsy 

This debug must go to Cisco

Must this debug go to Cisco, or is the debug something like the debugs on routers/switches and firewalls, which we can also look at ourselves? Or is there a special tool Cisco uses for this?

Cisco Employee

Hello Zaheer,

Refer to the following link to obtain the diag file.

http://www.cisco.com/c/en/us/support/docs/security/sourcefire-fireamp-endpoints/118228-technote-fireamp-00.html

Let me know if you have any questions.

You can also open a case with TAC and attach this diag file.

Regards

Jetsy 

Thanks to all, I have fixed

Thanks to all, I have fixed the issue by checking the running services on the endpoints and excluding the necessary ones. The issue was due to a Microsoft patch.

Cisco Employee

Hello Zaheer,

It's always important to identify your environment and exclude the necessary processes based on the requirements.

This will improve performance considerably.

Here is the exclusion guide for your quick reference.

http://www.cisco.com/c/en/us/support/docs/security/sourcefire-fireamp-endpoints/118341-configure-fireamp-00.html

Glad that you could resolve the issue.

Regards

Jetsy 
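What Zaheer did (check the running services on the endpoint and exclude only the necessary ones) and what Jetsy recommends (identify your environment before writing exclusions) both start from the same inventory: which binaries are actually running and which of them are busy. The PowerShell below is an added example, not code from this thread or from Cisco's exclusion guide. It assumes a Windows endpoint, an elevated session (otherwise Get-Process cannot read the path of system processes), and the file name exclusion-candidates.txt is only a scratch file for review.

```powershell
# Added example (not from the thread or the Cisco exclusion guide): inventory the
# running services and the busiest processes so that process exclusions for the AMP
# connector are chosen deliberately instead of excluding every running service.
# Run as Administrator on the affected endpoint. Every process exclusion is a blind
# spot for the connector, so the goal is the smallest set that removes the contention.

# 1. Running services and the executable behind each one (quotes and arguments stripped).
$services = Get-CimInstance Win32_Service -Filter "State='Running'" |
    ForEach-Object {
        $exe = $_.PathName
        if ($exe -match '^"([^"]+)"')      { $exe = $Matches[1] }   # "C:\Program Files\x\svc.exe" -arg
        elseif ($exe -match '^(\S+\.exe)') { $exe = $Matches[1] }   # C:\Windows\system32\svc.exe -arg
        [pscustomobject]@{ Service = $_.Name; ProcessId = $_.ProcessId; Path = $exe }
    }

# 2. The processes currently holding the most memory or CPU. Those that overlap with
#    the service list are the usual exclusion candidates on a server.
$busy = Get-Process |
    Where-Object { $_.Path } |                       # skips Idle/System and inaccessible processes
    Sort-Object -Property WorkingSet64 -Descending |
    Select-Object -First 15 Id, ProcessName, Path,
        @{ n = 'WorkingSetMB'; e = { [math]::Round($_.WorkingSet64 / 1MB) } },
        @{ n = 'CPUSeconds';   e = { if ($_.CPU) { [math]::Round($_.CPU) } else { 0 } } }

$candidates = $busy | Where-Object { $services.ProcessId -contains $_.Id }

"Running services:"
$services   | Sort-Object Path | Format-Table -AutoSize
"Busy processes that are services (exclusion candidates):"
$candidates | Format-Table -AutoSize

# 3. Executable paths in the form a policy's process exclusion list takes, one per
#    line and deduplicated. Review each entry before adding it to the policy.
$candidates.Path | Sort-Object -Unique | Set-Content -Path .\exclusion-candidates.txt
```

Compare the candidate list against what changed on the endpoint (here, a Microsoft patch) before adding anything: the entries that appeared or became busy after the change are the ones worth excluding, and a path that is writable by ordinary users should not be excluded at all, since anything dropped there would then run unscanned.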

Beginner

Re: What kind of scan it is?

Hi All,

Is it possible to stop a scheduled scan from the console? We have an automated scan scheduled and we are having issues on the servers. Is there any option to kill it from the console?

Beginner

Re: What kind of scan it is?

Can you please explain to me how AMP works? I have 36 "requires attention" items in my inbox status.

How can I get rid of these 36 items?
