AMP for Servers and protection without exploit prevention

tomalexis
Level 1

I understand the default setting for AMP4E for servers is without DFC and in audit mode, with SP and exploit prevention turned on.

How does that provide protection against buffer overflows etc. targeted at the server? A lot of times servers are exposed over the internet through firewalls, and doesn't this leave them open to attacks?

Thoughts?

Are there cases where it can be turned on? And can we put it in protect mode?

5 Replies

Troja007
Cisco Employee

Hello @tomalexis,
I have already heard about server installations and deactivating AMP4E components.

  • Disabling DFC: Yes, if there is a high network load on the server. You may also use DFC if the server has less network load.
  • Tetra: The engine may need more resources if there are many files which have to be scanned. With the proper settings, you may also use Tetra on the server.
  • Exploit Prevention: From my information, there was a problem with the engine in the past. It looks like there was never a disclaimer for this.

I have heard nothing about the need to disable the exPrev engine on servers in the last year.

Hope this helps,

Greetings, Thorsten

Thanks Thorsten.

So my question is the following:

1) If I am starting with an alpha/beta deployment of server AMP, I will start in audit mode. Do I then install DFC/Tetra and check performance? AFAIK you have to manually uninstall AMP and then install it again without DFC/Tetra if you detect a problem like high CPU??

2) Exploit prevention etc. is disabled by default, and even for servers it's always set to audit mode, not protect? Can we turn on EP and also protect mode? The main concern from the customer is that EP is not enabled, and that doesn't make AMP very effective against buffer overflow and other attacks? Thoughts?

3) Are you seeing customers deploy EP, Tetra, DFC, protect mode with servers?

4) Do other products follow the same principles as AMP4E when it comes to servers?

Hello @tomalexis,

Sorry for the delay, I was on a business trip until this weekend.

1) If I am starting with an alpha/beta deployment of server AMP, I will start in audit mode. Do I then install DFC/Tetra and check performance? AFAIK you have to manually uninstall AMP and then install it again without DFC/Tetra if you detect a problem like high CPU??

Answer: If you use the command /skiptetra, the driver will not be installed. Therefore, if you want to activate Tetra at a later time, you have to reinstall the product. High CPU: most of the time, high CPU comes from applications which are generating a high disk load. If you see high CPU even after you disable Tetra, you may have a driver conflict, which is extremely rare.
Finally, installed components which are disabled using the policy normally do NOT generate any trouble with performance or functionality.

2) Exploit prevention etc. is disabled by default, and even for servers it's always set to audit mode, not protect? Can we turn on EP and also protect mode? The main concern from the customer is that EP is not enabled, and that doesn't make AMP very effective against buffer overflow and other attacks? Thoughts?
Answer: Tested with customers/partners where all features are active without trouble. Audit mode, from my perspective, makes sense only during initial testing. Starting in audit mode to see any problems and activating the features step by step makes sense.

3) Are you seeing customers deploy EP, Tetra, DFC, protect mode with servers?

Answer: YES, I have seen customers using all protection features from AMP4E on servers.

4) Do other products follow the same principles as AMP4E when it comes to servers?
Answer: Which other products do you mean? In other words, servers act differently than endpoints, have other software installed and so on... but finally, most of the time, just another configuration is needed.

Greetings,
Thorsten


Thanks a lot Thorsten. I presume you are at the yearly sales conference? :) How was it? :)

I have been looking online on the portal and there is no protect mode for any server policies, and the default it says for servers is audit. I asked someone else, and they suggested leaving it on audit. So the doc is not clear.

Look at the deployment strategy guide:

"WARNING! When installing the AMP for Endpoints Connector on a server without TETRA you must also use the /skiptetra command line switch along with this policy setting" and the same for DFC. So I am very confused.

From the portal:

Recommended Settings
  Workstation
    Files: Quarantine
    Network: Block
    Malicious Activity Protection: Quarantine
    System Process Protection: Protect
  Server
    Files: Quarantine
    Network: Disabled
    Malicious Activity Protection: Disabled
    System Process Protection: Disabled

So, you are completely sure that we can slowly move to protect and enable SPP, DFC, MAP, SPP after testing in beta?

If you were to do a new deployment, is the end goal to enable all those features just like endpoints?

Hello @tomalexis,

Yes, it was a great experience. :-)

The warning says, if you want to remove Tetra and DFC completely, you have to use the installation switches so the driver installation is skipped. I know there might be trouble with DFC on servers with high network activity, so it makes sense to remove the driver as well.

Finally, the goal is to activate as many features as possible.

Greetings,
Thorsten
