08-19-2019 09:17 AM - edited 02-20-2020 09:10 PM
I understand the default setting for AMP4E for servers is without DFC and in audit mode and SP and exploit prevention turned on.
How does that provide protection against buffer overflows etc. targeted at the server? A lot of times servers are exposed over the internet through firewalls, and doesn't this open them to attacks?
Thoughts?
Are there cases where it can be turned on? And can we put it in protect mode?
08-20-2019 07:01 AM
Hello @tomalexis,
I already heard about server installations and deactivating AMP4E components.
Have heard nothing about the need to disable exPrev Engine on Servers in the last year.
Hope this helps,
Greetings, Thorsten
08-23-2019 10:38 PM
thx Thorsten.
So my question is the following:
1) If I am starting with an alpha/beta deployment of server AMP, I will start in audit mode. Do I then install DFC/Tetra and see performance? AFAIK you have to manually uninstall AMP and then install it again without DFC/Tetra to avoid it if you detect a problem like high CPU??
2) Exploit prevention etc. is disabled by default, and even for servers it's always set to audit mode, not protect? Can we turn on EP and also protect mode? The main concern from the customer is that EP is not enabled and doesn't make AMP very effective against buffer overflow and other attacks? Thoughts?
3) Are you seeing customers deploy EP, Tetra, DFC, protect mode with servers?
4) Do other products follow the same principles as AMP4E when it comes to servers?
09-01-2019 10:48 PM
Hello @tomalexis,
sorry for the delay, was on a business trip until this weekend.
1) If I am starting with an alpha/beta deployment of server AMP, I will start in audit mode. Do I then install DFC/Tetra and see performance? AFAIK you have to manually uninstall AMP and then install it again without DFC/Tetra to avoid it if you detect a problem like high CPU??
Answer: If you use the command /skiptetra the driver will not be installed. Therefore, if you want to activate Tetra at a later time, you have to reinstall the product. High CPU: most of the time high CPU comes from applications which are generating a high disk load. If you see high CPU even if you disable Tetra you may have a driver conflict, which is extremely rare.
Finally, installed components which are disabled using the policy normally do NOT generate any trouble with performance or functionality.
2) Exploit prevention etc. is disabled by default, and even for servers it's always set to audit mode, not protect? Can we turn on EP and also protect mode? The main concern from the customer is that EP is not enabled and doesn't make AMP very effective against buffer overflow and other attacks? Thoughts?
Answer: Tested with customers/partners where all features are active without trouble. Audit mode, from my perspective, makes sense only during initial testing. Starting in Audit mode to see any problems and activating the features step-by-step makes sense.
3) Are you seeing customers deploy EP, Tetra, DFC, protect mode with servers?
Answer: YES, have seen customers using all protection features from AMP4E on servers.
4) Do other products follow the same principles as AMP4E when it comes to servers?
Answer: Which other products do you mean? In other words, servers act differently than endpoints, have other software installed and so on... but finally, most of the time, just another configuration is needed.
Greetings,
Thorsten
09-01-2019 11:23 PM
thx a lot Thorsten. I presume you are at the yearly sales conference? :) How was it? :)
I have been looking online on the portal and there is no protect mode for any server policies, and the default it says for servers is audit. I asked someone else, and they suggested leaving it on audit. So the doc is not clear.
Look at the deployment strategy guide:
"WARNING! When installing the AMP for Endpoints Connector on a server without TETRA you must also use the /skiptetra command line switch along with this policy setting" and the same for DFC. So I am very confused.
from portal
So, you are completely sure that we can slowly move to protect and enable SPP, DFC, MAP, SPP after testing in beta?
If you were to do a new deployment, is the end goal to enable all those features just like endpoints?
09-02-2019 01:15 AM
Hello @tomalexis,
yes, was a great experience. :-)
The warning says, if you want to remove Tetra and DFC completely, you have to use the installation switches. So the driver installation is skipped. I know there might be trouble with DFC on servers with high network activity, so it makes sense to remove the driver as well.
Finally, the goal is to activate as many features as possible.
Greetings,
Thorsten
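Putting Thorsten's two answers together (the /skiptetra switch, and the point that a driver skipped at install time can only be enabled by reinstalling), here is an added PowerShell example that is not from the thread and not Cisco's own tooling. It wraps a silent connector install so that the switches used are recorded on the host, which is the piece a practitioner tends to lose track of months later. The thread only names /skiptetra; the `1` argument, the `/S` silent switch and `/skipdfc` are my recollection of the Windows connector installer switches and are assumptions to verify against the current deployment guide, and the installer path is a constructed placeholder. The Audit/Protect choice itself lives in the console policy, not on the command line, so the script does not touch it.

```powershell
# Added example (not from the thread or from Cisco): wraps a silent connector
# install so the chosen driver switches are recorded for later. The thread
# names only /skiptetra; the "1" argument, /S (silent) and /skipdfc are
# assumptions from memory of the installer docs and must be checked.
function Install-AmpConnector {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$InstallerPath,   # connector .exe downloaded for the server policy
        [switch]$SkipTetra,   # do not install the TETRA driver (offline AV engine)
        [switch]$SkipDfc,     # do not install the DFC network driver (assumed switch)
        [string]$ManifestPath = "$env:ProgramData\amp-install-manifest.json"
    )

    $switches = @('/S')   # silent install (assumed switch)
    if ($SkipTetra) { $switches += '/skiptetra', '1' }
    if ($SkipDfc)   { $switches += '/skipdfc', '1' }

    # Record what was skipped: per the thread, a driver skipped at install time
    # cannot be enabled by policy alone; the product has to be reinstalled.
    $manifest = [ordered]@{
        installer      = $InstallerPath
        installedAt    = (Get-Date).ToString('o')
        tetraInstalled = -not $SkipTetra
        dfcInstalled   = -not $SkipDfc
        note           = 'A driver listed as false needs a reinstall without the skip switch before the policy can enable it.'
    }

    if ($PSCmdlet.ShouldProcess($InstallerPath, "Run installer with: $($switches -join ' ')")) {
        $proc = Start-Process -FilePath $InstallerPath -ArgumentList $switches -Wait -PassThru
        $manifest['exitCode'] = $proc.ExitCode
        $manifest | ConvertTo-Json | Set-Content -Path $ManifestPath -Encoding UTF8
        return $proc.ExitCode
    }
}

# Audit-first rollout as described in the thread: install without the drivers
# while the console policy is on Audit, watch CPU and network behaviour, then
# reinstall without the skip switches once the server is ready for them.
# Constructed path; -WhatIf only prints the command line it would run.
Install-AmpConnector -InstallerPath 'C:\Temp\amp_Server_Audit.exe' -SkipTetra -SkipDfc -WhatIf
```

Keeping the manifest next to the install means that when the policy is later moved from Audit to Protect with Tetra or DFC enabled, whoever does it can see at a glance whether the driver is actually present or whether a reinstall has to come first.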