02-25-2019 03:26 PM - edited 02-20-2020 09:08 PM
Hello, I am evaluating AMP for Endpoints, first configuring the policy to Audit, and after that first scan I changed the computers to the Protect group (check the attached image). My question is, how do I apply the actions? There are detected files that I deleted and they are still being reported by AMP.
On Requires Attention I enabled it, but it's been more than 4 days with events In Progress and nothing happens. How can I apply actions for AMP to take?
Regards,
Juan Carlos Arias
02-25-2019 04:05 PM
Juan,
Those will not automatically be marked as Resolved. When there is an event in the Requires Attention section, you can click the Begin Work button which will move it into the In Progress section. Then, you can click Mark Resolved when you are finished. This is done manually by a user as a way to track tasks, not automatically by anything on AMP's side. I hope that clears things up for you!
Thanks,
Matt
02-26-2019 06:41 AM
Hello Matthew, thanks for your comments. I followed the steps you mentioned, but events remain in the In Progress tab until you select them and click Mark Resolved, is this correct?
But in the events for this computer, I can see some event actions like Policy Update, Scan Clean, Scan Started, and I can see one that says Executed Malware. What are the recommended actions for this event?
Regards,
Juan Carlos Arias
02-26-2019 08:03 AM
Juan,
You are correct that they will remain In Progress until you mark them as Resolved. As for the Malware Executed, there are a number of reasons you may see this, most common being that the policy was in Audit mode. If you would like someone to take a closer look, I recommend opening a TAC case.
Thanks,
Matt
02-26-2019 02:06 PM
Matthew, I'm evaluating the solution so I can't open a case with TAC yet, and my policy is set to Protect. What I can see is that you need other software to complement the solution, like an AV or FW, is this correct? I'm saying this based on the actions that can be taken after detecting malware or a virus or something else. Just trying to understand, thanks.
02-26-2019 02:09 PM
Juan,
If you are in a POV, you can ask your Account Manager to open a case on your behalf with the appropriate logs from the system. With Malware Executed events, what typically takes place is a malicious process attempted to execute and AMP quarantined it. Look for a Quarantine event at the same time for the same file.
Thanks,
Matt
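The check described in the reply above (look for a Quarantine event at the same time for the same file), written out as an added example that is not part of the original thread or Cisco's own code. The event records are constructed, and the field names (`time`, `host`, `type`, `sha256`) and the 60-second window are assumptions for illustration, not the AMP console's export format.

```python
from datetime import datetime, timedelta

# Constructed sample events; hashes are placeholders, field names are assumed.
EVENTS = [
    {"time": "2019-02-26T08:01:10", "host": "PC-01", "type": "Scan Started", "sha256": None},
    {"time": "2019-02-26T08:03:42", "host": "PC-01", "type": "Malware Executed", "sha256": "constructed-hash-A"},
    {"time": "2019-02-26T08:03:43", "host": "PC-01", "type": "Quarantine", "sha256": "constructed-hash-A"},
    {"time": "2019-02-26T09:15:00", "host": "PC-02", "type": "Malware Executed", "sha256": "constructed-hash-B"},
    {"time": "2019-02-26T13:15:00", "host": "PC-02", "type": "Quarantine", "sha256": "constructed-hash-B"},
    {"time": "2019-02-26T10:00:00", "host": "PC-03", "type": "Malware Executed", "sha256": "constructed-hash-A"},
    {"time": "2019-02-26T10:05:00", "host": "PC-03", "type": "Scan Clean", "sha256": None},
]


def unquarantined_executions(events, window_seconds=60):
    """Return Malware Executed events that have no Quarantine event for the
    same host and the same file within window_seconds of the execution."""
    window = timedelta(seconds=window_seconds)

    # Index quarantine times by (host, file hash) so matching is per endpoint.
    quarantines = {}
    for ev in events:
        if ev["type"] == "Quarantine":
            key = (ev["host"], ev["sha256"])
            quarantines.setdefault(key, []).append(datetime.fromisoformat(ev["time"]))

    unmatched = []
    for ev in events:
        if ev["type"] != "Malware Executed":
            continue
        when = datetime.fromisoformat(ev["time"])
        times = quarantines.get((ev["host"], ev["sha256"]), [])
        # A quarantine on another host, or hours later, does not count.
        if not any(abs(q - when) <= window for q in times):
            unmatched.append(ev)
    return unmatched


if __name__ == "__main__":
    for ev in unquarantined_executions(EVENTS):
        print(f'{ev["time"]} {ev["host"]} {ev["sha256"]}: no matching Quarantine event')
```

Executions left in the result are the ones to review first, for example by checking whether that computer's policy was still in Audit mode at the time.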
02-26-2019 02:15 PM