AMP4EP Endpoint IOC Scan question.

eblandon
Cisco Employee

Hi all;

I have a question in regard to the SCAN options, particularly when scanning a computer. If I want to scan a particular computer, I will go and select Scan as indicated in the attached screenshot.

The question here is: if the computer where I push the scan task is offline, will the scan task be performed once the computer comes back online, and will the task get started when the next heartbeat interval is performed by the endpoint connector?

In addition, I would like to know what the main difference is between Scan depth and Scan engine on the attached screenshot.

Thank you.

Enrique.

1 Reply

brmcmaho
Cisco Employee

Consider the steps involved in scheduling a scan. First, you set the schedule in the AMP console. Next, the endpoint needs to pick up the new configuration. This happens at the heartbeat interval. If the endpoint is offline, the updated policy will be synced the next time the endpoint checks in with the cloud.

Now that you have the policy applied on the endpoint, the actual execution of the scheduled scan happens on the endpoint, and does not depend on cloud connectivity at that time. Obviously, you can't upload the results of the scan while offline.

Note that older versions of the Windows connector (prior to 4.4.0) use Windows Task Scheduler to control the scheduled scans, and therefore require Windows admin credentials. Newer versions of the connector drive the scheduled scans from the connector itself, and no longer require admin credentials.

"Scan Depth" is documented in the online help under the topic of file policy for the Windows connector, except that it's called Scan Type in the docs. The relevant section says:

    Scan Type allows you to set the type of scan. A Flash scan will scan the processes running and the files and registry entries used by those processes. A Full scan will scan the processes running, the registry entries, and all the files on disk. This scan is very resource-intensive and should not be performed on a regular basis. If TETRA is enabled it will perform a Rootkit scan as well.

All of the above relates to "regular" scans, which basically crawl through the system and do AMP lookups on demand or on a schedule. Note that such scans are generally not needed, because AMP has already been doing exactly the same thing based on file I/O activity. The feature exists mainly to accommodate excessively prescriptive compliance regulations (e.g., "you must perform monthly scans of the system" ... whether it makes sense or not). This is what you get when you select the "File" scan engine.

The "Endpoint IOC" scan engine is entirely different, and gets a whole chapter of its own in the AMP docs. Rather than reproduce all of that information here, I will just summarize the purpose of the Endpoint IOC scan engine. It is intended more for on-demand scans looking for highly specific things. For example, someone might be searching for a particular file, string, registry key, log entry, etc. on endpoints in response to a specific third-party threat advisory, or as part of an active incident investigation.

Endpoint IOC scans use the OpenIOC format. Just about anything that can be put into OpenIOC can be the target of a scheduled Endpoint IOC scan. Note that an Endpoint IOC scan using the Full search type will be especially resource intensive on the endpoints, so this should be used with caution.
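
Added illustration, not part of the thread and not Cisco's or the AMP connector's code: a minimal OpenIOC 1.0 document of the kind the reply describes (a file hash OR a file-path-plus-Run-key pair), together with a small Python evaluator that walks the nested Indicator / IndicatorItem tree and applies the AND/OR operators against a host inventory. The IOC id, hash, paths and inventory records are all constructed sample values; only the `is` and `contains` conditions are implemented, and the evaluator is a teaching model of how an OpenIOC definition is matched, not the engine the connector actually runs.

```python
"""Evaluate a minimal OpenIOC 1.0 indicator against a constructed host inventory."""
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed sample IOC: the layout follows the OpenIOC 1.0 schema, the values are made up.
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-0001" last-modified="2020-01-01T00:00:00">
  <short_description>Constructed example indicator</short_description>
  <definition>
    <Indicator operator="OR" id="ind-1">
      <IndicatorItem id="ii-1" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">00000000000000000000000000000000</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="ind-2">
        <IndicatorItem id="ii-2" condition="contains">
          <Context document="FileItem" search="FileItem/FullPath" type="mir"/>
          <Content type="string">\\AppData\\Roaming\\</Content>
        </IndicatorItem>
        <IndicatorItem id="ii-3" condition="contains">
          <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/>
          <Content type="string">\\CurrentVersion\\Run\\</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""

# Constructed host inventory, keyed by OpenIOC document type; each record maps a
# search term (the Context/@search value) to what the host actually has.
HOST_INVENTORY = {
    "FileItem": [
        {"FileItem/FileName": "notepad.exe",
         "FileItem/FullPath": "C:\\Windows\\notepad.exe",
         "FileItem/Md5sum": "11111111111111111111111111111111"},
        {"FileItem/FileName": "update.exe",
         "FileItem/FullPath": "C:\\Users\\alice\\AppData\\Roaming\\update.exe",
         "FileItem/Md5sum": "22222222222222222222222222222222"},
    ],
    "RegistryItem": [
        {"RegistryItem/Path": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\update",
         "RegistryItem/Value": "C:\\Users\\alice\\AppData\\Roaming\\update.exe"},
    ],
}


def _item_matches(item, inventory):
    """True if any inventory record of the item's document type satisfies the condition."""
    ctx = item.find("ioc:Context", NS)
    content = item.find("ioc:Content", NS)
    cond = item.get("condition", "is").lower()
    if cond not in ("is", "contains"):
        # Refuse rather than silently return False: an unsupported condition
        # would otherwise produce a false negative.
        raise ValueError(f"unsupported condition {cond!r} on item {item.get('id')}")
    needle = (content.text or "").lower()
    for record in inventory.get(ctx.get("document"), []):
        hay = record.get(ctx.get("search"))
        if hay is None:
            continue
        hay = hay.lower()
        if (cond == "is" and hay == needle) or (cond == "contains" and needle in hay):
            return True
    return False


def _indicator_matches(indicator, inventory, hits):
    """Combine child results with the indicator's AND/OR operator; record matching item ids."""
    op = indicator.get("operator", "AND").upper()
    results = []
    for child in indicator:
        tag = child.tag.split("}")[-1]  # strip the namespace
        if tag == "IndicatorItem":
            result = _item_matches(child, inventory)
            if result:
                hits.append(child.get("id"))
        elif tag == "Indicator":
            result = _indicator_matches(child, inventory, hits)
        else:
            continue
        results.append(result)
    if not results:
        return False
    return all(results) if op == "AND" else any(results)


def evaluate_ioc(xml_text, inventory):
    """Return (matched, [ids of IndicatorItems that hit]) for one OpenIOC document."""
    root = ET.fromstring(xml_text)
    definition = root.find("ioc:definition", NS)
    hits = []
    matched = False
    for indicator in definition.findall("ioc:Indicator", NS):
        if _indicator_matches(indicator, inventory, hits):
            matched = True
    return matched, hits


if __name__ == "__main__":
    print(evaluate_ioc(SAMPLE_IOC, HOST_INVENTORY))
```

Two design points worth noting: the hash term never hits on this inventory, so the match comes entirely from the AND branch (a Roaming-profile executable plus a Run key), which is the kind of multi-term indicator that a plain hash lookup would miss; and an unrecognised condition raises instead of quietly evaluating to "no match", because a scan that silently skips terms reports a clean host it never actually checked.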