
Best practice on Exclusions

EnverSingh7603
Level 1

Hi,

 

Sorry if this has been asked previously. 

 

If you are commencing with a new deployment of AMP on servers, which is the best way to start developing your exclusions? 

I know there is a Cisco Maintained Exclusion set for Windows, but further to this what would be the best practice?

 

Is there a way to run a tool/script that audits potential files and processes to be considered for exclusions? 

 

Thanks. 

 

1 Reply

Troja007
Cisco Employee

Hello @EnverSingh7603,

Yes, you can/should use the Cisco Maintained exclusions. There are some points of view when installing AMP on a Server System.

  • Network monitoring: If the server provides services with high network activity, you should not install the DFC (network monitoring) component. You can, but there can be trouble. So test it.
  • Use the right exclusions.
  • The Tray icon can only connect once to the sfc.exe process from AMP. So, if there are multiple logged-on users, you should disable the Tray icon in the policy.
  • Troubleshooting and determining the necessary exclusions:
    • Exclude Applications with high disk activity.
    • Exclude Applications which are generating executable code. Take an eagle eye on development systems. ;-)
    • You can enable Debug Logging and generate a diagnostic file. The diagnostic file can be checked with a tool, which you can download from GitHub: https://github.com/CiscoSecurity/amp-05-windows-tune
  • Here is a cool explanation from Luis Velazquez, generating a Report as well:
    https://community.cisco.com/t5/advanced-threats/cisco-amp-100-usage-of-cpu/td-p/3877304

Hope this helps,

Greetings,

Thorsten
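Added example, not part of either post above and not Cisco's or the amp-05-windows-tune tool: a PowerShell script that addresses the "Exclude Applications with high disk activity" point by sampling per-process I/O counters on a Windows server and ranking the busiest processes with their image paths, so that you have a shortlist to review against the Cisco Maintained exclusions before writing your own. It assumes an elevated PowerShell 5.1+ session and English counter names; the sample count, interval and top-N values are constructed defaults. It does not read the AMP diagnostic file (that is what the GitHub tool in the reply is for); it only observes disk activity.

```powershell
# Added example (not from the thread): shortlist high disk-I/O processes as
# exclusion *candidates* for review. Assumptions: elevated session, English
# performance-counter names. Defaults below are constructed, adjust as needed.
function Get-ExclusionCandidates {
    param(
        [int]$Samples         = 12,   # number of counter snapshots
        [int]$IntervalSeconds = 5,    # seconds between snapshots (12 x 5 s = 1 min window)
        [int]$Top             = 15    # how many processes to report
    )

    # Per-process read+write bytes per second, all instances at once.
    $counter = '\Process(*)\IO Data Bytes/sec'
    $totals  = @{}

    $sets = Get-Counter -Counter $counter -SampleInterval $IntervalSeconds `
                        -MaxSamples $Samples -ErrorAction SilentlyContinue

    foreach ($set in $sets) {
        foreach ($s in $set.CounterSamples) {
            $name = $s.InstanceName
            # Skip aggregate and idle pseudo-instances.
            if ($name -in @('_total', 'idle')) { continue }
            $totals[$name] = [double]$totals[$name] + $s.CookedValue
        }
    }

    $report = foreach ($entry in $totals.GetEnumerator()) {
        # Duplicate instances are suffixed "#1", "#2"...; strip that to resolve the image.
        $base = $entry.Key -replace '#\d+$', ''
        $proc = Get-Process -Name $base -ErrorAction SilentlyContinue | Select-Object -First 1
        [pscustomobject]@{
            Process     = $entry.Key
            AvgMBPerSec = [math]::Round(($entry.Value / $Samples) / 1MB, 2)
            # Path is what an exclusion should be written against, not the bare name.
            Path        = if ($proc -and $proc.Path) { $proc.Path } else { '(not running / access denied)' }
        }
    }

    $report | Sort-Object AvgMBPerSec -Descending | Select-Object -First $Top
}

# Run during a representative load window (backup, batch job, peak traffic),
# not on an idle box, or the ranking will not reflect production behaviour.
Get-ExclusionCandidates | Format-Table -AutoSize
```

Treat the output as a review list, not an exclusion list: a process that is busy is not automatically safe to exclude, and an exclusion should name the narrowest path (or process, where the policy supports it) that removes the contention, because every excluded path is a blind spot for the engine. Cross-check each candidate against the Cisco Maintained exclusion set first, since many common server roles are already covered there.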