Cisco AMP API - Initiate Scan?

gbam
Level 1

Is there a way to initiate an endpoint scan with Cisco AMP from the API?

9 Replies

Matthew Franks
Cisco Employee

There is currently no way to initiate a scan via the API. Please have your Account Manager put in/add you to a Feature Request for that functionality.

Thanks,

Matt

That's embarrassing considering every other endpoint vendor has it.

brmcmaho
Cisco Employee

Well, it gets quite a bit less embarrassing when you consider that a triggered scan, after the initial install, is basically not necessary with AMP. Because we're continually monitoring the activity on the endpoint, anything bad should get picked up. Stuff that initially passed muster and later is identified as malicious is handled by AMP's retrospection feature.

AMP does an initial scan at install time (by default) to pick up anything that was already lurking on the endpoint prior to AMP installation. Once you've done that the first time, there is very little benefit in continually re-scanning clean files over and over. All it really does is chew up system resources.

For customers who need to scan because of overly-restrictively-written policy requirements, scans can be scheduled via the admin console. But we pretty much never recommend doing so unless you absolutely have to.

What's the scenario you have in mind for API-initiated scans?

A good example could be the case of a failed quarantine. The malware was seen but not caught, whatever the reason is, so running a full scan will let us know that the endpoint is clean.

I completely agree with Orlith. We've had numerous cases of failed quarantines and we must use a follow-up scan to determine what our next steps will be: if the threat is removed on the follow-up scan, we are good to go. If not, and we can't manually remove the threat either, then it's time to re-image the machine.

We are moving to a SOAR based approach and having the ability to initiate a scan via API would help in multiple ways:

1. Reduce the manual workload for our Service Desk Team.

2. Speed up our MTTR when it comes to endpoint infections/threats.

I agree with Orlith as well. I can tell you definitively that the install scan misses things that should have been caught if it were truly doing a full system scan. Things got picked up and quarantined on endpoints after scheduling a full system scan (they were false positives though) that should have also triggered on the install scan if the install scan was truly scanning the entire endpoint.

Triaging things needs the ability to force a manual scan instead of having to use a separate policy and set the scheduled scan settings on the separate policy. That's too cumbersome when you are trying to investigate something immediately due to alerts from other security products.

DFIRSTResponder
Level 1

Is this still not a feature 3/4 years later? And why do they go from V0/V1 to V3? What happened to V2?

As for V0/V1 and now V3: there were some internal things that were used for automation testing that are called v2.

Any plans of adding this "scan computer" feature to the API?
