
FireAMP for Endpoint: Windows Virus/Spyware Protection Notification

tgrundbacher
Level 1

I've recently installed FireAMP with TETRA on Windows 7 and 10 and have uninstalled/deactivated any other security product, including the built-in Windows Defender (which will, annoyingly, automatically turn itself back on after some time).

Shouldn't FireAMP be a "registered/well-known" antivirus/antimalware product that Windows will accept as an alternative to Defender, Security Essentials or any other A/V product? Is there a best practice about how to remove Windows Security Center alert messages on all the endpoints I'm going to install FireAMP on as the only security solution? Or is it best practice to let Defender run in parallel to FireAMP (with or without TETRA)?

5 Replies

tgrundbacher
Level 1

Meanwhile, I've found additional info on that topic in the official FireAMP training guide. It states:

"TETRA is a traditional AV detection engine that does not rely on the cloud to perform any of its detection functions. The primary benefit of Tetra is to give the FireAMP connector offline AV detection capability.

An important consideration regarding deployment of the Tetra engine is whether or not you have used FireAMP to augment an existing AV solution. If the endpoint has AV software installed from another vendor, there is no need to deploy Tetra. In fact, the best practice is to avoid using Tetra if possible. It adds unnecessary overhead in the case of an augmentation deployment and will not add any additional value to a deployment that has full-time network connectivity since, in this case, the cloud will handle the detection."

Also, a TAC engineer responded with the following statement:

"FireAMP cannot be compared to a full-fledged anti-virus solution. It does have anti-malware and virus capability and can be run simultaneously with any other security product including Defender.
So I would suggest to exclude the FireAMP from Defender or any other security product you might be running."

So according to my perception, Cisco doesn't promote using FireAMP as a sole, complete Antivirus/Antimalware product, since on one hand, they're recommending "augmented" installations and on the other hand, FireAMP is not being recognized by Windows as a trusted security product.

As in many companies it's going to be hard to justify the cost for two antivirus/antimalware products running on every endpoint, I guess I'll follow the following approach:

  • Windows 10: Leave Defender turned on with its default settings and switch off TETRA. No need to install any other A/V product.
  • Windows 7: Leave any classic A/V solution installed and deploy FireAMP without TETRA. If you don't want to spend money on a classic A/V license, install Security Essentials.

It would definitely be easier if Cisco made FireAMP a trusted security product in Windows.

tgrundbacher,

How has this been working out for you? We have been thinking about rolling it out that way with our company. 

Hey Jamm1n2780

There's no general answer as every customer has different preferences, requirements and a different installed base. I'd propose at the license refresh cycle of your traditional A/V at the latest, it's time to reconsider if you still really need your traditional A/V product - and I'd assume you won't. If you don't have any yet, well, then AMP for Endpoints is most likely all you need.

The following blog will help you with your decision:

http://blogs.cisco.com/security/endpoint-protection-platform-epp-vs-endpoint-detection-response-edr

Hope that helps - I personally would still stick to my recommendation from the previous post ;)

Toni

Farhan Mohamed
Cisco Employee

TETRA is a traditional AV detection engine that does not rely on the cloud to perform any of its detection functions. The primary benefit of Tetra is to give the FireAMP connector offline AV detection capability.

An important consideration regarding deployment of the Tetra engine is whether or not you have used FireAMP to augment an existing AV solution. If the endpoint has AV software installed from another vendor, there is no need to deploy Tetra.

"FireAMP cannot be compared to a full-fledged anti-virus solution. It does have anti-malware and virus capability and can be run simultaneously with any other security product including Defender.
So I would suggest to exclude the FireAMP from Defender or any other security product you might be running."

So according to my perception, Cisco doesn't promote using FireAMP as a sole, complete Antivirus/Antimalware product, since on one hand, they're recommending "augmented" installations and on the other hand, FireAMP is not being recognized by Windows as a trusted security product.

Windows 10: Leave Defender turned on with its default settings and switch off TETRA. No need to install any other A/V product.

Windows 7: Leave any classic A/V solution installed and deploy FireAMP without TETRA. If you don't want to spend money on a classic A/V license, install Security Essentials.

It would definitely be easier if Cisco made FireAMP a trusted security product in Windows.

Just an update here - I recently enabled TETRA on my Windows 10 machines and it seems to be recognised by Microsoft, as Windows Defender got turned off, stating another 3rd party program has taken over.

My only concern now is how effective TETRA is as a traditional AV and whether it can truly fulfill this role.
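
The thread turns on whether Windows Security Center sees an endpoint's AV product as registered and whether Defender has stepped aside. The following PowerShell check is an added example, not part of any post above and not Cisco's own tooling; it reports both on a Windows client. It assumes PowerShell 3.0 or later, and the `productState` decoding follows a commonly observed layout that Microsoft does not document.

```powershell
# Added example: list the AV products registered with Windows Security Center
# and show Defender's own view of its state. Client OS only: the
# root/SecurityCenter2 namespace is not present on Windows Server.

function ConvertFrom-ProductState {
    param([Parameter(Mandatory)][uint32]$ProductState)
    # ASSUMPTION: productState has no published specification. This uses the
    # widely observed layout 0xPPSSUU, where bit 0x10 of SS means "enabled"
    # and UU equal to 0x00 means the signatures are reported as current.
    $stateByte = ($ProductState -shr 8) -band 0xFF
    $sigByte   = $ProductState -band 0xFF
    [pscustomobject]@{
        Hex               = '0x{0:X6}' -f $ProductState
        Enabled           = [bool]($stateByte -band 0x10)
        SignaturesCurrent = ($sigByte -eq 0x00)
    }
}

function Get-RegisteredAntivirus {
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' -ErrorAction Stop |
        ForEach-Object {
            $s = ConvertFrom-ProductState -ProductState $_.productState
            [pscustomobject]@{
                Name              = $_.displayName
                ProductState      = $s.Hex
                Enabled           = $s.Enabled
                SignaturesCurrent = $s.SignaturesCurrent
                Executable        = $_.pathToSignedProductExe
            }
        }
}

$registered = @(Get-RegisteredAntivirus)
$registered | Format-Table -AutoSize

# Anything enabled that is not Defender is a third-party product Windows has accepted.
$thirdParty = @($registered | Where-Object { $_.Name -notmatch 'Defender' -and $_.Enabled })
if ($thirdParty.Count -gt 0) {
    "Third-party AV registered and enabled: $($thirdParty.Name -join ', ')"
} else {
    'No enabled third-party AV is registered with Security Center.'
}

# Defender's own status, where the Defender cmdlets exist (not on Windows 7).
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    Get-MpComputerStatus -ErrorAction SilentlyContinue |
        Select-Object AntivirusEnabled, RealTimeProtectionEnabled, AMRunningMode
}
```

Running it before and after a TETRA policy change shows whether the connector appears in the registered list and whether Defender's real-time protection is still on.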