Scheduled Scan Outside the Policy

Hello,

 

I have Cisco AMP for Endpoints. It is a new installation. 

I would like to ask if there is an option to create a scheduled scan outside the policy. 

This is driven by the fact that the company's policy needs to scan some servers the first week of the month, some others the second and so on, ...

 

Any tips?

 

Thanks and regards, 

Konstantinos

2 Replies

Muhammad Awais Khan
Cisco Employee

Hi,

 

As you might have already explored, there is no option available to let you schedule the scan outside the policy. One thing you can do is to create different groups and policies for those servers to allow you to have a separate schedule for the scan for those different servers.

I would also like to encourage you to help your customer toward a more sensible policy.

Periodic scans are generally not necessary, or even useful, with AMP, because AMP uses continuous monitoring. Every time a file gets touched, AMP checks its disposition according to the most up-to-date information available, so anything known to be malicious should be caught in near real time. (I say "near" because dispositions do get cached for a certain amount of time for performance reasons.)

With classic signature-based detection, every time new signatures are added for new threats, you have to rescan the system in order to ensure that no matching files exist. AMP deals with that scenario using a retrospective event instead.

If a customer's security policy MANDATES periodic scans, they have fallen into the trap of specifying a METHOD, not a desired RESULT. It's the equivalent of requiring three swings of a hammer, no matter whether the object you're working with is a nail, a screw, a lag bolt, or a carabiner.