07-05-2017 01:27 PM - edited 02-20-2020 09:04 PM
I have been working on AMP for Network and Endpoints. At the start I faced a lot of issues with servers, which I gradually resolved with the addition of exclusions, but for the last few days I don't know how and why the AMP connector starts scanning the endpoint and affects the performance of the machine.
Can anyone help me on this, please?
Looking forward.
07-05-2017 02:11 PM
What kind of scan is it? An automatic scan you've configured in policy? If yes, is it a full, flash, or custom scan? When you say it affects the performance, do you mean CPU or disk activity goes high? Does it crash the system?
Verify the scheduled scan by editing the policy: File > Scheduled Scans
A Full scan will scan the running processes, the registry entries, and all the files on disk. This scan is very resource-intensive and should not be performed on a regular basis, so avoid running a full scan every time.
There is another scan set by policy; verify whether you have this configured:
https://console.amp.cisco.com/help/en/wwhelp/wwhimpl/js/html/wwhelp.htm
If you open up a TAC case with diagnostic file attached, that would be great.
07-09-2017 04:08 AM
Well, the memory spikes... Can I check what files and paths etc. are currently being checked by AMP? I mean those files and folders that will not be part of the exclusions.
Are these all running services? If yes, then do we have to exclude all these running services? If yes, then it is weird.
07-09-2017 04:21 AM
Hello Zaheer,
If you are seeing the memory spikes, then we need the diagnostics file. If it is version 5.1, then you won't be able to get the file counts and paths which are continuously scanned by AMP by using the sqlite queries. If the version is below 5.1, then you can use the following article to run the SQL query and get the list of files that are scanned.
http://www.cisco.com/c/en/us/support/docs/security/advanced-malware-protection-endpoints/118802-technote-fireamp-00.html
If you are using a version above 5 or 5.1, then please open a TAC case and get the diagnostics in DEBUG mode so that the team can help you with the fine tuning.
Rate if this answer helps.
Regards
Jetsy
07-09-2017 04:30 AM
Hi Jetsy,
Putting it in debug mode will not further affect the system?
07-09-2017 07:49 AM
Hello Zaheer,
Just enable the DEBUG and let it run for 15-20 minutes and generate the diagnostics file.
Enabling the DEBUG won't affect the system.
Regards
Jetsy
07-09-2017 10:23 PM
Does this debug have to go to Cisco, or is the debug something like on routers/switches and firewalls, which we can also have a look at ourselves, or is there any special tool used for this by Cisco?
07-10-2017 05:00 AM
Hello Zaheer,
Refer to the following link to obtain the diag file.
http://www.cisco.com/c/en/us/support/docs/security/sourcefire-fireamp-endpoints/118228-technote-fireamp-00.html
Let me know if you have any questions.
Also you can open a case with TAC by adding this diag file.
Regards
Jetsy
07-18-2017 10:08 PM
Thanks to all. I have fixed the issue by checking the running services on the endpoints and excluding the necessary ones; the issue was due to a Microsoft patch.
07-20-2017 06:18 AM
Hello Zaheer,
It's always important to identify your environment and exclude the necessary processes based on the requirements.
This will improve the performance very well.
Here is the exclusion guide for your quick reference.
http://www.cisco.com/c/en/us/support/docs/security/sourcefire-fireamp-endpoints/118341-configure-fireamp-00.html
Glad that you could resolve the issue.
Regards
Jetsy
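To make the two pieces of advice in this thread concrete (first obtain the list of files the connector is scanning, then exclude the processes and paths that account for most of the load), here is an added Python example; it is not from the thread or from Cisco. It assumes you already have the scanned-file list with the owning process (the constructed records below stand in for that list) and ranks the directories and processes that dominate scan volume so they can be checked against the exclusion guide.

```python
from collections import Counter

# Constructed sample of scan records, "<process>|<path>" per line. This stands
# in for the list of scanned files obtained from connector diagnostics; the
# process names and paths are illustrative, not from a real system.
SCAN_LOG = """\
sqlservr.exe|C:\\SQLData\\MSSQL\\DATA\\app.mdf
sqlservr.exe|C:\\SQLData\\MSSQL\\DATA\\app_log.ldf
sqlservr.exe|C:\\SQLData\\MSSQL\\DATA\\tempdb.mdf
sqlservr.exe|C:\\SQLData\\MSSQL\\LOG\\ERRORLOG
TrustedInstaller.exe|C:\\Windows\\servicing\\Packages\\update.cab
TrustedInstaller.exe|C:\\Windows\\servicing\\Packages\\update.mum
TrustedInstaller.exe|C:\\Windows\\WinSxS\\Temp\\patch.dll
explorer.exe|C:\\Users\\alice\\Downloads\\report.xlsx
outlook.exe|C:\\Users\\alice\\AppData\\Local\\mail.ost
svchost.exe|C:\\Windows\\System32\\drivers\\etc\\hosts
"""


def parse_records(text):
    """Turn the raw lines into (process, path) tuples, skipping malformed ones."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or "|" not in line:
            continue
        proc, path = line.split("|", 1)
        records.append((proc, path))
    return records


def top_directories(records, depth=3, n=None):
    """Count scans per directory prefix (first `depth` path components)."""
    counts = Counter()
    for _, path in records:
        parts = path.replace("/", "\\").split("\\")
        counts["\\".join(parts[:depth])] += 1
    return counts.most_common(n)


def top_processes(records, n=None):
    """Count scans per originating process, busiest first."""
    return Counter(proc for proc, _ in records).most_common(n)


def exclusion_candidates(records, min_share=0.3):
    """Directories responsible for at least min_share of all scan events.

    These are candidates only: each must be checked against the vendor
    exclusion guide before being added, since an exclusion removes coverage."""
    total = len(records)
    return [(d, c) for d, c in top_directories(records) if c / total >= min_share]
```

Running the helpers on the sample shows the SQL data directory producing 40% of events, which is the kind of path the exclusion guide addresses, while the user profile paths stay under the threshold and keep being scanned.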
01-20-2018 11:51 AM
Hi All,
Is it possible to stop a scheduled scan from the console? We have an automated scan scheduled and we are having issues on the servers. Is there any option to kill it from the console?
12-06-2018 12:55 PM
Can you please explain to me how this AMP works? I have 36 "requires attention" items in my inbox status.
How can I get rid of these 36 attention items?