I have been working on AMP for Networks and Endpoints. At the start I faced a lot of issues with servers, which I gradually resolved by adding exclusions, but for the last few days I don't know how or why the AMP connector starts scanning the endpoint and affects the performance of the machine.
Can anyone help me with this, please?
What kind of scan is it? An automatic scan you've configured in the policy? If yes, is it a full, flash or custom scan? When you say it affects performance, do you mean CPU or disk activity goes high? Does it crash the system?
Verify the scheduled scan by editing the policy: File > Scheduled Scans
A full scan will scan the running processes, the registry entries, and all the files on disk. This scan is very resource-intensive and should not be performed on a regular basis, so avoid running a full scan every time.
There is another scan set by policy; verify whether you have this configured:
If you open a TAC case with the diagnostic file attached, that would be great.
Well, the memory spikes... Can I check which files and paths etc. are currently being checked by AMP, i.e. those files and folders that are not part of the exclusions?
Are these all running services? If yes, do we have to exclude all these running services? If yes, then that is weird.
If you are seeing memory spikes, then we need the diagnostics file. If it's version 5.1, you won't be able to get the file counts and paths that are continuously scanned by AMP using the sqlite queries. If the version is below 5.1, you can use the following article to run the SQL query and get the list of files that are scanned.
If you are using a version above 5 or 5.1, please open a TAC case and get the diagnostics in DEBUG mode so that the team can help you with the fine-tuning.
Rate if this answer helps.
Just enable DEBUG, let it run for 15-20 minutes, and generate the diagnostics file.
Enabling DEBUG won't affect the system.
Must this debug go to Cisco, or is the debug something like the one on routers/switches and firewalls, which we can also look at ourselves, or is there a special tool Cisco uses for this?
Refer to the following link to obtain the diag file.
Let me know if you have any questions.
You can also open a case with TAC and attach this diag file.
Thanks to all. I have fixed the issue by checking the running services on the endpoints and excluding the necessary ones; the issue was due to a Microsoft patch.
It's always important to understand your environment and exclude the necessary processes based on the requirements.
This will improve performance a great deal.
Here is the exclusion guide for your quick reference.
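The post above fixed the problem by reviewing the running services on the endpoint and excluding the ones that needed it. As an added example (not code from the thread or from Cisco), the PowerShell below enumerates the running Windows services on an endpoint and extracts the executable each one runs, producing a candidate list to review against the exclusion guide. It assumes it is run with administrator rights on the endpoint itself and writes a CSV to `%TEMP%`; the output path and the `Get-ServiceExecutable` helper name are this example's own choices. Treat the list as input to a review, not as an exclusion list: every process exclusion is a blind spot, and shared hosts such as `svchost.exe` run many unrelated services, so a broad exclusion there removes far more coverage than the one noisy service you are trying to calm.

```powershell
# Added example (not from the thread): list running Windows services and the
# executable behind each one, as candidates to review for AMP process exclusions.

function Get-ServiceExecutable {
    param([string]$PathName)
    # A service's ImagePath may be quoted ("C:\Program Files\x\y.exe" -arg) or
    # unquoted (C:\Windows\system32\svchost.exe -k netsvcs). Take everything up
    # to and including the first ".exe" in either case; -match is case-insensitive.
    if ($PathName -match '^\s*"?(?<exe>[^"]+?\.exe)') {
        return $Matches['exe']
    }
    return $null
}

$candidates = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        [pscustomobject]@{
            Service    = $_.Name
            Executable = Get-ServiceExecutable $_.PathName
        }
    } |
    Where-Object { $_.Executable }

# One row per distinct executable; several services usually share svchost.exe,
# which is exactly why excluding it wholesale is a bad idea.
$byExe = $candidates | Group-Object -Property Executable | Sort-Object -Property Name

foreach ($g in $byExe) {
    '{0}  <- {1}' -f $g.Name, (($g.Group.Service | Sort-Object) -join ', ')
}

# Export for review before anything is entered into the AMP policy.
$byExe |
    Select-Object @{ n = 'Executable'; e = { $_.Name } },
                  @{ n = 'ServiceCount'; e = { $_.Count } },
                  @{ n = 'Services'; e = { ($_.Group.Service -join ', ') } } |
    Export-Csv -Path "$env:TEMP\amp-exclusion-candidates.csv" -NoTypeInformation
```

Run it on a representative server of each role (file server, database, domain controller) rather than on one box, since the set of running services differs per role, and prefer exact executable paths over wildcards when you turn a row into an exclusion.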
Glad that you could resolve the issue.
Is it possible to stop a scheduled scan from the console? We have an automated scan scheduled and we are having issues on the servers. Is there any option to kill it from the console?