Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8200
Views
0
Helpful
4
Replies

AMP for Endpoints and Windows Defender false positives

Go to solution
jack.sankey@mcgill.ca
Level 1
Level 1

‎11-30-2018 09:01 AM - edited ‎02-20-2020 09:07 PM

Hi all,

 

I have a freshly installed windows 10 pro with an AMP for Endpoints connector running in conjunction with Windows Defender. Windows Defender quickly started finding all kinds of "threats" in paths like

 

C:\Program Files\Cisco\AMP\clamav\0.99.2.35\temp\clamtmp\0005718b.tmp
C:\Program Files\Cisco\AMP\clamav\0.99.2.35\temp\clamtmp\clamav-61129689be88cab63e3e69f5866eb3c1.tmp\pdf45

 

I'm presuming that these are virus definitions, and the solution is to add C:\Program Files\Cisco\AMP\clamav to Windows Defender's ignore list.

 

  1. Can someone confirm that this is indeed what is happening and the correct solution?
  2. Defender quarantined about 8 files automatically; will this negatively affect AMP?

Thanks in advance,
Jack

1 person had this problem
Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Matthew Franks
Cisco Employee
Cisco Employee

‎11-30-2018 09:05 AM

Jack,

 

You are correct that these are signatures.  Without these, AMP won't be able to perform local file analysis.  If you're going to run Defender and AMP together, please exclude the AMP directories from Defender and Defender directories from AMP.

 

Thanks,

Matt

View solution in original post

0 Helpful

Go to solution
Matthew Franks
Cisco Employee
Cisco Employee
In response to jack.sankey@mcgill.ca

‎11-30-2018 09:09 AM

The connector will check in every hour by default (can be set in the policy) to ensure the signatures are up to date.  At that point, it should download the missing files.

 

-Matt

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Matthew Franks
Cisco Employee
Cisco Employee

‎11-30-2018 09:05 AM

Jack,

 

You are correct that these are signatures.  Without these, AMP won't be able to perform local file analysis.  If you're going to run Defender and AMP together, please exclude the AMP directories from Defender and Defender directories from AMP.

 

Thanks,

Matt

0 Helpful

Go to solution
jack.sankey@mcgill.ca
Level 1
Level 1
In response to Matthew Franks

‎11-30-2018 09:07 AM

Thanks! Will the already quarantined files be automatically fixed in AMP?
0 Helpful

Go to solution
Matthew Franks
Cisco Employee
Cisco Employee
In response to jack.sankey@mcgill.ca

‎11-30-2018 09:09 AM

The connector will check in every hour by default (can be set in the policy) to ensure the signatures are up to date.  At that point, it should download the missing files.

 

-Matt

0 Helpful

Go to solution
jack.sankey@mcgill.ca
Level 1
Level 1
In response to Matthew Franks

‎11-30-2018 09:12 AM

Awesome, thanks!
0 Helpful
Customers Also Viewed These Support Documents