05-31-2018 12:38 PM - edited 02-20-2020 09:05 PM
At what Severity and Confidence does AMP for endpoints block a file? Or does it only block 100% confidence items?
05-31-2018 03:13 PM
Hi Michael,
The short answer is: yes, AMP blocks only high-confidence malicious files.
The longer answer:
With AMP for Endpoints in file blocking mode (the other mode is Audit mode, where AMP detects but doesn't block, mostly used during PoVs), files that are marked 'malicious' (file disposition) in the AMP Cloud are going to be blocked. Numerous sophisticated technologies (so-called "engines" that leverage machine learning to identify malware, generic fingerprinting, Advanced File Analysis [Threat Grid], etc.), as well as the human factor/Talos, contribute to this collective intelligence. The product also has an offline AV engine that can be enabled through a policy to block high-confidence known malicious files based on signature matches.
Recent third-party test results confirm that: https://blogs.cisco.com/security/nss-labs-awards-recommended-rating-to-cisco-endpoint-security
Please keep in mind that while AMP for Endpoints offers robust file blocking capabilities, it does way more than just that (Exploit Prevention, System Process Protection, Malicious Activity Protection, Generic [Cloud] IOCs, integration with Cognitive Threat Analytics, etc.). I'd suggest reviewing the "AMP for Endpoints - Protection Lattice" section in this paper: AMP for Endpoints - Exploit Prevention
07-05-2018 04:53 AM
Michael is right... thanks for answering this.