Showing results for 
Search instead for 
Did you mean: 

AMP for Endpoints Severity and Confidence

Michael Lane
Level 4
Level 4

At what Severity and Confidence does AMP for endpoints block a file? Or does it only block 100% confidence items?

2 Replies 2

Cisco Employee
Cisco Employee

Hi Michael,

The short answer is - yes, AMP blocks only high confidence malicious files.

The longer answer:

with AMP for Endpoints file blocking mode (other is Audit mode where AMP detects but doesn't block, mostly used during PoVs), files that are marked 'malicious' (file disposition) in the AMP Cloud are going to be blocked. Numerous sophisticated technologies (so-called "engines" that leverage machine learning to identify malware, generic fingerprinting, Advanced File Analysis [Threat Grid], etc), as well as the human factor/Talos, contribute to this Collective intelligence. The product also has an offline AV engine, that can be enabled through a policy to block high confidence known malicious files based on signature matches.

Recent third-party test results that confirm that:

Please keep in mind, that while AMP for Endpoints offers robust file blocking capabilities, it does way more than just that (Exploit Prevention, System Process Protection, Malicious Activity Protection, Generic [Cloud] IOCs, integration with Cognitive Threat Analytics, etc). I'd suggest to review the "AMP for Endpoints - Protection Lattice" section in this paper: AMP for Endpoints - Exploit Prevention

Level 5
Level 5

Michael is right....thanks for answering this