10-26-2020 08:53 AM
We are having issues with AMP for Endpoints installed on Windows Server 2012 R2 servers with SQL clustering.
it appears the cluster volume store is not accessible by the cluster if AMP is installed. We have not implemented any exclusions other than the CISCO maintained exclusions at this point. Does anyone have any recommendations for solving this issue?
10-26-2020 10:00 AM
I believe we were able to resolve this by creating a new policy for just those servers and disabling the Malicious Activity Protection option.
10-29-2020 08:05 AM
Thank you. We checked with Cisco and indeed disabling MAP (not placing in audit, but disabling) worked and in fact MAP is not recommended by Cisco for server deployments.
10-29-2020 12:07 PM
Hello @Davedog,
glad to hear you solved your problem. BTW, for servers with high network activity you may install the endpoint with the /skipdfc 1 option. This skips the installation of the network drivers.
In addition, to figure out what is going on with the endpoint, you can use the following tools.
Greetings,
Thorsten
10-29-2020 12:48 PM
This isn't really a solution though. It works, but disabling MAP leaves you vulnerable to ransomware. It's the only thing that has worked from what I have seen. We install the client on servers with the /skipdfc 1 switch, and Device Network Flow Correlation is not enabled on the policy. Thorsten, since you are a Cisco employee, do you know of or have you seen in the knowledge base any other way to make this work without disabling MAP? It's more of a workaround, not really a solution.
10-30-2020 12:19 AM
Hello @techytuesday,
true, disabling an engine or having multiple exclusions raises the attack surface. Regarding ransomware, what I'm always thinking about is how it should get active on a system which, I assume, is not fully connected to the internet, where most of the time no user is logged on, and there are no mails and no other user activity. Finally, what is the real risk that ransomware gets active on my server?
As outlined in the policy object, Development recommends disabling the MAP engine on servers.
You may enable the new Behavioral Protection Engine to close this gap.
Greetings,
Thorsten