We are having issues with AMP for Endpoints installed on Windows Server 2012 R2 servers with SQL clustering.
It appears the cluster volume store is not accessible by the cluster if AMP is installed. We have not implemented any exclusions other than the Cisco-maintained exclusions at this point. Does anyone have any recommendations for solving this issue?
Thank you. We checked with Cisco and indeed disabling MAP (not placing in audit, but disabling) worked and in fact MAP is not recommended by Cisco for server deployments.
Glad to hear you solved your problem. BTW, for servers with high network activity you may install the endpoint with the /skipdfc 1 option. This skips the installation of the network drivers.
In addition, to figure out what is going on with the endpoint, you can use the following tools.
This isn't really a solution though. It works, but disabling MAP leaves you vulnerable to ransomware. It's the only thing that has worked from what I have seen. We install the client on servers with the /skipdfc 1 switch, and Device Network Flow correlation is not enabled on the policy. Thorsten, since you are a Cisco employee, do you know of, or have you seen in the knowledge base, any other way to make this work without disabling MAP? It's more of a workaround, not really a solution.
True, disabling an engine or having multiple exclusions raises the attack surface. Regarding ransomware, what I'm always thinking about is how it should get active on a system which, I assume, is not fully connected to the internet, where most of the time no user is logged on, no mails and no other user activity. Finally, what is the real risk that ransomware gets active on my server?
As outlined in the policy object, Development recommends disabling the MAP engine on servers.
You may enable the new Behavioral Protection Engine to close this gap.
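The thread mentions two things a server administrator would want to combine: installing the connector with the /skipdfc 1 switch so the network driver is skipped, and confirming afterwards that the cluster disks are still reachable (the symptom reported in the opening post). The PowerShell below is an added example written for this page, not code from Cisco or from any poster in the thread. It assumes the installer path and log directory are placeholders you replace, that /S is the connector installer's silent switch (an assumption; /skipdfc 1 is the switch named in the thread), and that the FailoverClusters module is available on the node.

```powershell
# Added example (not from the thread): install the AMP for Endpoints connector on a
# Windows Server 2012 R2 cluster node with the network driver skipped, then confirm
# the cluster disks and cluster shared volumes are still online afterwards.
# Assumptions: $Installer is a placeholder path to the connector package downloaded
# from the console; /S is assumed to be the installer's silent switch; /skipdfc 1 is
# the switch mentioned in the thread.

$Installer = 'C:\Temp\amp_Server_Connector.exe'   # placeholder, replace with your package
$LogDir    = 'C:\Temp\amp-install'                # placeholder log location
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

Import-Module FailoverClusters

# Collect the state of every disk-backed cluster resource plus any CSVs, so the
# before/after comparison covers both classic cluster disks (typical for SQL
# failover instances) and cluster shared volumes.
function Get-ClusterStorageState {
    $disks = Get-ClusterResource |
        Where-Object { $_.ResourceType.Name -eq 'Physical Disk' } |
        Select-Object @{n='Kind';e={'ClusterDisk'}}, Name, State
    $csvs  = Get-ClusterSharedVolume |
        Select-Object @{n='Kind';e={'CSV'}}, Name, State
    return @($disks) + @($csvs)
}

# Snapshot storage state before the install so any regression is visible.
$before = Get-ClusterStorageState
$before | Export-Csv -Path (Join-Path $LogDir 'storage-before.csv') -NoTypeInformation

# Run the installer silently without the device flow correlation network driver.
$proc = Start-Process -FilePath $Installer -ArgumentList '/S /skipdfc 1' -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    Write-Warning "Connector installer exited with code $($proc.ExitCode); check the install logs."
}

# Re-check storage and report anything that is no longer Online.
$after = Get-ClusterStorageState
$after | Export-Csv -Path (Join-Path $LogDir 'storage-after.csv') -NoTypeInformation

$offline = $after | Where-Object { $_.State -ne 'Online' }
if ($offline) {
    Write-Warning 'Cluster storage not Online after the connector install:'
    $offline | Format-Table -AutoSize
} else {
    Write-Output 'All cluster disks and shared volumes are Online after the connector install.'
}
```

Run this on one cluster node at a time, after failing the SQL role over to another node, so a storage regression caused by the install surfaces on the node you are working on rather than on the node currently serving the instance. The before/after CSV files give you something concrete to attach to a support case if the disks do go offline despite the /skipdfc 1 switch.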