1686 Views | 0 Helpful | 5 Replies
Davedog
Beginner

AMP for Endpoints -SQL CSV (cluster store volumes) issues

We are having issues with AMP for Endpoints installed on Windows Server 2012 R2 servers with SQL clustering.

It appears the cluster volume store is not accessible by the cluster if AMP is installed. We have not implemented any exclusions other than the Cisco-maintained exclusions at this point. Does anyone have any recommendations for solving this issue?

1 Accepted Solution
techytuesday
Beginner

I believe we were able to resolve this by creating a new policy for just those servers and disabling the Malicious Activity Protection option.


5 Replies

Thank you. We checked with Cisco and indeed disabling MAP (not placing in audit, but disabling) worked and in fact MAP is not recommended by Cisco for server deployments.

Troja007
Cisco Employee

Hello @Davedog,
Glad to hear you solved your problem. BTW, for servers with high network activity you may install the endpoint with the /skipdfc 1 option. This skips the installation of the network drivers.

In addition, to figure out what is going on with the endpoint, you can use the following tools.

Greetings,
Thorsten

This isn't really a solution though. It works, but disabling MAP leaves you vulnerable to ransomware. It's the only thing that has worked from what I have seen. We install the client on servers with the /skipdfc 1 switch and Device Network Flow Correlation is not enabled on the policy. Thorsten, since you are a Cisco employee, do you know or have you seen in the knowledge base any other way to make this work without disabling MAP? It's more of a workaround, not really a solution.

Hello @techytuesday,
True, disabling an engine or having multiple exclusions raises the attack surface. Regarding ransomware, what I'm always thinking about is how it should get active on a system which, I assume, is not fully connected to the internet, where most of the time no user is logged on, no mails and no other user activity. Finally, what is the real risk that ransomware gets active on my server?

As outlined in the policy object, Development recommends disabling the MAP engine on servers.
[Screenshot: policy object, 2020-10-30]


You may enable the new Behavioral Protection Engine to close this gap.
[Image: Behavioral Protection Engine, schematic view]

Greetings,
Thorsten