cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
3013
Views
5
Helpful
4
Replies
ChiefSec-SF
Beginner

AMP for EP on Servers - Skip DFC

When installing on servers it is recommended to use the /skipdfc switch. I am looking for a way to validate that this switch was or was not used on a specific server. There should be a way to verify that the DFC drive is not installed, but I haven't been able to find it yet.

(example case: AMP was deployed to a server, 3rd party app on server starts misbehaving. Would be nice to be able to eliminate DFC as a potential cause without resorting to uninstall/reinstall of AMP)

1 ACCEPTED SOLUTION

Accepted Solutions
Veronika Klauzova
Cisco Employee

Hello,

you can list all available drivers on Windows server using CMD command:

driverquery

Then you can parse output in notepad or directly in CLI and look for keyword Imm that is part of name for AMP drivers:

driverquery | findstr Imm

If ImmunetNetworkMonitorD is displayed in the above output that means that DFC driver is installed.

Enjoy,

Veronika

View solution in original post

4 REPLIES 4
David Janulik
Cisco Employee

Hi,

You need to assign that computer to the group with the same policy e.g. Server policy

Pretty good visibility gives you the server policy, see Network tab - DFC which is unticked (turned off).

Hope this helps

David

Cyber security escalation engineer

David, disabling DFC feature in Policy is not enough as that would mean that feature is not used, but driver itself can be still installed.

--

Veronika

Veronika Klauzova
Cisco Employee

Hello,

you can list all available drivers on Windows server using CMD command:

driverquery

Then you can parse output in notepad or directly in CLI and look for keyword Imm that is part of name for AMP drivers:

driverquery | findstr Imm

If ImmunetNetworkMonitorD is displayed in the above output that means that DFC driver is installed.

Enjoy,

Veronika

View solution in original post

ChiefSec-SF
Beginner

Thanks Veronika, I also confirmed that this command works as well:

sc query immunetnetworkmonitordriver

Content for Community-Ad