
AMP for EP on Servers - Skip DFC

ChiefSec-SF
Level 1

When installing on servers, it is recommended to use the /skipdfc switch. I am looking for a way to validate that this switch was or was not used on a specific server. There should be a way to verify that the DFC driver is not installed, but I haven't been able to find it yet.

(example case: AMP was deployed to a server, 3rd party app on server starts misbehaving. Would be nice to be able to eliminate DFC as a potential cause without resorting to uninstall/reinstall of AMP)

1 Accepted Solution


Veronika Klauzova
Cisco Employee

Hello,

You can list all available drivers on a Windows server using the CMD command:

driverquery

Then you can parse the output in Notepad or directly in the CLI and look for the keyword Imm, which is part of the name of the AMP drivers:

driverquery | findstr Imm

If ImmunetNetworkMonitorD is displayed in the above output, that means that the DFC driver is installed.

Enjoy,

Veronika


4 Replies 4

David Janulik
Cisco Employee

Hi,

You need to assign that computer to the group with the same policy, e.g. the Server policy.

The server policy gives you pretty good visibility; see the Network tab - DFC, which is unticked (turned off).

Hope this helps

David

Cyber security escalation engineer

David, disabling the DFC feature in the Policy is not enough, as that would mean that the feature is not used, but the driver itself can still be installed.

--

Veronika

ChiefSec-SF
Level 1

Thanks Veronika, I also confirmed that this command works as well:

sc query immunetnetworkmonitordriver
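
The checks from this thread, combined into one script that can be run against several servers at once. This is an added example, not part of the original posts or Cisco's own tooling. It assumes the driver's service name is the one quoted in the last reply (immunetnetworkmonitordriver), that other AMP drivers share the "Imm" prefix mentioned in the accepted solution, and that remote servers accept CIM/WinRM queries.

```powershell
# Added example: report whether the AMP DFC driver is registered on each server.
# Assumption: service name taken from the thread (immunetnetworkmonitordriver).
param(
    # Server names to check; defaults to the local machine.
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

$dfcServiceName = 'immunetnetworkmonitordriver'

foreach ($computer in $ComputerName) {
    $query = @{
        ClassName   = 'Win32_SystemDriver'
        Filter      = "Name LIKE 'Imm%'"   # same keyword as "findstr Imm"
        ErrorAction = 'Stop'
    }
    # Query the local machine directly so WinRM is not required for it.
    if ($computer -ne $env:COMPUTERNAME) { $query.ComputerName = $computer }

    try {
        $drivers = @(Get-CimInstance @query)
    }
    catch {
        # A failed query is not the same as "driver absent": report it separately.
        [pscustomobject]@{
            Computer        = $computer
            DfcInstalled    = $null
            State           = "query failed: $($_.Exception.Message)"
            StartMode       = $null
            OtherImmDrivers = $null
        }
        continue
    }

    $dfc   = $drivers | Where-Object { $_.Name -eq $dfcServiceName }
    $other = $drivers | Where-Object { $_.Name -ne $dfcServiceName }

    [pscustomobject]@{
        Computer        = $computer
        DfcInstalled    = [bool]$dfc          # $false suggests /skipdfc was used
        State           = $dfc.State          # Running / Stopped when installed
        StartMode       = $dfc.StartMode
        OtherImmDrivers = ($other.Name -join ', ')
    }
}
```

A row with DfcInstalled set to True and State set to Stopped matches the case raised in the thread, where DFC is turned off in policy but the driver is still present on the server.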