
AMP -

Hello, I am evaluating AMP for Endpoints, first configuring the policy to Audit, and after that first scan I changed the computers to the Protect group (see the attached image). My question is, how do I apply the actions? There are detected files that I deleted and they are still being reported by AMP.

 

On Requires Attention I enabled it, but it's been more than 4 days with events In Progress and nothing happens. How can I apply actions for AMP to take?

 

Regards,

Juan Carlos Arias

 

 

 


Matthew Franks
Cisco Employee

Juan,

 

Those will not automatically be marked as Resolved.  When there is an event in the Requires Attention section, you can click the Begin Work button which will move it into the In Progress section.  Then, you can click Mark Resolved when you are finished.  This is done manually by a user as a way to track tasks, not automatically by anything on AMP's side.  I hope that clears things up for you!

 

Thanks,

Matt

Hello Matthew, thanks for your comments. I followed the steps you mention, but events remain in the In Progress tab until you select them and click Mark Resolved, is this correct?

 

But in the events of this computer, I can see some event actions like Policy Update, Scan Clean, Scan Started, and I can see one that says Executed Malware. What are the recommended actions for this event?

 

AMP2.jpg

 

Regards,

Juan Carlos Arias

 

Juan,

 

You are correct that they will remain In Progress until you mark them as Resolved.  As for the Malware Executed, there are a number of reasons you may see this, most common being that the policy was in Audit mode.  If you would like someone to take a closer look, I recommend opening a TAC case.

 

Thanks,

Matt

Matthew, I'm evaluating the solution so I can't open a case on TAC yet, and my policy is set to Protect. What I can see is that you need another software to complement the solution, like an AV or FW, is this correct? I'm saying this based on the actions that can be taken after detecting malware or a virus or something else, just trying to understand, thanks.

Juan,

 

If you are in a POV, you can ask your Account Manager to open a case on your behalf with the appropriate logs from the system.  With Malware Executed events, what typically takes place is a malicious process attempted to execute and AMP quarantined it.  Look for a Quarantine event at the same time for the same file.

 

Thanks,

Matt
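The check suggested in the reply above (find a Quarantine event for the same file at the same time as each Malware Executed event), as an added example that is not part of the original thread or any Cisco code. The event records, field names and the 60-second window are assumptions; map your own exported events onto them.

```python
from datetime import datetime, timedelta

# Constructed sample events. Field names and values are hypothetical,
# not the AMP console's export schema.
EVENTS = [
    {"time": "2024-01-10T10:15:02", "computer": "PC-01", "type": "Malware Executed", "sha256": "hash-A"},
    {"time": "2024-01-10T10:15:04", "computer": "PC-01", "type": "Quarantine", "sha256": "hash-A"},
    {"time": "2024-01-10T11:40:00", "computer": "PC-02", "type": "Malware Executed", "sha256": "hash-B"},
    # Same file quarantined on a different computer: must not count for PC-02.
    {"time": "2024-01-10T11:40:01", "computer": "PC-01", "type": "Quarantine", "sha256": "hash-B"},
    {"time": "2024-01-10T11:41:00", "computer": "PC-02", "type": "Scan Clean"},
    {"time": "2024-01-11T09:00:00", "computer": "PC-03", "type": "Malware Executed", "sha256": "hash-C"},
    # Quarantined 30 minutes later: outside the default window.
    {"time": "2024-01-11T09:30:00", "computer": "PC-03", "type": "Quarantine", "sha256": "hash-C"},
]

def triage(events, window=timedelta(seconds=60)):
    """Split Malware Executed events into (contained, unconfirmed).

    contained: a Quarantine event exists for the same computer and file
    hash within `window`. unconfirmed: no such event, so the endpoint
    deserves a closer look before the item is marked resolved.
    """
    quarantined = {}
    for e in events:
        if e["type"] == "Quarantine":
            key = (e["computer"], e.get("sha256"))
            quarantined.setdefault(key, []).append(datetime.fromisoformat(e["time"]))

    contained, unconfirmed = [], []
    for e in events:
        if e["type"] != "Malware Executed":
            continue
        seen = datetime.fromisoformat(e["time"])
        times = quarantined.get((e["computer"], e.get("sha256")), [])
        if any(abs(q - seen) <= window for q in times):
            contained.append(e)
        else:
            unconfirmed.append(e)
    return contained, unconfirmed

if __name__ == "__main__":
    ok, todo = triage(EVENTS)
    for e in todo:
        print("no matching quarantine:", e["computer"], e["sha256"], e["time"])
```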

You're right Matthew, some files have been moved to Quarantine, I didn't notice that before.
Regards,