AMP4E Exclusions and Scheduled scans

Infrastructure9
Level 1

In traditional AV you would add an exclusion so that it would not be checked; however, you would still have this exclusion scanned on a scheduled scan.

Does this apply to AMP4E, or will the exclusion be ignored during the full scan too?

2 Replies

ppreenja
Cisco Employee
Hi,

In AMP4E, full scans obey the exclusion lists. You should not exclude files or directories that are not trusted. If you are concerned about the scope of exclusions, you should exclude by SHA256 of the specific trusted file instead of doing stuff like path exclusions.
There can be instances where you are still seeing scans for the .exe files even after excluding the path, because AMP still scans processes within those exclusions.
For the same, you would have to add process exclusions for these to stop being scanned.

The article and video linked below will provide more information on setting up exclusions in AMP4E:

https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/213681-best-practices-for-amp-for-endpoint-excl.html

https://video.cisco.com/video/6038252112001

I hope the above information helps.

Cheers,
Pratham
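As an added illustration (not from the original thread or from Cisco), a small Python model of the point above: a scan that honours exclusions never looks inside an excluded path, so anything later dropped there is skipped too, whereas a SHA256 exclusion skips only the one trusted file. The directory-prefix and hash exclusion syntax is a simplified stand-in for AMP4E's own, and the sample file tree is constructed.

```python
"""Model of how an on-demand scan that honours exclusions decides what to skip."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks; this is the value you would put in a hash exclusion."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_scan_scope(root: Path, path_exclusions, sha256_exclusions):
    """For every file under root, record why (if at all) a scan that honours
    exclusions would skip it.  Returns {relative_path: "path" | "sha256" | "scanned"}.
    Path exclusions are directory prefixes relative to root (simplified syntax)."""
    excluded_dirs = [root / p for p in path_exclusions]
    trusted_hashes = {h.lower() for h in sha256_exclusions}
    result = {}
    for f in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = f.relative_to(root).as_posix()
        if any(f.is_relative_to(d) for d in excluded_dirs):
            result[rel] = "path"        # whole subtree skipped, contents never hashed
        elif sha256_of(f) in trusted_hashes:
            result[rel] = "sha256"      # only this exact content is skipped
        else:
            result[rel] = "scanned"
    return result


def build_sample_tree() -> Path:
    """Constructed sample data: a vendor directory holding a trusted binary and a
    file dropped there later, plus an ordinary user directory."""
    root = Path(tempfile.mkdtemp(prefix="amp_excl_"))
    (root / "vendor_app").mkdir()
    (root / "vendor_app" / "trusted.exe").write_bytes(b"MZ trusted vendor binary")
    (root / "vendor_app" / "dropped.dll").write_bytes(b"MZ unknown file in excluded dir")
    (root / "users").mkdir()
    (root / "users" / "report.docx").write_bytes(b"PK user document")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    trusted = sha256_of(root / "vendor_app" / "trusted.exe")
    print("path exclusion  :", audit_scan_scope(root, ["vendor_app"], []))
    print("sha256 exclusion:", audit_scan_scope(root, [], [trusted]))
```

Run against a real tree with your own exclusion lists, the "path" entries are exactly the files a scheduled scan will never examine.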

Troja007
Cisco Employee

Hello @Infrastructure9,

Agree, having an option to ignore exclusions during an OnDemand Scan would be a useful enhancement for the Connector.

Today, the OnDemand Scan honors the configured Exclusions.

So, what you can do: we introduced Automated Actions, where you can move a Computer into another Group. This Group should have stricter policies configured, e.g. fewer Exclusion lists. Based on an IOC, which can also be triggered by malicious behaviour of trusted files, the computer gets moved.

I opened a Feature Request to ignore configured Exclusions during ODScan: https://ciscosecurity.ideas.aha.io/ideas/AMP4E-I-1480.

You can share this link with your Cisco Representative to update it, adding notes or opening your personal one for you.


Hope this helps,

Greetings,

Thorsten