cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5662
Views
25
Helpful
13
Replies

Can we install AMP side by side with other AV product ?

bezeddin
Level 1
Level 1

Hi, 

 

Can we install AMP side by side with other AV product ? some users may still use their existing AV license while testing AMP

Regards

Budi

13 Replies 13

Troja007
Cisco Employee
Cisco Employee

Hello @bezeddin,

sure, this is possible, but not necessary as Secure Endpoint is much more then just AV. I would recommend to test with Secure Endpoint only, just to avoid technical issues or bad performance results. 

If installed beside other Security (AV) Products, you may do the following

  • Add exclusions for both security products.
  • Add File and Process exclusions
  • Keep care if there are memory protection features in both products. This can cause crashes. If yes, just one should be activated.

Keep in mind, if Secure Endpoint is not fully enabled, this may has an impact on Cloud IOCs, as the backend intelligence also process, e.g., if a file has been quarantined or not.

 

Finally, once again, i would recommend to install Secure Endpoint as the only Security Tool.

Greetings,
Thorsten

That's good to know. We are looking at other AV solutions and it is good to know that we can evaluate without removing our existing AV. 

Yes you can deploy it next to other AV solutions. It is covered in the deployment docs. We currently deploy alongside Symantec for a couple of specific features that AMP doesn't have. (USB control and a centrally reporting firewall)

Hello @Ken Stieers,
agree, just being curious. From your point of experience, in the cases you know, is USB control included in the AV product or a separated software component on the endpoint?
Greetings,
Thorsten

Hey Thorsten
What I'm seeing (because we went looking to replace Symantec) is that it's a mixed bag.
IIRC Sophos, ESET had it in the product, McAfee it's in the DLP product.
In our case, the 2 features we're using in Symantec that AMP doesn't have are USB control and centrally reporting firewall. Our firewall requirement is soon to go away... so we're waiting for USB control to come out to flip on Tetra and remove Symantec. I spent an hour on the phone with the product management team telling them what we needed from USB control, features that are part of Symantec's product today, so I'm hopeful...
Ken

s4mur41
Level 1
Level 1

super helpful information, appreciate the explanation 

Pierce Vasale
Level 1
Level 1

Well you can. Most likely issues would be increased overhead on the endpoints - so I'd test it a bit first to make sure you aren't overtaxing the poor thing.

Noviyanto
Level 1
Level 1

Won't it reduce our PC performance if AMP runs parallel to the existing AV? 

Hello @Noviyanto,
yes, duplicate scanning of file can be a performance issue. Especially if different security products want to scan a file at the same time. This also may generate unexpected behavior from a security product.

Example: Secure Endpoint wants to quarantine a file, but the file has been already removed by another AV scanner. It depends which filter driver first sees the file and does a file action.

Greetings,
Thorsten

 

A95946
Level 1
Level 1

I appreciate seeing the feedback about running in place with existing AV.  We are having this exact discussion as we evaluate a replacement for our existing AV, so seeing what others have done keeps us informed as we look for our next steps.  Thanks!

:woman_dancing:

woman-dancing

(Apologies, I can't get the emoji to work properly)

b.verbaandert
Level 1
Level 1

we have AMP for endpoints running on over 100.000 machines together with one of the popular AV packages for several years now ... no major problems so far 

 

Jim2k
Level 1
Level 1

We also have amp running on about 180k workstations while also running Trend Micro. things we did to get them to play nice. Exclusions are key. in both products. another is to to turn off a feature in one if the other product is better at it. as an example. when we roll out amp we use the /skiptetra 1. this does not install the clamAV part. but the main engine is still intact reason for this is that we were already using TM for file scanning for years prior to installing AMP. we mainly use AMP in audit mode for file trajectory and investigations. but we also create Tickets when a certain event types happen. i.e. "Malware Executed" or when certain Cloud IOC's trigger. we do have process protection turned on. Since TM does not have that feature. So far this overlapping protection has been working out. there are things seen by AMP that TM does not and Visa Versa

That's excellent advice from Jim2k.  The only thing I'd add is that, if you ever think you might enable the classic AV scanning on our side, use policy to disable the Offline Engine (referred to as Tetra for Windows connectors), instead of using the /skiptetra option at install time.  Having the offline engine present as part of the install, but disabled, doesn't really cost you all that much, and it gives you the ability to enable/disable it without having to reinstall the connector.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: