Cisco AMP making reports for items already in quarantine.

Mateus Biscardi
Level 1

Hello everybody, every day when I access my Cisco AMP tool I find some cases where the file that is alerting has already been put in quarantine before.

I imagine that I must be doing something wrong in my exclusion list or some similar mistake.

Can someone help me with this problem?


6 Replies

Matthew Franks
Cisco Employee

Could you provide more information on what you mean with a screenshot?

Hi Matthew, basically what is happening is that I receive some alerts in the endpoint but when I see the path the file is already in the quarantine.

I'll try to send some screenshots here.

Matthew Franks
Cisco Employee

Most likely what is happening is that Secure Endpoint attempts to quarantine a file but the parent process (Chrome for example if it is being downloaded from a browser) still has a handle on it.  This would trigger a Quarantine Failure event since we are not able to quarantine the file at that time.  Then, as soon as the handle is available, we are able to quarantine the file successfully so you will also have a corresponding Quarantine Success event.

Thank you for your explanation Matthew. Is there any secure way that I can prevent my AMP from reporting this type of notification?

Matthew Franks
Cisco Employee (Accepted Solution)

Considering it is a legitimate alert at the time it occurs, not really.  One potential I see is if you set up a script to use an event stream, look for events on the same hash and mark them as quarantined in your output.  You can find a starter script for event streams here.
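As an added illustration of the correlation suggested in the reply above (example code, not from the thread or from Cisco): events are grouped by host and SHA256, and any event that is followed by a Quarantine Success for the same pair is flagged as resolved, so only failures with no later success are left for an analyst. The sample events are constructed, and the field layout (event_type, date, computer.hostname, file.identity.sha256) is an assumption about the event-stream JSON.

```python
from collections import defaultdict
from datetime import datetime

QUARANTINE_SUCCESS = "Quarantine Success"
QUARANTINE_FAILURE = "Quarantine Failure"

# Constructed sample events. The field layout (event_type, date,
# computer.hostname, file.identity.sha256) is an assumption about the
# event-stream JSON, not taken from the thread; hashes are placeholders.
SAMPLE_EVENTS = [
    {"id": 1, "date": "2023-03-01T09:59:00+00:00", "event_type": "Threat Detected",
     "computer": {"hostname": "ws01"}, "file": {"identity": {"sha256": "a" * 64}}},
    {"id": 2, "date": "2023-03-01T10:00:00+00:00", "event_type": QUARANTINE_FAILURE,
     "computer": {"hostname": "ws01"}, "file": {"identity": {"sha256": "a" * 64}}},
    {"id": 3, "date": "2023-03-01T10:05:00+00:00", "event_type": QUARANTINE_SUCCESS,
     "computer": {"hostname": "ws01"}, "file": {"identity": {"sha256": "a" * 64}}},
    {"id": 4, "date": "2023-03-01T11:00:00+00:00", "event_type": QUARANTINE_FAILURE,
     "computer": {"hostname": "ws02"}, "file": {"identity": {"sha256": "b" * 64}}},
]

def _key(event):
    # Correlate on (host, sha256): the same hash on another host is a separate case.
    return event["computer"]["hostname"], event["file"]["identity"]["sha256"]

def _when(event):
    return datetime.fromisoformat(event["date"])

def annotate_quarantine_state(events):
    """Time-ordered copy of events with 'quarantined'/'resolved_at' filled in.
    Quarantined means a Quarantine Success for the same host/hash occurs at or
    after the event: the handle-held-then-released sequence the thread describes."""
    successes = defaultdict(list)
    for event in events:
        if event["event_type"] == QUARANTINE_SUCCESS:
            successes[_key(event)].append(_when(event))
    annotated = []
    for event in sorted(events, key=_when):
        later = [t for t in successes.get(_key(event), []) if t >= _when(event)]
        row = dict(event)
        row["quarantined"] = bool(later)
        row["resolved_at"] = min(later).isoformat() if later else None
        annotated.append(row)
    return annotated

def open_quarantine_failures(events):
    # Only failures never followed by a success still need an analyst.
    return [row for row in annotate_quarantine_state(events)
            if row["event_type"] == QUARANTINE_FAILURE and not row["quarantined"]]
```

Feeding the events consumed from the stream into open_quarantine_failures gives the list that still needs attention; the annotated rows keep the original alerts intact for the record.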

OK, thank you very much.