
Cisco Endpoint - Policy Settings

jbailey2
Level 1

When setting the conviction modes in the policy settings of a computer, is there a guide on how each one affects the performance of the computer? That way we know when we turn them from disabled -> audit -> protect that it will have an impact on performance.

2 Replies

Troja007
Cisco Employee

Hello @jbailey2,
It is hard to give you a clear statement here, as it depends on the application activity on the endpoint and the endpoint configuration.
First, any file written to the disk or being executed gets hashed (SHA-256). After Secure Endpoint has hashed the file, a cache lookup is done. If there is a match, the whole detection/scanning sequence stops. After this, the File Scan engine scans the file. If there is no conviction, a cloud lookup is done. If there is still no result, all the other file-scan-related engines scan the file.

Therefore, even if you are in audit mode but a necessary exclusion is missing, the resource consumption is higher than having all engines active with the right exclusions.

Greetings, Thorsten
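
The scan sequence described in the reply above, as a simplified counting model that shows how much work a missing exclusion generates. This is an added example, not part of the original post and not Cisco's code. Assumptions: the `process` and `run` names, the paths and the workload are constructed, an exclusion is taken to skip a file before hashing, and the conviction mode is taken not to change which stages run.

```python
import hashlib
from collections import Counter
from fnmatch import fnmatch


def process(path, data, cache, stats, exclusions=(), cloud_known=frozenset()):
    """Count the work one file write/execute event causes, stage by stage."""
    # Assumption: a matching exclusion skips the file before it is hashed.
    if any(fnmatch(path, pattern) for pattern in exclusions):
        stats["excluded"] += 1
        return
    digest = hashlib.sha256(data).hexdigest()
    stats["hashed"] += 1
    if digest in cache:
        stats["cache_hit"] += 1          # a match stops the whole sequence
        return
    stats["file_scan_engine"] += 1       # this model never convicts locally
    stats["cloud_lookup"] += 1
    if digest not in cloud_known:        # still no result
        stats["other_engines"] += 1
    cache.add(digest)


def run(events, exclusions=(), cloud_known=frozenset()):
    """Replay (path, bytes) events and return per-stage counters."""
    cache, stats = set(), Counter()
    for path, data in events:
        process(path, data, cache, stats, exclusions, cloud_known)
    return stats


# Constructed workload: 200 unique temp files from one application,
# plus the same executable content seen 50 times.
EVENTS = [(f"/opt/app/tmp/job-{i}.dat", f"payload {i}".encode()) for i in range(200)]
EVENTS += [("/usr/bin/tool", b"static binary bytes")] * 50

if __name__ == "__main__":
    print("no exclusion  :", dict(run(EVENTS)))
    print("with exclusion:", dict(run(EVENTS, ["/opt/app/tmp/*"])))
```

Files with unique content never hit the cache, so without the exclusion every one of them passes through every stage, while the repeated file is scanned once and served from the cache afterwards.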

yumewang
Cisco Employee

Hello @jbailey2 

It will depend on your environment. So the suggestion is to first change conviction modes from "disable" to "audit" and monitor. If there's no performance issue then you can change some conviction modes to "protect" and keep monitoring.

Here's a guide that contains best practices for workstations.

You can continuously adjust and test your environment until your configuration meets best practices.

- Secure Endpoint Best Practices Guide -> Policy settings: Workstation

You can also learn more about Endpoint Security through our live Ask the Experts (ATXs) sessions. Check out Cisco Endpoint Security ATXs Resources [https://community.cisco.com/t5/security-knowledge-base/cisco-endpoint-security-ask-the-experts-resources/ta-p/4394492] to view the latest schedule for upcoming sessions, as well as useful references, e.g. online guides and FAQs.