Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1607
Views
0
Helpful
3
Replies

Does Cisco Amp scan for rootkits?

kristina.robinson
Level 1
Level 1

‎12-14-2021 09:25 AM

My organization has Cisco Amp for endpoint protection. The question we have is whether Amp scans for rootkits? We are also seeing a very high number of executable files show up as potential threats. Does Amp flag all ".exe" files as threats? Excel spreadsheets and system files are also showing up as potential threats. Does Amp flag all .xlsx files and system files as potential threats as well?

Labels:
0 Helpful
3 Replies 3

Troja007
Cisco Employee
Cisco Employee

‎12-14-2021 10:15 AM

Hello @kristina.robinson ,
so let me try to answer your questions step-by-step

  • Rootkit Scan: Yes we do. There is an own OnDemand Scan available on the endpoint. Thought this has been already fixed in the console.
  • Potential Threats: What type of Events are shown exactly? And no, Secure Endpoint does not flag all .exe files as threats.
    All Engines also include "guardrails" to prevent False/Positves. 
  • File Scanning: The graphics below shows how Secure Endpoint protects against threats. For File Scanning the endpoint does several steps to detect malicious files. The Device Trajectory shows more information which engines processed a file and which engine triggered a detection. There are some aspects which have an impact on the detection. This can be the cache or configured exclusions.
    TME-SecureEndpoint-Engines Behavioral v2.png

So finally, Secure Endpoint does not mark executable code or office documents as threats. Especially system files, as we use the guardrails to prevent the system from false/positives. I would suggest to open a TAC case so someone takes a deeper look into your environment. Based on your description I cannot provide any reliable statement what is going on on your endpoint.

Greetings,
Thorsten 

0 Helpful

kristina.robinson
Level 1
Level 1
In response to Troja007

‎12-14-2021 11:18 AM

Hi!

So are you saying that when I run full scans in Amp, it is automatically checking for rootkits as well or is there a separate scan to run for rootkits?

0 Helpful

Troja007
Cisco Employee
Cisco Employee
In response to kristina.robinson

‎12-15-2021 12:18 AM

Hello @kristina.robinson ,
looks like there is an issue in the Console UI. So you can start a Rootkit scan on the endpoint, but not remotely from the console. You may check with TAC to get this solved.
Greetings,
Thorsten

0 Helpful
Customers Also Viewed These Support Documents