FireAMP for servers?

mtomandl1
Level 1

We are thinking of updating to the newest release of FireAMP (or Cisco Advanced Malware Protection for Endpoints as it's called now) and deploying across more systems than we currently have it on. The team who ran the PoC on this last year isn't around anymore so I thought I'd ask the source.

FireAMP has on-access file scanning turned on right now, and that's appropriate for desktop systems, but my management is wondering about deploying this across thousands of Windows servers too. Does Cisco recommend enabling this feature in a production datacenter? If so, how can we mitigate its enormous CPU impact when there are lots of filesystem changes happening?

4 Replies

adhogan
Level 1

There's a pretty minimal CPU hit to running AMP. Especially given the local cache. The only difference for installing on servers is that we typically recommend turning off network monitoring. 

Thanks for the reply!

I just learned what the purpose of our installation in the datacenter is going to be: we are using this for file-level change monitoring, similar to Tripwire. The thought being that with this software, we don't need to maintain a team just to follow up on alerts to filesystem changes like Tripwire requires... Because the cloud solves everything! Is this the software that you'd recommend installing across 150,000+ servers in our enterprise for this? Or is there another software or service that would be more appropriate?

I'm worried about this affecting the SLA of our software installed on the servers, plus the fact that this doesn't have any performance monitoring and automatic remediation built in for if it does cause an incident. And it requires a reboot to update. And we're going to need to maintain thousands of different blacklists for which directories need to be ignored from the monitoring.

...Or am I worrying over nothing? I've been bitten by anti-virus on-access scanning in the past, but that was years ago.

To be clear, AMP does not report on file changes. Each time a file changes, AMP will check to see if it's malware. If it's malware it will block it. It will tell you how that malware runs, give you all the data you need to do breach hunting and control an outbreak. But it's not going to alert for a generic change of a file. 

Yes, the endpoint needs to reboot to update. On Windows, not Mac. It's an OS thing. But you don't need to update that often. Because it's cloud based it's not like there's a virus definition database or anything. You update the endpoint really just when there are new features, maybe the occasional bug fix. Most people update every 6-12 months. 

I don't think you'll need a thousand different exception lists. Most deployments I see have a list for servers, a list for Windows desktop, and a list for Mac desktops. Maybe another for their development or engineering team. 

Farhan Mohamed
Cisco Employee
