01-25-2023 08:00 AM
Does anyone run scheduled full scans on their endpoints at night? Are full scans tied to retrospective detections?
01-27-2023 05:51 AM
Hello @DMontalbano ,
full scans on the endpoint and retrospective detections are completely different features.
Greetings, Thorsten
01-26-2023 07:47 AM - edited 01-26-2023 07:49 AM
Well, not necessarily. If the file was previously seen on the endpoint and there is a retrospective detection, in other words if a previously clean file is now condemned as malicious, a retrospective quarantine will happen at the next heartbeat.
Furthermore, on full scans, here is something you might want to consider...
As per the AMP for Endpoints User Guide (linked below), here are a couple of highlights that you might want to consider.
- https://docs.amp.cisco.com/en/SecureEndpoint/Secure%20Endpoint%20User%20Guide.pdf
"A full scan will scan the processes running, the registry entries, and all the files on disk. This scan is very resource-intensive and should not be performed on a regular basis."
"WARNING! Running a full Endpoint IOC scan is time consuming and resource intensive. On endpoints with a large number of files, a full scan can take multiple days to run. You should only schedule full scans during periods of inactivity, such as at night or on weekends. The first time you run a full scan on a Connector, the system will be catalogued, which will take longer than a regular full scan"
Full Scan: Scans the entire computer including all attached storage devices (such as USB drives). This scan can be time-consuming and resource-intensive, so should only be performed once when the connector is first installed
Both Flash Scan and Full Scan check the following information:
Full Scan adds the following:
The Endpoint IOC (indication of compromise) feature is a powerful incident response tool for scanning of post-compromise indicators across multiple computers. Endpoint IOCs are imported through the console from open IOC-based files that are written to trigger on file properties, such as name, size, hash, and other attributes, and system properties, such as process information, running services, and Windows Registry entries.
The Endpoint IOC scanner is available in Secure Endpoint Windows connector versions 4 and higher. Running Endpoint IOC scans may require up to 1 GB of free drive space.
WARNING! Running a full Endpoint IOC scan is time consuming and resource intensive. On endpoints with a large number of files, a full scan can take multiple days to run. You should only schedule full scans during periods of inactivity, such as at night or on weekends. The first time you run a full scan on a connector, the system will be cataloged, which will take longer than a regular full scan.
If you select a full scan, you can also choose whether to do a full catalog before the scan, catalog only the changes since the last scan (only available on Secure Endpoint Windows connector 4.4 and higher), or run the scan without cataloging. A full catalog will take the most time to complete, and running the scan without a catalog will take the least amount of time. If you choose to only catalog changes, then only changes to the filesystem since the last full catalog will be cataloged. The amount of time this scan takes will vary based on the number of changes to catalog.
IMPORTANT! If you have not performed a full catalog on a computer yet and choose not to catalog before the scan then nothing will be scanned.
Scheduled Scans
When a scheduled scan runs, the AMP console sends a query to the connector; when the connector receives the query, it performs the scan. However, if the connector doesn't receive the query, the scan doesn't run and will retry at the next scheduled event.
This is why we suggest to customers that they run the scheduled scans while the users are working but the device doesn't have a lot of payload, for example on Friday at the end of the day.
Now, it is completely your choice whether you want to schedule the scans in the policies, but scheduled scans are not necessary for the operation of the AMP for Endpoints Connector, because files are reviewed as they are copied, moved, and executed. Files are also reviewed again for 7 days using Retrospective. This allows companies to reduce their energy footprint by eliminating the need for scheduled scans.
Hope this helps...
01-26-2023 08:59 AM
Thank you for that information.
01-26-2023 08:44 AM
We don't run full scans nightly; we do run them on workstations where something pops up, whether it's from a Cognitive detection or a retro from AMP or Email, sort of as a "just in case" sweep.
01-26-2023 09:00 AM
Thanks. We may switch to full scans on a weekly basis or possibly eliminate them altogether.