2425 Views · 11 Helpful · 7 Replies

How does Cisco AMP Endpoint take action?

RoberSamir00332 (Level 1)

Hi All;

I want to know how Cisco AMP Endpoint takes action when it detects malware on the PC.

Regards;

Rober

2 Accepted Solutions

Troja007 (Cisco Employee)

Hello @RoberSamir00332,
there are many different ways Cisco Secure Endpoint takes action on malware.

  1. Starting with traditional file scanning, file scanning for scripts (AMSI integration), Malware Grouping, and Machine Learning, where the endpoint quarantines a file and also stops a running process.
  2. There are other engines which protect the memory, like Exploit Prevention and System Process Protection. These engines protect against memory-based attacks.
  3. The Behavioral Protection Engine is the newest enhancement on the endpoint. It detects and blocks complex malicious behavior on the endpoint. The engine uses an expressive event pattern matching language designed by Cisco.
  4. Cloud IOCs: The endpoint sends file, network, process and command line activity to the backend. This data is processed back for 7 days. The result is a Cloud IOC or a retrospective detection.
  5. Based on Cloud IOCs, there are automated Post Infection Tasks available, like isolating the endpoint from the network.

Maybe useful: the screenshot compares the difference between a Cloud IOC from the backend and a Behavioral Protection event.

[Image: CloudIOC vs BPE Detection.png]

 

Greetings,
Thorsten

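The Cloud IOC and retrospective detection flow in items 4 and 5 of the answer above, as an added example that is not from the original post and is not Cisco code: a small Python model of a backend that retains seven days of endpoint telemetry, re-evaluates that telemetry when a file hash's disposition later flips to malicious, raises a retrospective detection for every host that saw the hash inside the window, and queues network isolation as the post-infection task. The hosts, hashes, events, retention constant and isolation action are all constructed for illustration; the real product's telemetry schema and its pattern matching language are not modelled.

```python
"""Toy model of retrospective ("Cloud IOC") detection over a 7-day telemetry window.

Constructed example, not Cisco Secure Endpoint code. An endpoint reports file,
process, network and command-line events to a backend. When a hash's verdict later
changes to "malicious", the backend looks back over the retained events, raises a
retrospective detection per affected host, and queues a post-infection task.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

RETENTION = timedelta(days=7)  # look-back window described in the answer (assumed fixed here)


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    kind: str      # "file", "process", "network" or "cmdline"
    sha256: str    # hash of the file involved ("" for pure network events)
    detail: str    # path, command line or destination


@dataclass
class Detection:
    host: str
    sha256: str
    first_seen: datetime
    events: list = field(default_factory=list)


class Backend:
    """Hypothetical backend: retains telemetry and re-evaluates it on verdict changes."""

    def __init__(self):
        self.events: list[Event] = []
        self.disposition: dict[str, str] = {}  # sha256 -> "unknown" | "clean" | "malicious"
        self.isolated: set[str] = set()

    def ingest(self, ev: Event) -> None:
        self.events.append(ev)

    def prune(self, now: datetime) -> None:
        # Events older than the retention window can no longer be revisited.
        cutoff = now - RETENTION
        self.events = [e for e in self.events if e.ts >= cutoff]

    def update_disposition(self, sha256: str, verdict: str, now: datetime) -> list[Detection]:
        """Record a new verdict; on a flip to malicious, look back over retained telemetry."""
        previous = self.disposition.get(sha256, "unknown")
        self.disposition[sha256] = verdict
        if verdict != "malicious" or previous == "malicious":
            return []  # nothing to revisit, or already handled
        self.prune(now)
        by_host = defaultdict(list)
        for e in self.events:
            if e.sha256 == sha256:
                by_host[e.host].append(e)
        detections = []
        for host, evs in by_host.items():
            evs.sort(key=lambda e: e.ts)
            detections.append(Detection(host, sha256, evs[0].ts, evs))
        return detections

    def post_infection_tasks(self, detections: list[Detection]) -> list[str]:
        """Automated response: isolate each affected host from the network, once."""
        actions = []
        for d in detections:
            if d.host not in self.isolated:
                self.isolated.add(d.host)
                actions.append(f"isolate {d.host}")
        return actions


NOW = datetime(2025, 3, 5, 12, 0)  # constructed "current time"
BAD = "a" * 64                      # constructed hash that is later judged malicious

SAMPLE_EVENTS = [  # constructed telemetry, not real endpoint data
    Event(NOW - timedelta(days=3), "host-A", "process", BAD, r"C:\Users\alice\invoice.exe"),
    Event(NOW - timedelta(days=3), "host-A", "cmdline", BAD, "invoice.exe --silent"),
    Event(NOW - timedelta(days=10), "host-B", "process", BAD, r"C:\temp\invoice.exe"),  # outside window
    Event(NOW - timedelta(days=1), "host-C", "file", BAD, r"C:\Downloads\invoice.exe"),
    Event(NOW - timedelta(hours=2), "host-C", "network", "", "203.0.113.7:443"),       # unrelated
]


def run_scenario():
    """Hash is unknown when first seen; four days later the verdict flips to malicious."""
    backend = Backend()
    for ev in SAMPLE_EVENTS:
        backend.ingest(ev)
    backend.update_disposition(BAD, "unknown", NOW - timedelta(days=4))
    detections = backend.update_disposition(BAD, "malicious", NOW)
    actions = backend.post_infection_tasks(detections)
    return detections, actions


if __name__ == "__main__":
    dets, acts = run_scenario()
    for d in dets:
        print(f"retrospective detection: {d.host} first saw {d.sha256[:8]}... at {d.first_seen} ({len(d.events)} events)")
    print("post-infection tasks:", acts)
```

host-B also ran the file, but its sighting is older than the retention window, so no retrospective detection is raised for it; that is the practical cost of a bounded look-back and the reason the isolation task is tied to what the backend can still see.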

Hello Ken,
TDM = Technical Decision Maker Presentation.
Cheers,
Thorsten

[Image: Troja007_0-1741207589023.png]

 


7 Replies


A very interesting answer. Thanks.

Troja007 (Cisco Employee)

Hello all, the new TDM includes the drawing above and much more...

TDM ???

Hi Ken, I think Cisco Secure Endpoint "TDM" refers to the threat detection and management capabilities within the Cisco Secure Endpoint platform. Don't like acronyms either; they change all the time.
