Hello @RoberSamir00332,
there many different ways Cisco Secure Endpoint takes action on Malware.
- Starting with traditional File scanning, File scanning for Scripts (AMSI integration), Malware Grouping, Machine Learning, where the Endpoint quarantines a file and also stops a running process.
- There are other engines, which are protecting the memory like ExPloit Prevention and System Process Protection. These engines protect against memory based attacks.
- Behavioral Protection Engine is the newes enhancement on the endpoint. It detects and blocks complex malicious behavior on the endpoint. The engines uses am expressive event pattern matching language designed by Cisco.
- Cloud IOCs: The endpoint sends file, network, process and command line activity to the backend. This data is processed back for 7 days. The result is a Cloud IOC or a retrospective detection.
- Based on Cloud IOCs, there are automated Post Infection Tasks available, like isolating the endpoint from the network.
Maybe useful, the screenshot compares the difference between a Cloud IOC from the Backend and a Behavioral Protecton Event.
Greetings,
Thorsten
