
Moving computer to new group automatically via a script - Cisco AMP for Endpoints

Rika P
Level 1

Dear Community and Cisco Support,

As part of the uninstallation of an existing antivirus product on over 2000 workstations, I would like to run a PowerShell script that moves the computer from Audit mode into Protect mode.

 

Is there any way to move an endpoint (computer) into a new group with a new policy - by running a (PowerShell) script on the endpoint?

 

I have tested a script in which I do the following in order:

  1. Stopping the service
  2. Replacing the old policy.xml file (in the AMP folder) with the policy.xml file from the Protect policy (downloaded beforehand)
  3. Overwriting the content of the local.xml file with "<config></config>" (since we use identity persistence and I want to ensure a fresh start)
  4. Starting the service again

However, the Connector always ends up putting the computer in the default (fallback) group, which uses the Audit policy, even though the correct policy.xml file was copied into the AMP folder.

How can I move the computer into a new group via a script?

 

 

(I am aware that I can use the API to move computers - but I want to make a script that can run as part of the uninstallation process and that does not require the API to be opened in allow-editing-mode.)

 

Thank you in advance for your help.

 

Best regards,

Rika

 

1 Reply

Jim2k
Level 1

In the AMP console, if you go to Accounts > Business, what is the default Product policy? I had a similar issue when testing a new group. It kept putting machines in the default Product policy defined under Business, even though I was installing the endpoint with the executable created from the test group.

 

Would the AV product that is uninstalling AMP be Trend Micro? That is what I am dealing with now.