
Remove detected items in AMP

Hello all,

I ran a full scan in AMP for a client and it returned the below message:

Scanned 244494 files, 109 processes, 37615 paths. Found 2 malicious items.

When I expand the event, I cannot see these malicious items.

After the "Scan Started" event it has quarantined 2 malware items. Are these 2 events the malicious items mentioned in the summary?

Thank you

7 Replies

Wojciech Cecot
Cisco Employee

Hello Sir,

Yes, most probably those will be the files from the full scan. Let me share an example from the lab:

Screenshot 2019-04-24 at 13.28.52.png

There is also another way: you can look for a specific file in Device Trajectory (from the Events section), for example:

Screenshot 2019-04-24 at 13.32.47.png

It will show details with the information "Detected (...) during a full scan.":

Screenshot 2019-04-24 at 13.34.13.png

Hope that helps,

Wojciech

Hello Wojciech,

I have the exact same output. Thank you for your response!

I would like to ask you something more.

I have noticed that AMP raises events at the exact same time, for the same file (malware, trojan, etc.), with 2 different statuses (Quarantine: Failed, Quarantine: Successful) for the same user.

Below is an example:

Capture.PNG

How should I treat such events? Has it quarantined the file or not?

NOTE: I have also noticed that AMP may raise many Quarantine: Failed events for a file and one (or none) Quarantine: Successful.

Thank you,

Giannis

Hello Giannis,

You are welcome. Regarding your other query, that is quite common. The reasons AMP could not quarantine may be:
- another process (maybe another AV) had already moved the file from that location,
- a permission issue, where another process or AV had stopped AMP from getting a handle on that file,
- sometimes there is a follow-up Quarantine: Successful event (your case) after a Quarantine: Failed event, which means that some other process had a handle on that file before.

The Quarantine: Failed event just happened to appear above the successful one (most probably because of sorting, since both have the same timestamp). However, the successful quarantine would indicate that the file was quarantined properly.

--Wojciech
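The triage rule described in the reply above (a Failed event is superseded when a Successful event exists for the same file on the same host, and the console's ordering of equal timestamps carries no meaning) can be applied automatically to exported events. The following is an added example, not Cisco's code or the AMP API; the event records are constructed and the field names (`timestamp`, `host`, `sha256`, `path`, `event`) are assumptions rather than the console's real export schema.

```python
from collections import defaultdict

# Constructed sample events (not real AMP output; field names are assumptions).
# File sha-A on PC-01 shows the same-timestamp Failed/Successful pair from the
# thread; file sha-B only ever reports Failed and needs manual follow-up.
SAMPLE_EVENTS = [
    {"timestamp": "2019-04-24T13:30:00", "host": "PC-01", "sha256": "sha-A",
     "path": r"C:\Users\giannis\Downloads\a.exe", "event": "Quarantine: Failed"},
    {"timestamp": "2019-04-24T13:30:00", "host": "PC-01", "sha256": "sha-A",
     "path": r"C:\Users\giannis\Downloads\a.exe", "event": "Quarantine: Successful"},
    {"timestamp": "2019-04-24T13:31:10", "host": "PC-01", "sha256": "sha-B",
     "path": r"C:\Temp\b.dll", "event": "Quarantine: Failed"},
    {"timestamp": "2019-04-24T13:31:12", "host": "PC-01", "sha256": "sha-B",
     "path": r"C:\Temp\b.dll", "event": "Quarantine: Failed"},
    {"timestamp": "2019-04-24T13:40:00", "host": "PC-02", "sha256": "sha-A",
     "path": r"C:\Users\maria\a.exe", "event": "Quarantine: Successful"},
]

SUCCESS = "Quarantine: Successful"
FAILED = "Quarantine: Failed"


def triage_quarantine_events(events):
    """Group events per (host, sha256) and decide whether each file ended up
    quarantined. Failed events are treated as superseded when any Successful
    event exists for the same file on the same host; otherwise the file is
    unresolved. Returns (quarantined, unresolved), both keyed by (host, sha256)."""
    by_file = defaultdict(list)
    for ev in events:
        by_file[(ev["host"], ev["sha256"])].append(ev)

    quarantined, unresolved = {}, {}
    for key, evs in by_file.items():
        # Sort by our own timestamp; the console's order for equal timestamps
        # is just display sorting, not a sequence of outcomes.
        evs.sort(key=lambda ev: ev["timestamp"])
        failures = [ev for ev in evs if ev["event"] == FAILED]
        successes = [ev for ev in evs if ev["event"] == SUCCESS]
        summary = {"path": evs[-1]["path"], "failed_attempts": len(failures),
                   "last_event": evs[-1]["timestamp"]}
        if successes:
            quarantined[key] = summary
        elif failures:
            unresolved[key] = summary  # never reached Successful: check manually
    return quarantined, unresolved


if __name__ == "__main__":
    done, pending = triage_quarantine_events(SAMPLE_EVENTS)
    for key, info in pending.items():
        print("UNRESOLVED", key, info)
```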

Hello Wojciech,

Sorry for reopening this case, but I have a question that fits in this conversation.

I tried to manually delete the quarantined files from C:\Program Files\Cisco\AMP\Quarantine but I couldn't due to access permissions, even though I was logged in as admin.

Do you know why this is happening?

Is there any way to manually delete the quarantined files, or to do it from the management console?

Regards,

Giannis

Giannis,

You'll need to stop the service before you can delete the files.

Thanks,

Matt

@Wojciech Cecot: So how can we find out which Quarantine: Failed event is really failed? Since it may include the entries which are already quarantined.
