05-14-2016 08:33 PM - edited 02-20-2020 09:01 PM
Good day,
My question about Cisco AMP is about its ability to remove malware from endpoints, whether they be servers, PCs or mobile devices. AMP is able to detect, analyze and block malware, but if an endpoint is infected with malware, can it be removed from the client?
Also, if this is possible, can it be done with either AMP for Endpoints or AMP for the network, or only one of them?
Thanks
05-14-2016 08:53 PM
Hi
Yes, the network AMP detects/prevents malware at the network level. So if an endpoint is infected by malware, it needs an endpoint solution that can reside on it and can detect/prevent the malware.
The FireAMP endpoint client can do it and protect your endpoint clients as well while they are on the move or infected by malware.
You can get more information here.
http://www.cisco.com/c/dam/en/us/td/docs/security/sourcefire/fireamp/fireamp-cloud/FireAMPUserGuide.pdf
Rate if it helps.
Yogesh
05-14-2016 10:03 PM
Hmm, well yes, I know that it detects and prevents, but does it remove?
So for instance, if a client PC is infected with malware, can AMP remove it? If it can remove malware from client devices, then which AMP solution can do it? If not, then what Cisco solutions do provide that ability?
I browsed through the PDF document and saw that the FireAMP mobile connector is able to remove infected files after scanning the device.
Is FireAMP the same as AMP for Endpoints?
05-14-2016 11:02 PM
Hi Davion,
Yes, FireAMP is the same as AMP for Endpoints. There is no option to remove the file; it can quarantine the file so the malware can't do anything. Quarantined files are stored in a local folder, and it deletes the files when they are 30 days old.
05-16-2016 07:18 AM
Cool, understood, thanks for your help. I was doing some reading about FireAMP, and I saw that it can auto-remove malware. Will see if I can find the document where I saw that.
10-30-2017 06:46 PM
Looking for documentation that states that AMP will delete quarantined files after 30 days (for a customer). Appreciate your kind advice.
Cheers,
Hui Ping
11-20-2017 04:58 AM
I have an issue where Cisco AMP for Endpoint shows "Threat quarantine Successful"; however, when I browse to the location of the threat, I can still see the malware file existing and not deleted or moved by the quarantine process. Is this normal? I'm reluctant to execute the file to see if it works since it was flagged as malware.
11-20-2017 04:59 AM - edited 11-20-2017 05:00 AM
Oops, that was supposed to be for Cisco Support, not Davion.
04-02-2018 02:58 AM
Hi Team,
I have an on-premises Cisco Private Cloud to manage the AMP Points Connectors. I am facing an issue with malicious file detection: some malicious files are detected by VirusTotal, but the Cisco Endpoint connector is not detecting them.
Need your suggestions, please.
04-03-2018 12:34 AM
Hello Qamar,
If the disposition of the file has been marked as Malicious by the AMP engine, then it should be quarantined accordingly. Could you please try running a scan or submit the file to TG? If you find any difficulty with the same, please open a service request with TAC. In AMP, the detection will work based on the file dispositions marked by the AMP engine.
Regards
Jetsy