Scan multiple endpoints at once

larry.siegelman
Level 1

Hello,

How may I initiate a scan on multiple endpoints at once?

They are are dispersed and not on one specific network.

4 Replies

David Janulik
Cisco Employee

A traditional scan is no longer needed. Each file's SHA is compared against Threat Intelligence. If for some reason you still want a scan, use Flash scan. Go to the Secure Endpoint console, Outbreak Control > Initiate Scan, "Select a policy", and make sure you tick Flash scan.

Cyber security escalation engineer

Troja007
Cisco Employee

Hello @larry.siegelman ,
sorry to say, Secure Endpoint does not allow manually triggered bulk actions for computers. Doing an OdScan on a regular basis may make sense, as there is no Cloud Lookup done for every available file type. I agree with @David Janulik's statement when talking about PE files, as we are actively processing the endpoint telemetry 7 days back in the backend. Non-PE files, if not touched by another process, can only be removed with an OdScan. Finally, this can result in a longer discussion.

Today we are focusing on a lot of other technologies to detect and block complex attack scenarios; some examples: 

  • Behavioral Protection is able to detect and block such complex scenarios by analysing an event stream including file activity, network activity, user API calls, driver messages, registry activity and more. This approach also provides real-time blocks for fileless attacks.
  • Behavioral Protection Neutral Events: There are situations where BPW may detect some behaviour which may be interesting to expand the threat context during a threat hunt. So we generate information from this engine and show it in the Device Trajectory.
  • Script Protection and BPE: Script Protection already scans files which have been executed by a Microsoft script interpreter. With the new enhancements, Script Protection takes the buffer from AMSI and starts its own BPE engine instance to analyse the content. For this feature, the BPE update includes new special signatures.
  • Exploit Prevention v5: The recent release includes several improvements.

There will be more security features in the future. Finally, when looking at the relevance of the file scanning engines available in Secure Endpoint to different types of testing, the following values may be interesting (values are from 3rd-party testing with Secure Endpoint) and show why we focus on these advanced detection mechanisms. All values are approximate and change a little with each test.

  • EPP/Files: 35% AV, 33% Cloud Lookups, 32% other technologies
  • EPP/Dynamic Code: 30% AV, 34% Script Protection, 5% Cloud Lookups, 7% BPE, 12% Retrospection, 12% other technologies
  • EDR/Fileless: 20% AV (Linux/Win), 38% BPE, 13% CloudIOC, 21% Orbital, 8% other technologies.

From my point of view, a regular OdScan still makes sense, as you can scan areas of the endpoint which cannot be scanned on access. I fully agree this is a quick test, just to check if there is something malicious on the endpoint. Some checks can simply be done with Orbital, as Orbital queries Cisco Security APIs to enrich the query result.

If bulk actions are essential for you, please reach out to your Cisco representative to open an FR for you.

Greetings, Thorsten

Hi Thorsten,

Okay, thanks.
Then if multiple scans are not possible, what about multiple push-updates?
I set a new policy and want it out now.
Is this possible?

Hello @larry.siegelman ,
to do so, we would need some kind of on-premise component OR a huge change in the architecture, where Secure Endpoint would hold a static connection to the cloud. Without such a component/feature, every one of your endpoints would need to have a public IP and the firewall opened for all endpoints.

Just being curious, what is the use case where you need a policy immediately being enforced on the endpoint(s)?

Greetings, Thorsten