Signature Set Update and Component Download

mandrews
Level 1

Good day,


I'm still learning this product, but I was curious about the Signature Set Update and Component Download (Failure/Success) events. Can someone break down exactly what happens with these events?


Thank you,

Maurice

6 Replies

johnosn
Level 1

Hello Maurice,

There were six event types that were added into Cisco Secure Endpoint with the Behavior Protection engine (see code block below). Since the Behavior Protection engine runs "on-box" to provide real-time protection (and not in the AMP cloud like the Cloud IOCs which are detect only) it needs to know what to alert on. The four events that you are referring to are the updating of the content used by the Behavior Protection engine. I think that the signatures can be found in "C:\Program Files\Cisco\AMP\apde\apde.sigs" and the components are in "C:\Program Files\Cisco\AMP\apde\amsi\apde.sigs", but I could be mistaken on that.

```json
{
    "version": "v1.2.0",
    "metadata": {
        "links": {
            "self": "https://api.amp.cisco.com/v1/event_types"
        },
        "results": {
            "total": 6
        }
    },
    "data": [
        {
            "id": 553648222,
            "name": "Threat Detection",
            "description": "A Behavioral Protection signature has been triggered due to events on the endpoint meeting its criteria"
        },
        {
            "id": 2164260955,
            "name": "Component Download Failure",
            "description": "Component download failed"
        },
        {
            "id": 553648218,
            "name": "Component Download Success",
            "description": "Component downloaded"
        },
        {
            "id": 2164260957,
            "name": "Signature Set Update Failure",
            "description": "Signature set update failed"
        },
        {
            "id": 553648220,
            "name": "Signature Set Update Success",
            "description": "Signature set updated"
        },
        {
            "id": 553648225,
            "name": "Fileless Threat Blocked",
            "description": "A Script Protection signature has been triggered due to a script execution meeting its criteria"
        }
    ]
}
```
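An added example, not code from this thread or from Cisco, showing one defensive use of the event type list above: map the ids to names, then work out per endpoint whether its most recent Behavior Protection signature and component updates succeeded, so hosts running on stale content can be spotted. The event feed entries are constructed sample data, and the `event_type_id`, `date` and `computer.hostname` field names are assumptions.

```python
import json

# Event type list as posted above, trimmed to the two fields used here.
EVENT_TYPES_JSON = """
{"data": [
  {"id": 553648222,  "name": "Threat Detection"},
  {"id": 2164260955, "name": "Component Download Failure"},
  {"id": 553648218,  "name": "Component Download Success"},
  {"id": 2164260957, "name": "Signature Set Update Failure"},
  {"id": 553648220,  "name": "Signature Set Update Success"},
  {"id": 553648225,  "name": "Fileless Threat Blocked"}
]}
"""

# Constructed sample events; the field names are assumed, not taken from the thread.
SAMPLE_EVENTS = [
    {"date": "2022-06-01T08:01:00Z", "event_type_id": 2164260957, "computer": {"hostname": "vdi-01"}},
    {"date": "2022-06-01T08:02:00Z", "event_type_id": 553648218,  "computer": {"hostname": "vdi-01"}},
    {"date": "2022-06-01T08:05:00Z", "event_type_id": 2164260957, "computer": {"hostname": "vdi-01"}},
    {"date": "2022-06-01T08:06:00Z", "event_type_id": 2164260955, "computer": {"hostname": "vdi-02"}},
    {"date": "2022-06-01T08:07:00Z", "event_type_id": 553648220,  "computer": {"hostname": "vdi-02"}},
    {"date": "2022-06-01T08:10:00Z", "event_type_id": 553648218,  "computer": {"hostname": "vdi-02"}},
    {"date": "2022-06-01T09:00:00Z", "event_type_id": 553648222,  "computer": {"hostname": "vdi-03"}},
]

def load_event_types(raw):
    """Return {event_type_id: name} from an event_types response body."""
    return {e["id"]: e["name"] for e in json.loads(raw)["data"]}

def content_status(events, types):
    """Outcome of each host's most recent attempt per content kind.

    Returns {hostname: {"Signature Set Update": "Success"|"Failure",
                        "Component Download": "Success"|"Failure"}}.
    Hosts with no update events at all are absent from the result.
    """
    latest = {}
    for ev in sorted(events, key=lambda e: e["date"]):
        name = types.get(ev["event_type_id"], "")
        kind, _, outcome = name.rpartition(" ")   # "Signature Set Update", "Failure"
        if kind not in ("Signature Set Update", "Component Download"):
            continue
        latest.setdefault(ev["computer"]["hostname"], {})[kind] = outcome
    return latest

def stale_hosts(events, types):
    """Hosts whose last signature or component update attempt failed."""
    return sorted(h for h, st in content_status(events, types).items()
                  if "Failure" in st.values())

if __name__ == "__main__":
    print(stale_hosts(SAMPLE_EVENTS, load_event_types(EVENT_TYPES_JSON)))
```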


Thanks for the reply! I figured that it was probably AV signature updates, but I wasn't sure (still kind of not) what the component download was for.

Do you know what they mean by "component?"

Hey @mandrews,

In this post by @Troja007 the second image shows the functionality of the Behavior Protection engine. You will notice that there are two engines listed in the `BPE` section. There is Engine Instance [APDE-BP] and Engine Instance [APDE-AMSI]. The "signatures" are used by Engine Instance [APDE-BP] and the "components" are used by Engine Instance [APDE-AMSI].

They both are, for lack of a better term, "behavioral patterns" to alert on for the two engines inside of Behavioral Protection.

That is just my understanding based on how I see it operating, I have not seen any official documentation released to customers that explicitly states that is the case.

You're the real MVP man! Cisco needs to put you on their payroll! Thanks for the information. I'm slowly tuning Secure Endpoint for the VDI environment, and it's still a heavy weight on it. My assumption was that it was potentially whatever engine is calling for those signature and component updates almost every login since they're non-persistent machines. I don't want to turn this engine off, but it appears to be a heavy burden on those machines.

For your non-persistent VDI environment have you looked at Cisco's "Secure Endpoint Best Practices Guide Appendix-B"?

For some of our lower performance VDI systems we have been testing with the removal of the network monitoring components in Cisco Secure Endpoint.

See the Secure Endpoint User Guide (May 6, 2022) pages 108-9 (for installing Secure Endpoint without the dfc driver) and page 123 (for the impact of doing so on Behavior Protection).

You will have to make sure that your policy has the network engine disabled.


And the last piece of turning down the network monitoring would be to disable the "Monitor network drive" option for Malicious Activity Protection.

That is something that we are testing out to improve VDI performance; there is no guarantee that it will help in your situation.