06-16-2016 07:52 AM - edited 02-20-2020 09:01 PM
I’m preparing a number of PoVs on AMP4E and wonder how exclusions should be handled. According to the user guide (and the training I have received) exclusions must be made on both AMP and the antivirus. It all makes sense.
Nevertheless, I’m running AMP4E on my corporate laptop with Windows 7 and TrendMicro OfficeScan. The AMP connector is version 4.4.0.10186 with exclusions for TrendMicro OfficeScan. No exclusions on the TrendMicro OfficeScan side were made for AMP. I’ve installed AMP under similar conditions for testing. Some of the AMP connectors are running in Audit mode, others in Protect mode, but they are all running with no problems at all.
What is the reason for this? Are exclusions on the antivirus only required when using specific antivirus vendors (the user guide talks about McAfee, Symantec and Microsoft Security Essentials), or have I done something wrong?
07-06-2016 12:07 PM
Finn,
I recommend you check out this AMP forum in the Cisco Support Community for more information and feedback.
https://supportforums.cisco.com/community/12249516/advanced-malware-protection-amp
I hope this helps.
Kelli Glass
Moderator for Cisco Customer Communities
07-27-2016 12:51 AM
Thanks. I will look for an answer there.
08-03-2016 08:11 PM
Hi Finn,
One of the common things we see is anti-virus or other endpoint security software performing functions on a suspicious file, e.g. quarantine. Unless exclusions are defined on each software, you will potentially have a race condition and recursion: Software A will quarantine a file into Directory A, Software B will pick this up and quarantine the file that was in Directory A into its own quarantine Directory B, and it goes into a bit of a loop chewing up resources. I have heard that endpoint security signature definition files may sometimes trigger alerts on another tool depending on how they analyze the file. It is recommended to always add exclusions for all potentially conflicting software applications.
best regards,
Shyue Hong
10-16-2018 12:55 AM
Hello,
there have been many changes around the AMP connector, also in the exclusion handling. Finally, if you have more than one security product installed on your endpoint, it is always necessary to make the right exclusions. This means Security Product A should include exclusions for Security Product B.
The problem arises when two products want to inspect something on the disk or in memory. This often ends in conflicts, which can be avoided with the right exclusions.
Cheers
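The quarantine ping-pong described in the two replies above (Software A quarantines into Directory A, Software B re-quarantines from there, and so on), and the rule that each product must exclude the other, can be made concrete with a small model. The following is an added example, not code from the thread or from any Cisco or Trend Micro product: two hypothetical scanners with constructed install and quarantine paths, a check that reports which of the other product's paths each scanner fails to exclude, and a bounded simulation showing that the loop only terminates when the exclusions are mutual.

```python
"""Model of two endpoint security products fighting over one quarantined file.

All product names and paths below are constructed for illustration; they are
not real vendor install or quarantine locations.
"""
from dataclasses import dataclass, field


def _under(path: str, prefix: str) -> bool:
    """True if `path` equals `prefix` or lies inside the `prefix` directory."""
    path, prefix = path.rstrip("/"), prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


@dataclass
class Scanner:
    """One security product: where it lives, where it quarantines, what it skips."""
    name: str
    install_dir: str
    quarantine_dir: str
    exclusions: set = field(default_factory=set)  # path prefixes it will not inspect

    def own_paths(self) -> set:
        # The paths the *other* product needs to exclude for this one.
        return {self.install_dir, self.quarantine_dir}

    def excluded(self, path: str) -> bool:
        return any(_under(path, p) for p in self.exclusions)


def exclusion_gaps(scanners: list) -> dict:
    """For each scanner, the other products' paths it does NOT exclude (empty = OK)."""
    gaps = {}
    for s in scanners:
        missing = set()
        for other in scanners:
            if other is not s:
                missing |= {p for p in other.own_paths() if not s.excluded(p)}
        gaps[s.name] = missing
    return gaps


def simulate_quarantine(scanners: list, files: set, max_rounds: int = 20):
    """Let each scanner act in turn; return (moves, settled, final_files).

    A file is 'suspicious' if its name says so (constructed detection rule).
    A scanner re-quarantines any suspicious file it is allowed to inspect,
    unless the file already sits in its own quarantine directory.
    `settled` is False when the loop is still running after max_rounds.
    """
    files = set(files)
    moves = 0
    for _ in range(max_rounds):
        moved = False
        for s in scanners:
            for f in sorted(files):
                if s.excluded(f) or _under(f, s.quarantine_dir):
                    continue
                if "suspicious" in f.rsplit("/", 1)[-1]:
                    files.remove(f)
                    files.add(f"{s.quarantine_dir}/{f.rsplit('/', 1)[-1]}")
                    moves += 1
                    moved = True
        if not moved:
            return moves, True, files
    return moves, False, files


def demo(mutual_exclusions: bool):
    """Build the two-product scenario with or without mutual exclusions."""
    a = Scanner("ProductA", "/opt/product_a", "/var/quarantine/a")
    b = Scanner("ProductB", "/opt/product_b", "/var/quarantine/b")
    if mutual_exclusions:
        a.exclusions = b.own_paths()
        b.exclusions = a.own_paths()
    scanners = [a, b]
    gaps = exclusion_gaps(scanners)
    moves, settled, files = simulate_quarantine(scanners, {"/home/user/suspicious.bin"})
    return gaps, moves, settled, files


if __name__ == "__main__":
    for mutual in (False, True):
        gaps, moves, settled, files = demo(mutual)
        print(f"mutual exclusions={mutual}: gaps={gaps}, moves={moves}, settled={settled}")
```

Without exclusions the single file is moved twice per round and the simulation hits its round limit without settling; with each product excluding the other's install and quarantine directories, the first scanner quarantines the file once and the second leaves it alone. The `exclusion_gaps` check is the part worth keeping in a deployment checklist: run it over the real paths of every security product on the endpoint and expect an empty set for each.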