
Using exclusions in AMP For Endpoint.

f.villadsen
Level 1

I’m preparing a number of PoVs on AMP4E and wonder how exclusions should be handled. According to the user guide (and the training I have received), exclusions must be made on both AMP and the antivirus. It all makes sense.

Nevertheless, I’m running AMP4E on my corporate laptop with Windows 7 and TrendMicro OfficeScan. The AMP connector is version 4.4.0.10186, with exclusions for TrendMicro OfficeScan. No exclusions have been made on the TrendMicro OfficeScan side for AMP. I’ve installed AMP under similar conditions for testing. Some of the AMP connectors are running in Audit mode, others in Protect mode, but they are all running with no problems at all.

What is the reason for this? Are exclusions on the antivirus only required when using specific antivirus vendors (the user guide talks about McAfee, Symantec and Microsoft Security Essentials), or have I done something wrong?

4 Replies

keglass
Level 7

Finn,

I recommend you check out this AMP forum in the Cisco Support Community for more information and feedback.

https://supportforums.cisco.com/community/12249516/advanced-malware-protection-amp

I hope this helps.

Kelli Glass

Moderator for Cisco Customer Communities

Thanks. I will look for an answer there.

schuang
Cisco Employee

Hi Finn,

One of the common things we see is anti-virus or other endpoint security software performing functions on a suspicious file, e.g. quarantine. Unless exclusions are defined on each piece of software, you will potentially have a race condition and recursion, where Software A will quarantine a file into Directory A, Software B will pick this up and quarantine the file that was in Directory A into its own quarantine Directory B, and it goes into a bit of a loop chewing up resources. I have heard that endpoint security signature definition files may sometimes trigger alerts on another tool, depending on how they analyze the file. It is recommended to always add exclusions for all potentially conflicting software applications.

best regards,

Shyue Hong

Troja007
Cisco Employee

Hello,

there have been many changes around the AMP connector, including the exclusion handling. Ultimately, if you have more than one security product installed on your endpoint, it is always necessary to make the right exclusions. This means Security Product A should include exclusions for Security Product B.
The problem arises when two products want to inspect something on the disk or in memory. This often ends in conflicts, which can be avoided with the right exclusions.

Cheers
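The quarantine ping-pong that the two Cisco replies above describe is easy to reason about with a small model. The following Python script is an added illustration written for this page; it is not code from the thread, from Cisco, or from any AV vendor, and it does not talk to a real connector. It models two products that each scan a set of paths and move any flagged file into their own quarantine directory, then counts the moves over several scan rounds with and without mutual exclusions. The directory names, the product labels and the "flagged" marker are all invented for the model.

```python
"""Model of two endpoint security products quarantining each other's quarantine.

Without mutual exclusions a single flagged file is moved back and forth on
every scan pass (the race/recursion described in the thread). With each
product excluding the other's quarantine directory, the file is moved once
and then left alone. All paths and names below are hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample: one flagged file on disk. "flagged" stands in for
# whatever content both products would detect.
SAMPLE_FS = {"C:/Users/finn/Downloads/sample.bin": "flagged"}
DETECTIONS = {"flagged"}


@dataclass
class Product:
    name: str
    quarantine_dir: str
    exclusions: set[str] = field(default_factory=set)

    def is_excluded(self, path: str) -> bool:
        """True if the path lives under one of this product's excluded directories."""
        return any(path.startswith(d + "/") for d in self.exclusions)

    def scan(self, fs: dict[str, str], detections: set[str]) -> int:
        """One scan pass over the whole file system model.

        Every detected file that is neither excluded nor already in our own
        quarantine is moved into our quarantine directory. Returns the number
        of moves performed in this pass.
        """
        moves = 0
        for path, content in list(fs.items()):   # snapshot: fs is mutated below
            if content not in detections:
                continue
            if self.is_excluded(path):
                continue
            if path.startswith(self.quarantine_dir + "/"):
                continue                           # already ours, nothing to do
            del fs[path]
            fs[f"{self.quarantine_dir}/{path.rsplit('/', 1)[-1]}"] = content
            moves += 1
        return moves


def build_products(mutual_exclusions: bool) -> list[Product]:
    """Two products with hypothetical quarantine paths; optionally exclude each other."""
    amp = Product("AMP", "C:/ProgramData/AMP/Quarantine")
    av = Product("AV", "C:/ProgramData/AV/Quarantine")
    if mutual_exclusions:
        amp.exclusions.add(av.quarantine_dir)
        av.exclusions.add(amp.quarantine_dir)
    return [amp, av]


def simulate(mutual_exclusions: bool, rounds: int = 10) -> tuple[int, list[str]]:
    """Run `rounds` scan rounds (each product scans once per round).

    Returns (total moves, final file paths). Without exclusions the count
    grows by two per round; with exclusions it stays at one.
    """
    fs = dict(SAMPLE_FS)
    products = build_products(mutual_exclusions)
    total = 0
    for _ in range(rounds):
        for product in products:
            total += product.scan(fs, DETECTIONS)
    return total, sorted(fs)


if __name__ == "__main__":
    for flag in (False, True):
        moves, paths = simulate(flag)
        label = "with" if flag else "without"
        print(f"{label} mutual exclusions: {moves} moves, file now at {paths}")
```

The model deliberately ignores what the connector actually hooks (file create/write events rather than a periodic sweep); the point it makes is the same either way: each product's quarantine directory must be excluded on the other product, or every quarantine action is a new event for the other side to react to.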