What is the purpose of ClamAV integration in Cisco Secure Endpoint?

Hi,

While exploring the Cisco Secure Endpoint (AMP) interface, I noticed there's a section related to ClamAV signatures.
I wanted to understand:

[screenshot attached]

  1. What is the ClamAV functionality used for in this context?

    • Does it enhance malware detection on Linux systems only, or does it also apply to Windows/macOS clients?

    • Is it used for custom detections, such as signature-based rules for internal threat hunting?

  2. I found this document:
    https://docs.amp.cisco.com/clamav_signatures.pdf

    It describes how to create ClamAV custom signatures and use various command-line tools like sigtool, clamscan, etc.

    My question is:
    Where exactly should these commands be used in the context of Cisco Secure Endpoint?

    • Should I run these on a Linux endpoint, or is there a backend system where ClamAV operates within AMP?

    • Can these custom .ndb or .ldb signature files be uploaded or integrated into Cisco Secure Endpoint for real-time scanning?

Any clarification or guidance on how ClamAV is used within Cisco AMP would be greatly appreciated.
Thanks in advance!

2 Replies

1. On *nix, ClamAV is used for the standard pattern-based AV detections. On Windows it's used for file type detections as well as custom patterns that you may have/find/develop.
2. You could use them on Linux... but that document is a reference to the kinds of things you'd need when you write custom detections under Outbreak Control/Custom Detections - Advanced. You add the signatures you need, and then click Build a Database. That database gets deployed to the client. That is all covered in the Secure Endpoint help here: https://console.amp.cisco.com/help/en/Content/Secure_Endpoint_User_Guide/Custom_Detections_Advanced.html#outbreak_control_1217320745_1621087
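The reply above describes the workflow (write ClamAV signatures, add them under Custom Detections - Advanced, Build a Database), and the follow-up question below asks how to catch files containing a string such as "password". The script here is an added example for this thread, not Cisco's or ClamAV's own code: it builds .ndb and .ldb signature lines in the format documented in the ClamAV signature guide linked in the question, and includes a deliberately small matcher so the lines can be sanity-checked against constructed sample data offline. The signature names, the sample file contents and the matcher are all assumptions made for illustration; the matcher only handles plain hex bodies (no wildcards, no offsets, no counting operators) and assumes `&` binds tighter than `|`.

```python
"""ClamAV custom signatures for Secure Endpoint: build .ndb/.ldb lines from plain
strings and sanity-check them against constructed sample data before pasting them
into Custom Detections - Advanced and clicking Build a Database.
Example code written for this thread, not Cisco's or ClamAV's own; the signature
names, sample data and the toy matcher are constructed for illustration."""
import re

TARGET_ANY = 0  # ClamAV TargetType: 0 = any file (1 = PE, 2 = OLE2, 6 = ELF, ...)


def to_hex(text: str) -> str:
    """Hex-encode a literal string, as `sigtool --hex-dump` does."""
    return text.encode("utf-8").hex()


def ndb_signature(name: str, text: str, target: int = TARGET_ANY, offset: str = "*") -> str:
    """Extended body signature: Name:TargetType:Offset:HexSignature.
    Offset '*' means anywhere in the file. The hex is matched against raw bytes,
    so 'password' stored as UTF-16 or inside a compressed stream will not hit."""
    if ":" in name:
        raise ValueError("signature name must not contain ':'")
    return f"{name}:{target}:{offset}:{to_hex(text)}"


def ldb_signature(name: str, subsigs: list[str], expression: str, target: int = TARGET_ANY) -> str:
    """Logical signature: Name;TargetDescriptionBlock;LogicalExpression;Subsig0;Subsig1;...
    Subsignatures are numbered from 0, e.g. '0&1' (both present) or '0|1' (either)."""
    if ";" in name:
        raise ValueError("signature name must not contain ';'")
    return ";".join([name, f"Engine:51-255,Target:{target}", expression, *map(to_hex, subsigs)])


def matches_ndb(sig: str, data: bytes) -> bool:
    """Toy matcher for plain-hex .ndb signatures at offset '*' (no wildcards)."""
    _name, _target, offset, hexsig = sig.split(":", 3)
    if offset != "*":
        raise NotImplementedError("only offset '*' is handled by this toy matcher")
    return bytes.fromhex(hexsig) in data


def _eval_logic(expr: str, hits: list[bool]) -> bool:
    """Evaluate an .ldb expression of indices, '&', '|' and parentheses.
    Assumes '&' binds tighter than '|'; use explicit parentheses in real signatures."""
    tokens = re.findall(r"\d+|[&|()]", expr)
    pos = 0

    def atom() -> bool:
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of expression")
        tok, pos = tokens[pos], pos + 1
        if tok == "(":
            val = or_expr()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("unbalanced parentheses")
            pos += 1
            return val
        return hits[int(tok)]

    def and_expr() -> bool:
        nonlocal pos
        val = atom()
        while pos < len(tokens) and tokens[pos] == "&":
            pos += 1
            val = atom() and val  # atom() is always called: no short-circuit
        return val

    def or_expr() -> bool:
        nonlocal pos
        val = and_expr()
        while pos < len(tokens) and tokens[pos] == "|":
            pos += 1
            val = and_expr() or val
        return val

    result = or_expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens in expression")
    return result


def matches_ldb(sig: str, data: bytes) -> bool:
    """Toy evaluator for .ldb signatures whose subsignatures are plain hex."""
    _name, _block, expr, *hexsigs = sig.split(";")
    return _eval_logic(expr, [bytes.fromhex(h) in data for h in hexsigs])


def build_custom_signatures() -> tuple[list[str], list[str]]:
    """Return (ndb_lines, ldb_lines) to save as custom.ndb / custom.ldb."""
    ndb = [ndb_signature("Custom.Text.PasswordKeyword", "password")]
    ldb = [ldb_signature("Custom.Text.CredentialMaterial",
                         ["password", "BEGIN RSA PRIVATE KEY"], "0|1")]
    return ndb, ldb


if __name__ == "__main__":
    # Constructed sample file contents (not real files from any system).
    samples = {"creds.txt": b"user=alice\npassword=hunter2\n",
               "id_rsa": b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n",
               "notes.txt": b"nothing interesting here\n"}
    ndb, ldb = build_custom_signatures()
    for fname, data in samples.items():
        print(fname, "ndb:", matches_ndb(ndb[0], data), "ldb:", matches_ldb(ldb[0], data))
```

Before pasting the lines into the console, confirm the hex with `sigtool --hex-dump` and run `clamscan -d custom.ndb -d custom.ldb <test-dir>` on a Linux box with ClamAV installed; the toy matcher above does not reproduce ClamAV's archive unpacking or text normalisation, so only clamscan tells you what the real engine will match. Keep in mind that a bare byte pattern like "password" will fire on a great many benign files, which is why the logical signature form that requires several strings together is usually the better starting point.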

Thanks a lot for the great additional information!
However, I have a question — let’s say I want to find files that contain specific content, for example:

  • files that include the word "password"

  • files that contain a specific text string

  • or Excel files with macros

My goal is just to detect these files, not to block or quarantine them.
Is there a way to achieve this using custom detections? How would that be possible?