Sohaib Ahmed
Cisco Employee

Once you've expanded your Cisco Secure Endpoint connector deployment to about 50% of your licensed count (see the linked article on how to do that), it's time to put those connectors to work: convert the various engines from Audit mode to Protect mode. This enables the protection engines (Offline engines, Malicious Activity Protection and others) to block or quarantine, not just alert on, malicious behavior from offending files and processes. The video below walks you through the steps.

Here's a brief summary of what each engine does.


Malicious Activity Protection (connector version 6.1.5 and later)
The MAP engine defends your endpoints from ransomware by identifying the malicious actions of processes as they execute and stopping them from encrypting your data. Audit mode logs the event but takes no action on the detected process. Quarantine mode quarantines the detected process, and Block mode stops the process from executing. You can also set the engine to Monitor Network Drives.

System Process Protection (connector version 6.0.5 and later)
SPP blocks attacks on critical Windows system processes that are compromised through memory injection by other processes.

Script Protection (connector version 7.2.1 and later)
In Quarantine mode, this blocks malicious script files from executing. Audit mode creates an event when a malicious script is executed but does not prevent it from running.

Exploit Prevention (connector version 6.0.5 and later)
This engine defends your endpoints from the memory injection attacks commonly used by malware and other zero-day attacks on unpatched software vulnerabilities. Audit mode is available in connector version 7.3.1 and later; earlier versions of the connector treat Audit mode the same as Block mode.

Script Control (Secure Endpoint Windows connector 7.3.1 and later)
This prevents certain DLLs from being loaded by some applications and their child processes. In Block mode, the engine kills a process if it or one of its child processes attempts to load one of those DLLs. Audit mode creates events when the activity is detected but does not kill any processes.

Behavioral Protection (connector version 7.3.1 and later)
This helps prevent malicious activity that matches a set of behavioral signatures by alerting on the activity, quarantining files, and ending processes in Protect mode. Audit mode creates events when matching activity is detected but takes no action.


You can change the settings for your Modes and Engines by selecting a policy to open the Edit Policy screen (screenshot below). Here you can choose the appropriate setting for each engine. Note: the recommended settings on the right side of the page are a starting point only, as certain engines may require additional testing before you enable them in production.
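As an added example (not Cisco's code and not the Secure Endpoint API), the checker below applies the engine summary above to a policy record: it flags engines still in Audit mode, engines the oldest assigned connector cannot run, and the Exploit Prevention caveat that connectors before 7.3.1 treat Audit as Block. The engine names, version thresholds and mode names come from the article; the policy record and connector versions are constructed sample data.

```python
# Added example, not Cisco's code and not the Secure Endpoint API: a small checker that
# applies this article's engine and connector-version notes to a constructed policy record.
ENGINE_MIN_VERSION = {  # minimum connector versions stated in the article above
    "Malicious Activity Protection": (6, 1, 5),
    "System Process Protection": (6, 0, 5),
    "Script Protection": (7, 2, 1),
    "Exploit Prevention": (6, 0, 5),
    "Script Control": (7, 3, 1),
    "Behavioral Protection": (7, 3, 1),
}
EXPLOIT_PREVENTION_AUDIT_MIN = (7, 3, 1)  # before 7.3.1 the connector treats Audit as Block

def parse_version(text):
    """'7.3.1' -> (7, 3, 1), so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in text.split("."))

def deployment_ready(deployed, licensed, threshold=0.5):
    """The article's rule of thumb: convert engines once ~50% of licensed connectors are deployed."""
    return deployed / licensed >= threshold

def review_policy(engine_modes, connector_versions):
    """Return (engine, finding) pairs for engines that still need attention.
    engine_modes: engine name -> "Audit" | "Quarantine" | "Block" | "Protect".
    The oldest connector in connector_versions decides what each engine can do."""
    oldest = min(parse_version(v) for v in connector_versions)
    oldest_text = ".".join(map(str, oldest))
    findings = []
    for engine, mode in engine_modes.items():
        if oldest < ENGINE_MIN_VERSION[engine]:
            findings.append((engine, f"unsupported on connector {oldest_text}; upgrade before relying on it"))
        elif mode != "Audit":
            continue  # already enforcing (Quarantine / Block / Protect)
        elif engine == "Exploit Prevention" and oldest < EXPLOIT_PREVENTION_AUDIT_MIN:
            findings.append((engine, f"Audit is treated as Block on connector {oldest_text}"))
        else:
            findings.append((engine, "still in Audit mode: detections are logged, nothing is blocked"))
    return findings

# Constructed sample policy and connector fleet (illustrative values, not real data).
SAMPLE_MODES = {
    "Malicious Activity Protection": "Quarantine",
    "System Process Protection": "Protect",
    "Script Protection": "Audit",
    "Exploit Prevention": "Audit",
    "Script Control": "Block",
    "Behavioral Protection": "Protect",
}
SAMPLE_VERSIONS = ["7.3.1", "7.2.1", "7.5.3"]
```

Calling review_policy(SAMPLE_MODES, SAMPLE_VERSIONS) reports Script Protection still in Audit, Exploit Prevention's Audit being treated as Block on the 7.2.1 connector, and Script Control and Behavioral Protection as unsupported on that connector.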

[Screenshot: Edit Policy screen showing the Modes and Engines settings]

Be sure to review the Policy Design and Management section of the Secure Endpoint Best Practices Guide to determine which engines should be enabled in your environment. If you want to hear from Cisco experts in a live session, register for the Installation and Implementation Best Practices: Secure Endpoint session from the schedule below.

Review Schedule and Register
