Some information to make your AMP for Endpoints troubleshooting easier and faster. This guide gives you some hints on how to troubleshoot. AMP for Endpoints is a lightweight connector that leaves a very small footprint on your endpoint, but there are situations where a deeper investigation into the product becomes necessary.
If you have any challenges with troubleshooting the endpoint, please let us know. We will update the content as needed.
You can do some simple pre-work to optimize your AMP for Endpoints installation and configuration.
If other security products that provide memory protection features are installed on your endpoint, activate memory protection in only one product. Memory protection from different products/vendors most of the time results in serious technical problems.
Note: Some well-known products are not compatible with AMP for Endpoints. See the User Guide, where these products are listed.
During testing or implementation, identify applications that generate high disk activity. AMP hashes files on your disk, so a well-known application of this kind can result in high CPU load in the sfc.exe process. Typical products are third-party deployment tools, database services, or in rare cases software products that exchange files using WMI.
Whitelist well-known applications (use this method as sparingly as possible and only when needed, to avoid creating security issues).
Best practices for AMP for Endpoint Exclusions: https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/213681-best-practices-for-amp-for-endpoint-excl.html
Configure and Manage Exclusions in AMP for Endpoints: https://www.cisco.com/c/en/us/support/docs/security/sourcefire-fireamp-endpoints/118341-configure-fireamp-00.html
There is a tool/script available on GitHub to analyze the Connector diagnostic file. The following steps describe how to generate the diagnostic file and how to analyze it.
Note: Check the release notes for the required Connector version. Connector 5.x does not support this feature.
Cisco provides more troubleshooting guides on cisco.com: https://www.cisco.com/c/en/us/support/security/fireamp-endpoints/products-tech-notes-list.html
AMP communication through a proxy must be excluded from SSL inspection. AMP communication uses TLS 1.2 carrying a binary protocol that is not HTTP. An RFC-compliant proxy will drop these connections and AMP communication will fail.
Manual proxy connection test on Windows Command Line.
The AMP Connectivity Test Tool includes an option to test Proxy connectivity and availability.
The tool is located in the AMP for endpoints installation folder: %ProgramFiles%\Cisco\AMP\[Version]\ConnectivityTool.exe /T
See the AMP Help for all options of the tool.
In some cases, events show error codes where a file cannot be moved to quarantine. This often happens if the file is no longer available, or if a process locks the file and AMP does not get a file handle to it.
Example with error code 3221225539
You can convert the error code shown in decimal into hexadecimal and then look it up on the following Microsoft website: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-cifs/8f11e0f3-d545-46cc-97e6-f00569e3e1bc
If you see this event only a few times, everything should be fine. If you see the event multiple times over a longer time period, you need to take a deeper look. At that point it may also help to open a TAC case.
Get in contact with your Cisco representative. Your responsible Systems Engineer will open a Feature Request (FR) for you. Your Cisco representative can also check the status of your FR.
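The decimal code in such an event is a Windows NTSTATUS value. The following added example (not Cisco's code, written for this note) converts it to hex and splits it into the documented NTSTATUS bit fields; the name table is a constructed subset of the Microsoft reference, covering the "file gone" and "file locked" cases described above.

```python
# Decode an NTSTATUS value as reported in an AMP quarantine event.
# Added example, not part of the AMP product; the name table below is a
# small constructed subset of Microsoft's NTSTATUS reference (MS-ERREF).

# NTSTATUS values relevant to quarantine failures (subset, assumed).
NTSTATUS_NAMES = {
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",   # file no longer exists
    0xC000003A: "STATUS_OBJECT_PATH_NOT_FOUND",   # parent folder gone
    0xC0000043: "STATUS_SHARING_VIOLATION",       # another process holds the file
}

# Bits 31-30 of an NTSTATUS encode the severity.
SEVERITY = {0: "success", 1: "informational", 2: "warning", 3: "error"}


def decode_ntstatus(code: int) -> dict:
    """Split a 32-bit NTSTATUS into its bit fields and look up a known name."""
    if not 0 <= code <= 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit value: {code}")
    return {
        "decimal": code,
        "hex": f"0x{code:08X}",
        "severity": SEVERITY[(code >> 30) & 0x3],
        "customer": bool((code >> 29) & 0x1),     # vendor-defined code if set
        "facility": (code >> 16) & 0xFFF,         # 0 = FACILITY_NULL (core NT)
        "code": code & 0xFFFF,
        "name": NTSTATUS_NAMES.get(code, "unknown (look up in MS-ERREF)"),
    }


def from_event(value: str) -> dict:
    """Accept the code as it appears in the event: decimal or 0x-prefixed hex."""
    return decode_ntstatus(int(value.strip(), 0))


if __name__ == "__main__":
    # The decimal value quoted in the event example above.
    for field, val in from_event("3221225539").items():
        print(f"{field:9}: {val}")
```

For the example code above the result is 0xC0000043, STATUS_SHARING_VIOLATION, which is the locked-file case; a code decoding to STATUS_OBJECT_NAME_NOT_FOUND points to the file having been removed before quarantine ran.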