
Troubleshooting AMP for Endpoints [Summary]


Introduction

This guide collects information to make troubleshooting AMP for Endpoints easier and faster and gives you some hints on where to start. AMP for Endpoints is a lightweight connector with a very small footprint on the endpoint, but there are situations where a deeper investigation into the product is necessary.

If you run into any challenges while troubleshooting an endpoint, please let us know. We will update the content as needed.


Troubleshooting Prework

You can do some simple pre-work to optimize your AMP for Endpoints installation and configuration before any problem occurs.

Prework 1: Other Security Products [Stability]

If other security products that provide memory protection features are installed on your endpoint, activate memory protection in only one product. Memory protection from several products or vendors running at the same time usually results in serious technical problems.

Note: Some well-known products are not compatible with AMP for Endpoints. Take a look at the User Guide, where these products are listed.

Prework 2: Applications with high disk activity [Performance]

During testing or implementation, identify the applications that generate high disk activity. AMP hashes files on your disk, so a well-known application that writes or reads many files can drive up the CPU load of the sfc.exe process. Typical examples are third-party deployment tools, database services and, in rare cases, software products that exchange files using WMI.

Prework 3: Know your internal critical applications [Functionality]

Whitelist well-known applications (use this method as little as possible and only where needed, because every exclusion reduces visibility). 
Best practices for AMP for Endpoint Exclusions: https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/213681-best-practices-for-amp-for-endpoint-excl.html
Configure and Manage Exclusions in AMP for Endpoints: https://www.cisco.com/c/en/us/support/docs/security/sourcefire-fireamp-endpoints/118341-configure-fireamp-00.html


Check 1: Analyse a Connector Diagnostic file with Diagnostic tool

There is a tool/script available on GitHub to analyse the Connector diagnostic file. The following steps describe how to generate the diagnostic file and how to analyse it.

Note: Take a look at the release notes for the required Connector version. Connector 5.x does not support this feature.

  1. Generate the diagnostic file from your AMP for Endpoints console. Select the computer and click the Diagnostic button.
     [Screenshot: Diagnostic File Generation]
  2. You can find the diagnostic file in the AMP console under the File Repository. Apply the Connector Diagnostic filter if many other files are listed.
     [Screenshot: Diagnostic File Filter in AMP Console]
  3. Navigate to https://github.com/CiscoSecurity/amp-05-windows-tune, download the tool and investigate its output.
  4. Add the appropriate exclusions to your AMP for Endpoints policy.


Check 2: Troubleshooting Technotes on Cisco.com

Cisco provides more troubleshooting guides on cisco.com: https://www.cisco.com/c/en/us/support/security/fireamp-endpoints/products-tech-notes-list.html


Check 3: Troubleshooting Proxy Connection issues

AMP communication through a proxy must be excluded from SSL inspection. AMP uses TLS 1.2 with a binary protocol inside the tunnel which is not HTTP; an RFC-compliant proxy that inspects the traffic will drop these connections and AMP communication will fail.

Manual proxy connection test on the Windows command line:

  • The AMP Connectivity Test Tool includes an option to test proxy connectivity and availability.

  • The tool is located in the AMP for Endpoints installation folder and is started with: %ProgramFiles%\Cisco\AMP\[Version]\ConnectivityTool.exe /T

  • Take a look at the AMP help to see all options of the tool.

Check 4: AMP for Endpoints Deployment Strategy Guide

The AMP for Endpoints Deployment Strategy Guide shows useful help under the Troubleshooting section. 
https://console.amp.cisco.com/docs
https://console.eu.amp.cisco.com/docs


Check 5: Troubleshooting Event Error Codes

In some cases, events show an error code because a file could not be moved to quarantine. This often happens if the file no longer exists, or if another process has locked the file so that AMP cannot obtain a file handle for it.

Example with error code 3221225539:

  • Error code in HEX: 0xC0000043
  • Meaning: STATUS_SHARING_VIOLATION
  • Possible reason: The attempted open operation conflicts with an existing open

Convert the error code shown in the event from decimal to hexadecimal, then look the hex value up in the NTSTATUS list on the following Microsoft website: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-cifs/8f11e0f3-d545-46cc-97e6-f00569e3e1bc


If you see this event only a few times, everything should be fine. If you see the event repeatedly over a longer period of time, you need to take a deeper look; at that point it may also help to open a TAC case.
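The decimal-to-hex conversion and NTSTATUS lookup described above, together with the "a few times is fine, repeated is not" rule, as an added Python example (not a Cisco tool and not part of the original article). It decodes the decimal code from the event into the NTSTATUS fields (severity, facility, code), maps a handful of well-known values to their names, and then counts how often the same failure recurs per host and file in a set of constructed sample event lines; the event line format and host names are assumptions made for the example, and the small lookup table covers only a few codes, so anything else should still be checked against the Microsoft list.

```python
"""Decode AMP for Endpoints quarantine error codes (NTSTATUS values) and flag
hosts on which the same quarantine failure keeps recurring.
Added example; the event line format below is constructed, not AMP's own."""
from collections import Counter
import re

# A few NTSTATUS values from Microsoft's [MS-ERREF] list (assumed sufficient
# for this example; extend the table as needed).
NTSTATUS_NAMES = {
    0xC0000022: ("STATUS_ACCESS_DENIED", "The caller does not have the required access rights"),
    0xC0000034: ("STATUS_OBJECT_NAME_NOT_FOUND", "The object name is not found (file no longer exists)"),
    0xC000003A: ("STATUS_OBJECT_PATH_NOT_FOUND", "The path does not exist"),
    0xC0000043: ("STATUS_SHARING_VIOLATION", "Attempted open operation conflicts with an existing open"),
    0xC0000054: ("STATUS_FILE_LOCK_CONFLICT", "A byte-range lock held by another process blocks the request"),
    0xC0000056: ("STATUS_DELETE_PENDING", "The file is already marked for deletion"),
}
SEVERITY = {0: "success", 1: "informational", 2: "warning", 3: "error"}


def decode_ntstatus(code):
    """Accept the decimal code shown in the AMP console (int or str) and split
    it into the NTSTATUS fields: severity (bits 31-30), customer flag (bit 29),
    facility (bits 27-16, bit 28 is reserved) and code (bits 15-0)."""
    value = int(code) & 0xFFFFFFFF
    name, meaning = NTSTATUS_NAMES.get(
        value, ("UNKNOWN", "not in local table; look up the hex value in MS-ERREF"))
    return {
        "decimal": value,
        "hex": f"0x{value:08X}",
        "severity": SEVERITY[value >> 30],
        "customer": bool((value >> 29) & 1),
        "facility": (value >> 16) & 0x0FFF,
        "code": value & 0xFFFF,
        "name": name,
        "meaning": meaning,
    }


# Constructed sample events: "<timestamp> <host> <path> error=<decimal>".
# host-a fails three times on the same locked file; the others are one-offs.
SAMPLE_EVENTS = """\
2019-05-27T19:40:01Z host-a C:\\Temp\\invoice.exe error=3221225539
2019-05-27T19:41:12Z host-a C:\\Temp\\invoice.exe error=3221225539
2019-05-27T19:52:45Z host-a C:\\Temp\\invoice.exe error=3221225539
2019-05-27T20:03:09Z host-b C:\\Users\\bob\\dl\\setup.tmp error=3221225524
2019-05-27T20:15:30Z host-c C:\\ProgramData\\cache\\x.dll error=3221225506
"""
EVENT_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<path>.+?)\s+error=(?P<code>\d+)$")


def parse_events(text):
    """Parse the constructed event lines; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append({**m.groupdict(), "code": int(m.group("code"))})
    return events


def recurring_failures(events, threshold=3):
    """Return {(host, path, status name): count} for combinations that reach
    the threshold: a one-off quarantine failure is usually benign, the same
    failure recurring on the same file deserves a closer look (or a TAC case)."""
    counts = Counter(
        (e["host"], e["path"], decode_ntstatus(e["code"])["name"]) for e in events)
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for e in events:
        d = decode_ntstatus(e["code"])
        print(f'{e["host"]:7} {d["hex"]} {d["name"]:30} {d["meaning"]}')
    for (host, path, name), n in recurring_failures(events).items():
        print(f"REVIEW: {host} {path} failed {n}x with {name}")
```

Running the script prints the decoded name for each sample event and a single REVIEW line for host-a, whose invoice.exe hit STATUS_SHARING_VIOLATION three times; the threshold is a parameter so you can tune what "multiple times" means for your environment.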


Feature Request

Get in contact with your Cisco representative. Your responsible Systems Engineer will open a Feature Request (FR) for you, and your Cisco representative can also check the status of your FR.