Hello @cpaquet, AMP4E uses 4 different types of caches to avoid multiple scanning fo files. AMP hashes files and does a lookup in the local cache. If it is already in the cache and the limits are not reached, AMP does not scan and also does no cloud lookup.             Cheers, Thorsten ... View more

Hello @abirajkwilson, for Threat Events and the naming, you can take a look here: https://www.talosintelligence.com/amp-naming Regarding other Events like ExPloit Prevention: What information you need? Or, what information you need to understand the Event?   Just to be sure, you want to have a longer description about any Threat Type? Which information in detail you are looking for. Maybe information how you should handle the information? Just trying to understand your needs.   Greetings, Thorsten     ... View more

Hello @tomalexis, yes, was a great experience. :-)   The warning says, if you want to remove Tetra and DFC completely, you have to use the installation switches. So the driver installation is skipped. I know, there might be troubles with DFC on servers with high network activity, so it makes sense to remove the driver as well. Finally, the goal is to activate all features as possible.   Greetings, Thorsten     ... View more

Hello @abirajkwilson, not 100% sure what you need in detail.   Cloud IOC: this is not a "static event". The endpoint monitors disk, process and network activity. This activity is processed in the AMP backend and generates the IOC Events. They are different to normal Threat Events. An IOC event indicates a problem with and endpoint you should investigate.   Pleas come back to me if yo have more questions.   Greetings, Thorsten ... View more

Hello @tomalexis, sorry for the delay, was on Business Trip until this weekend.   1) if I starting with alpha/beta deployment of server AMP - I will start in audit mode - do I then install DFC /tetra and see performance . AFAIK you have to manually uninstall AMP and then install it again without DFC/tetra to avoid if you detect a problem like high cpu ?? Answer: If you use the command /skiptetra the driver will not be installed. Therefore, if you want to activate Tetra at a later time, you have to reinstall the product. High CPU: most time high CPU comes from applications which are generating a high disk load. If you see high CPU even you disable Tetra you may have a driver conflict, which is extremly rare. Finally, installed components which are disabled using the policy normally do NOT generate and troubles, performance and functionality.   2) exploit prevention etc is disabled by default and even for servers its always set to audit mode - not protect ? can we turn on EP and also protect mode ? main concern from customer is that EP is not enabled and doesn't not make AMP very effective against buffer  flow and other attacks ? thoughts ? Answer: Tested with Customers/Partners where all Features are active without troubles. Audit mode, from my perspective, makes sense only during initi al testing. Starting in Audit mode so see any problems and activating the feature step-by-step makes sense.   3) are you seeing customers deploy EP, tetra, DFC, protect mode with servers ?  Answer: YES, have seen customers using all protection features from AMP4E on servers.   4) do other products follow the same principles like AMP4E when it comes to servers ?  Answer: Which other products do you mean. In other words, Servers acting different the endpoints, have other software installed and so on... but finally, most time, just another configuration is needed. Greetings, Thorsten         ... View more

Hello @tomalexis, i already heard about Server installations and deactivating AMP4E components.  Disabling DFC: Yes, if there is high network load on the server. You may also use DFC if there is a server with less network load. Tetra: The engine may need more resources if there are many files which have to be scanned. With the proper settings, you may also use Tetra on the server. Exploit Prevention: From my point of information, there was a problem with the engine in the past. Looks like, there was never a disclaimer for this. Have heard nothing about the need to disable exPrev Engine on Servers in the last year.   Hope this helps, Greetings, Thorsten ... View more

Hello @phonehome, yes, this ........ :-/ Can you please share the SHA256 hash of the file with me?? As a workaround, add the hash to the application whitelist and add an exclusion by SHA256.  I´m on a business trip until end of August. You may also open a TAC case for this. Would also be great to see a Screenshot of the event. Finally, to take a look in any way, i need at least the hash value of the file. Greetings, Thorsten ... View more

Hello @Steve Bellan, AMP does much more than only removing the a threat. Yes, we do it in real time, but also retrospective. We also restore a file fully automated from the quarantine. See some technical details below.   I wrote an answer to another topic, but explains the limitations of signature based engines. So we addressed this, and added much more capabilities to the endpoint and also to the backend: https://community.cisco.com/t5/advanced-threats/cisco-amp-for-endpoints-scan-removable-drives-upon-insertion/m-p/3899476/highlight/true#M1598   What we are doing, or, what we are doing more than traditional AV (some info, I´m not aware how familiar you are with AMP). We are monitoring file activity and process activity. We are monitoring network communication. We are monitoring   command line activity   for a process. All this information is automatically processed in the AMP backend and also calculates IOCs if there is just malicious behaviour/activity. Keep in mind, this also happens if the file just exists on the system for just a few seconds. This is also done, if the file is a known clean file.  If we figure out something bad, the AMP backend generates a retrospective alert.  Enclosed an overview about the Engines, Features and Integrations the Endpoint has.   There are new Engines and Features coming up this year, so stay tuned.... :-) You can also extend the endpoint capabilities with all the integrations we are providing. Hope this helps, Greetings, Thorsten     ... View more

Hello @J Hefner, yes, the file is fully automated restored based on the following two conditions. The file will be classified clean again you are adding the hash of the file to the Application Whitelist. After the next successful policy update, the file is automatically restored from quarantine. Greetings, Thorsten ... View more

Hello @EnverSingh7603, yes, you can/should use the Cisco Maintained exclusions. There are some points of view when installing AMP on a Server System. Network monitoring: If the server provides services with high network activity, you should not install the DFC (network monitoring) component. You can, but there can be troubles. So test it. Use the right exclusions. The Tray icon can only connect once to the sfc.exe process from AMP. So, if there are multiple logged on users, you should disable the Tray icon in the policy. Troubleshooting and determining the necessary exclusions. Exclude Applications with high disk activity. Exclude Application which are generating executable code. Take an eagle eye on development systems. ;-) you can enable Debug Logging and generating a diagnostic file. The diagnostic file can be checked with a tool, which you can download from Github: https://github.com/CiscoSecurity/amp-05-windows-tune  Here is a cool explanation from Luis Velazquez generating a Report as well. https://community.cisco.com/t5/advanced-threats/cisco-amp-100-usage-of-cpu/td-p/3877304 Hope this helps, Greetings, Thorsten ... View more

Hello @INF BWA, for official Roadmap info, please contact your Cisco Representative. Roadmap info can always change, so please use the official information procedure for this. Hope this helps, Greetings, Thorsten ... View more

Hello @Joshua Heath, we do not do an automated USB drive OnDemand Scan. This can also be very time and resource intensive, e.g. if you are using a Removeable Storage Device connected using USB 2.0. I know, audit guideline are important, but you may think about the following topics.   There are some interesting things about Signature based detection mechanism we should think about. An endpoint can hold millions of unknown files which have not been seen by any AV Vendor. We tested this. You can test this for your own. Just hash your files on a standard system and use the API from virustotal to compare. You will be surprised, how many completely unknown files exist on a system. Talos discovers approx. 5 billion unique hashes per week, so you cannot hold any available information in the AV signatures. Endpoint products do not a cloud lookup for any file (filetype), this is still not possible. Think about all the non PE files and so on. How about Memory Mapped Devices, which are directly mapped into the systems memory? New Code or maybe files used for a targeted attack are most time not covered by any AV Signatures.   What we are doing, or, what we are doing more than traditional AV (some info, I´m not aware how familiar you are with AMP). We are monitoring file activity and process activity We are monitoring network communication. We are monitoring command line activity for a process which is directly executed from Removeable Storage. All this information is automatically processed in the AMP backend and also calculates IOCs is there is just malicious behaviour. Keep in mind, this also happens if the file just exists on the USB drive for just a few seconds. This is also done, if the file on the Removeable Storage is a known clean file.  If we figure out something bad, the AMP backend generates a retrospective alert.  For Threat Hunting we need the behaviour information for known good files. Below you can see the monitored activity (process, file, network and command line) from a good file.   Hope this helps, Greetings, Thorsten   ... View more

Hello @Sekou DIOMANDE, Threatgrid at the moment does not support ICAP.    We are focusing using a standardized API for integration, which opens a broader range of integration. You can find more information here: https://developer.cisco.com/threat-grid/. Your Cisco Representative may also open a Feature Request for you. Which integration you need? Proxy Integration?   Greetings, Thorsten ... View more