• AMP for Endpoints connectors must be able to reach the AMP cloud (TCP 443 or TCP 32137) even through a
firewall or proxy.
• To start a free trial or a live instant demo of Secure Endpoint, log in with a free Cisco account at
• https://www.cisco.com/c/en/us/products/security/amp-for-endpoints/demos.html
• Outbreak Control.
• Lets you create lists that customize AMP for Endpoints to your organization’s needs.
• The main lists can be viewed from the AMP cloud console.
SCOR Page 1
• A simple custom detection matches a file by its SHA-256 hash. You must click Save, or the hash will not be stored as part of the detection.
• Advanced custom detections offer many more signature types than a simple custom detection:
- File body-based signatures
- MD5 signatures
- MD5, PE section–based signatures
- An extended signature format (with wildcards, regular expressions, and offsets)
- Logical signatures
- Icon signatures
• To create an advanced custom detection:
• Outbreak Control > Custom Detections > Advanced.
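As an added example (not from these notes and not Cisco’s code), here is what two of the listed signature types look like in practice and how they match. The formats are assumed to be the ClamAV .hdb (MD5 hash) and .ndb (file body, with wildcards and an offset) signature formats; the sample “PE” and text file are constructed, the signature names are made up, and the PE target-type check is simplified to an MZ-header test.

```python
import hashlib
import re

# Constructed sample inputs: a stand-in "PE" (MZ header, marker at offset 64)
# and a benign text file that merely mentions the same marker.
MARKER = b"EVIL-DROPPER-v1"
SAMPLE_PE = b"MZ" + b"\x00" * 62 + MARKER + b"\x00" * 100
BENIGN_TXT = b"just a note mentioning EVIL-DROPPER-v1 in plain text"

# Hypothetical signature names; the syntax is ClamAV's (an assumption, see lead-in).
SIG_FIXED = "Test.Dropper.Marker:1:64:" + MARKER.hex()   # PE files only, exactly at offset 64
SIG_WILD = "Test.Dropper.Wild:0:*:4556494c2d{1-10}76??"  # any file, anywhere:
                                                          # "EVIL-", 1-10 bytes, "v", any byte


def hdb_signature(data: bytes, name: str) -> str:
    """MD5 hash signature in .hdb form: <md5>:<file size>:<name>.
    Like a simple custom detection, it matches only this exact file."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def parse_ndb(line: str) -> dict:
    """Parse a body signature in .ndb form: Name:Target:Offset:HexPattern.
    Target 0 = any file, 1 = PE; offset is a decimal byte offset or '*'."""
    name, target, offset, pattern = line.split(":")[:4]
    return {"name": name, "target": int(target), "offset": offset, "pattern": pattern}


def pattern_to_regex(hexpat: str) -> re.Pattern:
    """Translate the hex-pattern subset used here into a bytes regex:
    two hex digits = literal byte, '??' = any one byte, '*' = any run of
    bytes, '{n-m}' = between n and m bytes."""
    parts = []
    i = 0
    while i < len(hexpat):
        if hexpat[i] == "*":
            parts.append(b".*?")
            i += 1
        elif hexpat[i] == "{":
            j = hexpat.index("}", i)
            lo, hi = hexpat[i + 1:j].split("-")
            parts.append(b".{%d,%d}" % (int(lo), int(hi)))
            i = j + 1
        elif hexpat[i:i + 2] == "??":
            parts.append(b".")
            i += 2
        else:
            parts.append(re.escape(bytes.fromhex(hexpat[i:i + 2])))
            i += 2
    return re.compile(b"".join(parts), re.DOTALL)


def match_ndb(data: bytes, sig: dict) -> bool:
    """True if the body signature fires on data. The PE target check is
    simplified to an MZ-header test; a real scanner parses the PE headers."""
    if sig["target"] == 1 and not data.startswith(b"MZ"):
        return False
    rx = pattern_to_regex(sig["pattern"])
    if sig["offset"] == "*":
        return rx.search(data) is not None
    return rx.match(data, int(sig["offset"])) is not None


def scan(data: bytes, sig_lines) -> list:
    """Names of the body signatures that fire on data."""
    return [s["name"] for s in map(parse_ndb, sig_lines) if match_ndb(data, s)]


if __name__ == "__main__":
    print(hdb_signature(SAMPLE_PE, "Test.Dropper.Exact"))
    print("sample PE :", scan(SAMPLE_PE, [SIG_FIXED, SIG_WILD]))
    print("benign txt:", scan(BENIGN_TXT, [SIG_FIXED, SIG_WILD]))
```

The point to notice is the trade-off the note’s list implies: the hash signature is precise but brittle (any change to the file defeats it), while the body signature with a wildcard range fires on the text file as well as the “PE”, so offset and target-type restrictions are what keep a body signature from convicting benign files.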
• Android detections look for specific applications; you build them either by uploading the app’s .apk file or by
selecting that file from the AMP console’s inventory list.
• Use Android custom detections for two main functions:
• Outbreak control.
• You are using the detection to stop malware that is spreading through mobile devices.
• When a malicious app is detected, the user of the device is notified and prompted to uninstall it.
• Application control.
• You can also use custom detections to stop applications that you don’t want installed on devices in your
organization.
• Simply add apps to an Android custom detection list that you don’t want installed.
• IP Blacklists and Whitelists.
• You use an IP whitelist to define IPv4 addresses that should not be blocked.
• Traffic that matches entries in the blacklist is flagged or blocked.
• You name the list, choose whether it is a whitelist (IP Allow List) or a blacklist (IP Block List), and enter a
series of IPv4 addresses, one line at a time.
• Each line must contain a single IP or CIDR.
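An added example (not from these notes and not Cisco’s code) that checks a candidate list against the one-IPv4-address-or-CIDR-per-line rule before it is pasted into the console, and reports allow/block entries that overlap so they can be reviewed. The sample list and the assumption that IPv6 entries should be rejected are mine; the note above only states the IPv4 rule.

```python
import ipaddress

# Constructed candidate list, as it would be pasted into an IP Block List
# (one IPv4 address or CIDR per line). Lines 4-9 are deliberately bad.
SAMPLE_LIST = """\
198.51.100.7
203.0.113.0/24
 192.0.2.10
203.0.113.0/24
2001:db8::1
203.0.113.5/33
not-an-ip
198.51.100.7, 198.51.100.8
203.0.113.5/24
"""


def validate_ip_list(text: str):
    """Return (valid_entries, errors) for a candidate list.

    Each non-blank line must be a single IPv4 address or IPv4 CIDR block.
    IPv6, CIDRs with host bits set, junk, several entries on one line and
    duplicates are reported as (line number, raw line, reason)."""
    valid, seen, errors = [], set(), []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line)  # strict: rejects host bits in a CIDR
        except ValueError:
            try:
                ipaddress.ip_network(line, strict=False)
                errors.append((lineno, raw, "CIDR has host bits set"))
            except ValueError:
                errors.append((lineno, raw, "not a single IPv4 address or CIDR"))
            continue
        if net.version != 4:
            errors.append((lineno, raw, "IPv6 is not accepted; IPv4 only"))
            continue
        entry = str(net.network_address) if net.prefixlen == 32 else str(net)
        if entry in seen:
            errors.append((lineno, raw, "duplicate of an earlier entry"))
            continue
        seen.add(entry)
        valid.append(entry)
    return valid, errors


def overlapping_entries(allow_entries, block_entries):
    """Pairs of (allow, block) entries whose address ranges overlap.
    An allow list defines addresses that should not be blocked, so an
    overlap with the block list is worth reviewing before both are applied."""
    allow = [ipaddress.ip_network(e) for e in allow_entries]
    block = [ipaddress.ip_network(e) for e in block_entries]
    return [(str(a), str(b)) for a in allow for b in block if a.overlaps(b)]


if __name__ == "__main__":
    ok, bad = validate_ip_list(SAMPLE_LIST)
    print("ready to paste:", ok)
    for lineno, raw, reason in bad:
        print(f"line {lineno}: {raw!r}: {reason}")
    print("allow/block overlaps:", overlapping_entries(ok[:1], ["198.51.100.0/24"]))
```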
• AMP for Endpoints Application Control
• Like files, applications can be detected, blocked, and whitelisted.
• AMP does not look for the name of the application but the SHA-256 hash.
• To create a new application control list for blocking an application:
• Outbreak Control > Application Control > Blocked Applications.
• If you already have the SHA-256 hash, add it.
• Otherwise, you can upload one application at a time and have the AMP cloud console calculate the hash for
you, as long as the file is not larger than the 20MB limit.
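An added example (not from these notes and not Cisco’s code): computing the SHA-256 yourself so it can be pasted into the Blocked Applications list (or a simple custom detection) without uploading the file, and checking the 20 MB limit for the upload path. It also shows why keying on the hash rather than the name matters: the sample files are constructed in a temporary directory, renaming one leaves the hash unchanged, and patching a single byte changes it. The binary-megabyte reading of “20MB” is an assumption.

```python
import hashlib
import os
import tempfile

MAX_UPLOAD_BYTES = 20 * 1024 * 1024  # console upload limit from the notes (binary MB assumed)


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file in chunks so large installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def application_control_entry(path: str) -> dict:
    """The SHA-256 to paste into an Application Control list, plus whether the
    file is small enough to be uploaded for the console to hash instead."""
    size = os.path.getsize(path)
    return {
        "path": path,
        "sha256": sha256_of_file(path),
        "size": size,
        "upload_ok": size <= MAX_UPLOAD_BYTES,
    }


def demo() -> dict:
    """Constructed demo: identical bytes under two names hash identically,
    while a one-byte change (think: a rebuilt binary) gives a different hash."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "tool.exe")
        renamed = os.path.join(d, "totally_not_tool.exe")
        patched = os.path.join(d, "tool_v2.exe")
        body = b"MZ" + b"\x90" * 4094  # constructed stand-in for a PE, not a real binary
        for path, data in ((original, body), (renamed, body), (patched, body[:-1] + b"\x91")):
            with open(path, "wb") as f:
                f.write(data)
        e_orig, e_renamed, e_patched = (
            application_control_entry(p) for p in (original, renamed, patched)
        )
        return {
            "rename_same_hash": e_orig["sha256"] == e_renamed["sha256"],
            "patch_changes_hash": e_orig["sha256"] != e_patched["sha256"],
            "upload_ok": e_orig["upload_ok"],
        }


if __name__ == "__main__":
    print(demo())
```

Outside Python, `sha256sum <file>` (Linux), `shasum -a 256 <file>` (macOS) and `Get-FileHash -Algorithm SHA256 <file>` (Windows PowerShell) give the same digest. The consequence for blocking is the same either way: a blocked application that is rebuilt or patched gets a new hash and must be added again.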
• Exclusion Set.
• A list of directories, file extensions, or even threat names that you do not want the AMP agent to scan and
subsequently convict as malware.
• Any files stored in a location that has been added to an exclusion set will not be subjected to application
blocking, simple custom detections, or advanced custom detections.
• Keep exclusions as narrow as possible and review them regularly: an excluded directory is a blind spot, and
anything dropped into it is neither scanned nor blocked by the connector.
• AMP for Endpoints is available for multiple platforms: Windows, Android, Mac, and Linux.
• To see the available connectors from the cloud console:
• Management > Download Connector.
• You can configure different policies for each of the supported platforms.
• Management > Policies
• A policy is applied to an endpoint via groups.
• Groups allow the computers in an organization to be managed according to their function, location, or other
criteria that is determined by the administrator.
• To create a new group
• Management > Groups.
• There are three detection and protection “engines” in AMP for Endpoints:
• TETRA.
• A full client-side antivirus solution.
• Do not enable TETRA if another antivirus product is already in place; the default AMP setting leaves TETRA disabled.
• TETRA consumes more disk space for signature storage and more bandwidth for signature updates.
• Spero.
• A machine learning–based technology that proactively identifies threats that were previously unknown.
• Can identify malicious software based on its general appearance rather than basing identity on specific
patterns or signatures.
• Ethos
• A “fuzzy fingerprinting” engine that uses static or passive heuristics.
• Uses automatically created generic signatures.
• The AMP for Endpoints Overview dashboard displays the status of your environment and highlights recent threats
and malicious activity in your AMP for Endpoints deployment.