Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6338
Views
6
Helpful
4
Replies

Using exclusions in AMP For Endpoint.

f.villadsen
Level 1
Level 1

‎06-16-2016 07:52 AM - edited ‎02-20-2020 09:01 PM

I’m preparing a number of PoV’s on AMP4E and wonder hos exclusions should be handled. According to the user guide (and the raining I have received) exclusions must be made on both AMP and the antivirus. It all make sense.

Never the less; I’m running AMP4E on my corporate laptop with Windows 7 and TrendMicro OfficeScan.  The AMP connector is version 4.4.0.10186  with exclusions for TrendMicro OfficeScan. No exclusions on the TrendMicro OfficeScan side made for AMP. I’ve installed AMP on similar conditions for testing.  Some of the AMP connectors are running in Audit mode, others in Protect mode, but they are all running with no problems at all.

What is the reason for this? Is exclusions on the antivirus only required when using specific Antivirus vendors (the user guide talks about McAfee, Symantec and Microsoft Security Essentials) or have I done something wrong?

4 Replies 4

keglass
Level 7
Level 7

‎07-06-2016 12:07 PM

Finn,

I recommend you check out this AMP forum in the Cisco Support Community for more information and feedback.

https://supportforums.cisco.com/community/12249516/advanced-malware-protection-amp

I hope this helps.

Kelli Glass

Moderator for Cisco Customer Communities

0 Helpful

f.villadsen
Level 1
Level 1
In response to keglass

‎07-27-2016 12:51 AM

Thanks. I will look for an answer there.

0 Helpful

schuang
Cisco Employee
Cisco Employee

‎08-03-2016 08:11 PM

Hi Finn,

One of the common things we see is anti-virus or other endpoint security software performing functions on a suspicious file.  E.g. quarantine.  Unless exclusions are defined on each software, you will potentially have a race condition and recursion; where Software A will quarantine a file into Directory A, Software B will pick this up and quarantine the file that was in Directory A into it's own quarantine Directory B and it goes into a bit of a loop chewing up resources.  I have heard that endpoint security signature definition files may sometimes trigger alerts on another tool depending on how they analyze the file.  It is recommended to always add exclusions for all potentially conflicting software applications.

best regards,

Shyue Hong

Troja007
Cisco Employee
Cisco Employee

‎10-16-2018 12:55 AM

Hello,

there have been many changes around the AMP connector, also the exclusion handling. Finally, if you have more than one security product installed on your endpoint, it is always a necessary to make the right exclusions. This means, Security Product A should include exclusions for Security Product B.
The problem is, when two products want to inspect something on the disk or in the memory. This often end in conflicts, which can be avoided with the right exclusions.

Cheers

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents