Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
9141
Views
0
Helpful
4
Replies

Endpoint IOC documents?

Danielm77
Level 1
Level 1

‎03-18-2015 11:47 AM - edited ‎02-20-2020 08:59 PM

We're currently running the AMP for windows client. When I'm in the SourceFire web console and try to force or schedule a scan on endpoint clients I get a message that "There are no endpoint IOC documents activated."

I don't see how to resolve this in the user guide, or even what the endpoint ioc documents are.

Any suggestions on how to resolve this so we can push scans from the AMP web console out to user endpoints?

Thanks.  

1 person had this problem
Labels:
0 Helpful
4 Replies 4

adhogan
Level 1
Level 1

‎03-20-2015 06:47 AM

You upload IOCs to your AMP console. This will define what to look for in a IOC scan. This is support for the Open IOC standard - and is in addition to the normal protection AMP provides. 

There are example IOCs in the AMP documentation. You can also download Open IOCs from a number of security sites/forums.

But if you aren't familiar with Open IOC then this probably isn't the feature you are looking for. If you simply wish to schedule a full AMP scan you can set that up in your policy. 

0 Helpful

Danielm77
Level 1
Level 1
In response to adhogan

‎03-20-2015 07:30 AM

Thank you for your response. I'll dig into the IOC part, but what I'm really trying to do is force a remote scan of specific computers. I see now that you can schedule it in the policy as you mentioned but it would be for the whole policy. I could schedule then push the computer to it's own group with that policy. 

 

I was just figuring there was an option to go to a specific computer in the AMP console and push a flash or full scan immediately vs a whole group or scheduling it. 

0 Helpful

adhogan
Level 1
Level 1
In response to Danielm77

‎03-20-2015 08:10 AM

Oh sorry, yeah, there is a way. 

Go to Management > Computers. Use the search/filter stuff to find the host you're interested in. Click the plus sign on the left side of that computer to expand out information about that computer. At the bottom of that window you will see a Scan button. Click that, then choose flash or full and then click Start Scan. 

0 Helpful

Danielm77
Level 1
Level 1
In response to adhogan

‎03-20-2015 10:06 AM

Thanks, that might be the issue. I've started at that same screen each time, I think I'm having a connectivity issue because the scans aren't actually taking place from that screen. I'm being told now that some of the clients are saying they aren't connected... time to work out that issue instead! 

0 Helpful
Customers Also Viewed These Support Documents