
how to control endpoint AMP devices?

james.song1
Level 1

How to push the custom malicious file block policy to 5000 internal endpoint AMP devices?

1 Reply

schuang
Cisco Employee

Hi James,

To apply a custom list of files to be blacklisted, you can add the SHA-256 hashes of the files into a simple custom detection list and have that list applied to one or more groups of your internal endpoint AMP devices. You can also create lists for Application (execution) Blocking. Cisco AMP for Endpoints has a Retrospective Security capability that has Cisco AMP for Endpoints polling the AMP Cloud for what we call a retrospective queue at configurable periodic intervals and will automatically pick these up and retrospectively quarantine blacklisted files previously or now seen on the endpoint. As blacklisted applications are executed, they are now blocked. During outbreak control situations, do take into consideration caching of file dispositions on the endpoints and if caches need to be flushed for your operations.

Details can be found in "Outbreak Control" Chapter 3 of the AMP for Endpoints (FireAMP) User Guide:

https://immunet-janus-helpdoc.s3.amazonaws.com/FireAMPUserGuide.pdf

thanks and best regards,

Shyue Hong
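
As an added example (not part of the original reply and not Cisco code), the Python below normalizes a mixed indicator feed into unique SHA-256 values before they are added to a simple custom detection list, and reports entries that are not SHA-256. The one-hash-per-line working format, the function names and the sample feed are assumptions constructed for illustration.

```python
import hashlib
import io
import re

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
# Hex lengths of other digests that often show up in mixed indicator feeds.
OTHER_DIGESTS = {32: "MD5", 40: "SHA-1"}


def sha256_of_stream(stream, chunk_size=1 << 20):
    """Hash a binary stream in chunks so large samples are not loaded whole."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def build_detection_list(lines):
    """Return (accepted, rejected): unique lowercase SHA-256 values in
    first-seen order, and (line_number, text, reason) tuples for review."""
    accepted, seen, rejected = [], set(), []
    for number, raw in enumerate(lines, start=1):
        text = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not text:
            continue
        value = text.split()[0].lower()  # tolerate "hash  filename" layout
        if SHA256_RE.match(value):
            if value not in seen:
                seen.add(value)
                accepted.append(value)
        elif re.fullmatch(r"[0-9a-f]+", value) and len(value) in OTHER_DIGESTS:
            reason = OTHER_DIGESTS[len(value)] + " digest, not SHA-256"
            rejected.append((number, text, reason))
        else:
            rejected.append((number, text, "not a valid SHA-256 value"))
    return accepted, rejected


# Constructed sample input: hashes of made-up byte strings, not real malware.
SAMPLE_A = sha256_of_stream(io.BytesIO(b"constructed sample A"))
SAMPLE_B = sha256_of_stream(io.BytesIO(b"constructed sample B"))
SAMPLE_FEED = [
    "# constructed indicator feed",
    SAMPLE_A.upper(),                    # same hash, different case
    SAMPLE_B + "  dropper.exe",          # sha256sum-style line
    SAMPLE_A,                            # duplicate
    "d41d8cd98f00b204e9800998ecf8427e",  # 32 hex chars: an MD5, rejected
    "not-a-hash",
]

if __name__ == "__main__":
    print(build_detection_list(SAMPLE_FEED))
```

Rejected entries keep their line number so the analyst can go back to the feed and obtain the SHA-256 of the same file instead of silently losing an indicator.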
