Chau Nguyen asked:
Cisco AMP for endpoints troubleshooting

I keep receiving these types of alerts within our Cisco AMP for Endpoints protection software and need to know if these alerts need to be whitelisted or not.

Please see below:

Alert #1
Detection:  PUA.Win.Trojan.Generic::95.sbx.tg
Filename:  Microstub.exe

Alert #2
Detection:  Gen:Variant.Ulise.25092
Filename:  Dell Printer Hub.exe

Most of the time, the AMP quarantine takes over, but at times, quarantine fails or is not seen.  


Also, is there somewhere I can go and get some CBTs for Cisco AMP for Endpoints protection? Or how to search for/resolve these types of alerts?

Steven Carnahan answered:

Well, Microstub.exe is part of Avast. See: https://www.freefixer.com/library/file/Microstub.exe-284450/

Cisco has a list of exclusions they recommend and for Avast:

Windows - Avast
• Path: CSIDL_WINDOWS\Temp\_avast5_
• Path: CSIDL_WINDOWS\Temp\_avast_

Taken from Cisco's site which has a very large list of recommended exclusions:  https://www.cisco.com/c/en/us/support/docs/security/sourcefire-fireamp-endpoints/118341-configure-fireamp-00.html#anc25

I do not know about the Dell Printer Hub.exe one though.
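Before adding either file to an exclusion list it is worth confirming that the binary on disk really is the vendor's signed executable and recording its SHA-256, since that hash is what an AMP application allow-list entry is keyed on. The following PowerShell is an added example, not code from the original thread or from Cisco; the two filenames come from the question, while the search roots, the `ExcludeCandidate` column and the "expected vendor" check are assumptions for illustration.

```powershell
# Added example (not from the original thread): before excluding a file that
# AMP for Endpoints flagged, confirm it carries a valid Authenticode signature
# from the expected vendor and record its SHA-256 for the allow-list entry.
# Filenames come from the question; search roots and vendor names are assumptions.

$Flagged = @(
    @{ Name = 'Microstub.exe';        ExpectedVendor = 'Avast' }
    @{ Name = 'Dell Printer Hub.exe'; ExpectedVendor = 'Dell'  }
)
$SearchRoots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:ProgramData")

foreach ($entry in $Flagged) {
    $hits = Get-ChildItem -Path $SearchRoots -Filter $entry.Name -File -Recurse -ErrorAction SilentlyContinue
    if (-not $hits) {
        # A missing file usually means quarantine already succeeded for that host.
        Write-Warning "$($entry.Name) not found under the search roots (it may already be quarantined)."
        continue
    }
    foreach ($file in $hits) {
        $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
        $hash = Get-FileHash -Path $file.FullName -Algorithm SHA256
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }

        [pscustomobject]@{
            Path             = $file.FullName
            SHA256           = $hash.Hash
            SignatureStatus  = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer           = $signer
            # Only a Valid signature whose subject names the expected vendor is a
            # reasonable basis for an exclusion; anything else should be treated
            # as a genuine detection and investigated rather than whitelisted.
            ExcludeCandidate = ($sig.Status -eq 'Valid' -and $signer -like "*$($entry.ExpectedVendor)*")
        }
    }
}
```

Run this on an affected endpoint (or via remoting) and compare the SHA256 column with the hash shown in the AMP event detail; if the on-disk copy is unsigned, has a HashMismatch status, or is signed by someone other than the vendor you expect, do not exclude it.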
Which other antivirus is on your machine? And, as Steven pointed out, make sure you do exclusions. But you're also going to need to potentially do executable exclusions, as AMP for Endpoints has evolved its rules quite a bit.

Cisco and their partners do offer AMP for Endpoints training. However, it might not necessarily deep dive the way you're hoping for. Utilize their support for assistance.