Jeff Sniff

asked on

Cisco AMP and Malwarebytes

We run Cisco AMP in our environment and I was wondering: when I run Malwarebytes on some workstations, there are many items that I need to quarantine that I think Cisco AMP should have captured or rejected. I'm running the free version of Malwarebytes. I also wanted to know if there's a solution I should consider as well. I believe we are stuck with Cisco AMP until the license runs out, but I have seen some questionable items with Malwarebytes.
masnrock

First thing I'll ask is how you're using AMP. Naturally, it does malware, but are you also using the AV portion of it (TETRA for Windows, ClamAV for other OSes)?

"was wondering when I run Malwarebytes on some workstations, there are many items that I need to quarantine that I think Cisco AMP should have captured or rejected?"
Could you be more specific? Give some examples?
Jeff Sniff

ASKER

We do use TETRA for Windows. One of the problems we presently have is that, since I joined the company a few months ago, it seems like everyone has admin rights, which obviously is a no-no in security, and we're working through this now.
AMP works pretty well, at least on the malware side. However, I have seen that in the case of files with scripting in them, the false positive rate goes up pretty fast. For the most part we don't use TETRA since we had McAfee already, but it has been pretty solid.
So our first line of defense is Cisco AMP, but again, this software does not always catch things. We normally go to the machine when we receive an alert from AMP and then run Malwarebytes at that point, but my question is why Cisco AMP does not catch these things in the first place.
To be fair, no product will catch everything. And Cisco doesn't pitch AMP as an AV replacement... yet.

Wait a sec, you're saying you're getting AMP alerts then using Malwarebytes? So what is AMP alerting on and what are you saying Malwarebytes catches that AMP does not?

I am also assuming you have machines in the Protect policy or a custom one?
For example, the image below shows the settings presently on our machines. This is a protected policy...

We have a daily flash scan and weekly full scan.
[Image: conviction-mode-_-Cisco-AMP.PNG]
The problem really occurs when we get alerted from within Cisco AMP, where it either quarantines or does not quarantine a file, and then I go to the machine and run Malwarebytes. I sometimes see multiple items within Malwarebytes that I'm not sure whether Cisco AMP should have caught in the first place.

Another question:
Is anyone using Malwarebytes as a secondary check, or have it installed on their network, and if so, how is it being used? Is it run daily/weekly, or how is it really set up? We have about 600 computers/laptops and I'm curious about the whole process.
Could you give some examples?