Setting up AMP for Endpoints is pretty straightforward, as most of the configuration is already in place and administrators only need to fine-tune the parameters that best fit their organization. The configuration fundamentals are:
- Application Control Whitelisting.
- Policies definition.
- Automatic Analysis Configuration.
- Download Connector.
So let's start with the first step, defining exclusions:
To avoid conflicts with other security solutions installed on the computers, such as a legacy AV and its quarantine folder, it is necessary to exclude their directories from AMP inspection. Administrators can create multiple exclusion groups depending on the target OS:
By default, the exclusion groups come with some predefined exclusions for the most popular solutions. In the case of Windows there are 90, but the administrator can add custom ones. It is advisable to create your own exclusion set instead of changing the default ones, so that you can roll back changes more easily.
- Application Control Whitelisting:
For in-house developed applications, administrators can create application whitelists in order to avoid false positives caused by low prevalence. Remember that low prevalence uncovers targeted threats that were only seen by a small number of users and automatically submits them to Threat Grid for further inspection. You can upload either the executable or the SHA-256 hash associated with it:
- Policies definition:
Policies are where the final enforcement settings are applied and where all the previous exclusions are grouped. Again, it is strongly recommended to copy the default template policy for the desired OS and operational mode and then modify the copy to your own needs.
By default, almost all the values can be kept as they are; however, there are some that must be changed, or they can impact performance or even prevent the connector from connecting to the cloud.
This is mandatory to prevent end users from stopping the connector for any reason and leaving the computers unprotected.
With the aim of having the most transparent communication between the connector and the cloud, Cisco recommends avoiding a proxy. Nevertheless, you can configure the proxy settings if your organization's security policy requires it.
If your organization is running another AV solution you must disable the TETRA antivirus engine, otherwise it will negatively impact the computers' performance.
Groups are the elements that bring together the computers with the connector installed. Administrators select the policy that will be applied to the computers in the group and can manage multiple groups according to different needs.
Once the connector is deployed at the end stations, the “Computers” panel will populate automatically.
- Automatic Analysis Configuration:
The automatic analysis of low prevalence files is disabled by default. That means that files that rarely appear in the organization will not be sent to the cloud automatically by the connector.
If the organization has no compliance constraints on sending files to the cloud, it is strongly recommended to enable this functionality so that you make the most of AMP for Endpoints.
Administrators can activate automatic analysis for separate groups, so you can even differentiate between departments dealing with sensitive information that should not be sent outside.
Files categorized as low prevalence are shown in the "Prevalence" section and can be uploaded manually for further analysis if necessary.
- Download Connector:
Finally, to deploy the connector, administrators need to download the .msi file for redistributing the installation. Choose the group created previously and tick "Flash Scan on Install" so that the processes currently running in memory are scanned at installation time.
Once the connector is deployed on the clients, you should check that it successfully connects to the cloud and retrieves the policy.