Several months ago we bought into Cisco AMP for Endpoints. There was a lot of work right after that, so we set up the management account and put it aside. Months later, I felt a little awkward about it, so I thought I would devote my April to Cisco AMP for Endpoints.
I just uncorked my AMP for Endpoints account, for this post and going forward, when I write AMP, I mean Cisco AMP for Endpoints, because it’s a mouthful. AMP itself seemed forbidding and difficult, but then once I started working with the site, configuration wasn’t that bad. I decided to test AMP in my environment by starting a “Factory Fresh” copy of Windows 7 32-bit in VirtualBox on my Mac, with 4GB of RAM assigned to it. A standard humdrum little workstation model.
I downloaded a bunch of starter packs, including the “Audit” model, the weakest of them all. I installed it on the workstation and the site responded well enough, noticing the install. As I was working with the system, I noticed that AMP complained that the definitions were out of date on the client, so I went hunting for a “definition update” function. There isn’t anything the user can trigger, you have to wait for it. Oh, that’s not good.
So then I had AMP on the test machine and I thought I would try to infect it. So I found a copy of EICAR, which is a sample file that all these technologies are supposed to detect and find hazardous. Symantec Endpoint Protection (SEP) sees EICAR well enough, and really gets upset by it, immediately stuffing it into Quarantine and sending an alert. AMP also detected EICAR and because it was in Audit mode, just sat on its hands. Which I expected.
So then I found a bunch of sample malware files on a testing website, because while EICAR is useful for basic testing, it’s as relevatory as a knee-jerk reflex. It’s nice to know there is a reflex, but it’s not the same as an actual malware infection. I opened the ZIP file, typed in the password and all these malware samples came spilling out into the downloads directory. So, a workstation that is quickly becoming filthy. That’s my use-case for AMP.
So after “infecting” the computer with the files, and the tamest model, which is just to have them in a folder, I went to AMP and told it to switch the model on the test machine from Audit to Triage. That took almost twenty minutes! Are you for real on this, Cisco? Twenty minutes!!!
So I knew what I had on this workstation, but I pretended that I was the admin on the other side, with an unknown workstation connected, reclassified with Triage and waiting. I knew that the computer was infected, and as the admin, “not knowing what is going on” with the endpoint, I sent a scan command. This is the worst case scenario.
On the AMP side, I didn’t see anything at all. I panicked around looking for any hint that the AMP system recognized my scan request, and so I sent five more scan requests. Obviously, one scan request should have done it, but I wanted to make sure that I worked around even an imaginary screw-up in Cisco over scanning. Nothing. Workstation just plotzing along, infected files just sitting right there in the Downloads folder, just waiting for double-clicking end-user to make a tame infection a wild one.
Obviously this is the worlds worst scenario, one were SEP somehow is gone, not installed, or somehow lost its marbles, leaving AMP on its own to run defense. Scan! Scan! Scan! — Nothing at all. AMP just sits there just merrily SITTING THERE. Like shaking a coma patient, is very much what it felt like.
So then I started with the Help feature, request help, okay, I knew how this would go. This would lead to TAC. God help me. Cisco’s system didn’t know what AMP was, hahahahaha of course not. But there was a chat system in a teeny tiny little button, so I tried that. Someone! Hallelujah! They found my contract and linked it up, and started a case for me. When I went back to the test system, AMP had done it’s work. FINALLY. It only took twenty minutes! A lot can happen in twenty minutes. How many files could have been ransomware-encrypted in those twenty minutes?
So now I await a response from Cisco TAC. During the chat I declined the entire phone call angle since Cisco TAC people cannot speak English, or at least, I cannot understand their speech. So I told them that I would only communicate over email. So lets see what TAC has to say. We spent a lot of money on this, so obviously I’ll likely deploy it, but man, I am sorely disappointed in a system where every second counts. On reflection, Cisco AMP for Endpoints was probably a mistake.