AMP not stopping EICAR and security center logging no events

mmzzaq
Here to help

Hi,

We recently decommissioned our MX64 and upgraded to an MX75, running firmware 19.1.11. The new MX75 runs the Advanced Security license; I have verified this through Organization > License info. I have enabled AMP in Security & SD-WAN > Threat Protection and also enabled Intrusion detection and prevention > Mode: Detection, Ruleset: Balanced. Furthermore, I made sure that Network-wide > Configure > General > Traffic analysis is set to Detailed: collect destination hostnames.

Whenever I download the malware test file at https://www.eicar.org/download-anti-malware-testfile/, AMP doesn't block it and nothing is logged in Security & SD-WAN > Security center. It doesn't matter whether I download the .txt, .com or .zip file. Note that the download is successful (I actually have the file on disk) and local AV is temporarily disabled. Also, whenever I perform a successful Nmap port scan against a working IP address in another VLAN, nothing is logged in Security & SD-WAN > Security center.

Lastly, we don't have any other gateway or WAN link, so everything is running through the MX75.

Does anyone have any idea why AMP doesn't block EICAR, why the port scans don't get logged in Security & SD-WAN > Security center, and why nothing in general is logged in Security & SD-WAN > Security center? Security center screenshot: https://imgur.com/01lWCN1
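An added check that is not code from the original post or from Meraki: a transparent file-scanning engine that does not decrypt TLS can only inspect a file fetched over plain HTTP, so it is worth fetching the test file over both schemes and recording exactly what the client received (status code, body length, whether the 68-byte EICAR string arrived intact) rather than only noting that "the download worked". The URLs below are assumptions about what eicar.org serves; the verdict logic itself follows the EICAR file specification (string at the start, trailing whitespace only, at most 128 bytes).

```python
#!/usr/bin/env python3
"""Added example (not code from the forum thread): probe an inline
file-scanning engine with the EICAR test file over plain HTTP and HTTPS,
and record exactly what the client received.

The URLs below are assumptions about what eicar.org serves; pass your own
URLs on the command line if the site layout differs.
"""
import sys
import urllib.error
import urllib.request

# The 68-byte EICAR test string, assembled from two halves so that this
# script itself is not quarantined by host AV when it is saved to disk.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")
EICAR_MAX_LEN = 128  # EICAR spec: string first, then only whitespace, <= 128 bytes

# Assumed URLs: the same file over both schemes, so the only variable is TLS.
DEFAULT_URLS = [
    "http://secure.eicar.org/eicar.com.txt",
    "https://secure.eicar.org/eicar.com.txt",
]


def classify_body(status: int, body: bytes) -> str:
    """Say what actually reached the client.

    'delivered'   - HTTP 200 and the EICAR string arrived intact: nothing in
                    the path scanned and blocked it.
    'blocked'     - a non-200 status, or a 200 whose body is not the test
                    file (e.g. a block page served in its place).
    'unreachable' - no HTTP response at all (status 0 from fetch()).
    """
    if status == 0:
        return "unreachable"
    trailer = body[len(EICAR):]
    intact = (body.startswith(EICAR)
              and len(body) <= EICAR_MAX_LEN
              and trailer.strip() == b"")
    if status == 200 and intact:
        return "delivered"
    return "blocked"


def fetch(url: str, timeout: float = 10.0):
    """Return (status, body). Status 0 means no HTTP response at all."""
    req = urllib.request.Request(url, headers={"User-Agent": "eicar-probe/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:            # 4xx/5xx, e.g. a block page
        return err.code, err.read()
    except (urllib.error.URLError, OSError) as err:  # reset, timeout, DNS failure
        return 0, str(err).encode()


def interpret(results: dict) -> str:
    """Summarise the http/https pair; keys are URL schemes."""
    http, https = results.get("http"), results.get("https")
    if http == "blocked" and https == "delivered":
        return "engine works on cleartext but cannot see inside TLS"
    if http == "delivered" and https == "delivered":
        return "nothing in the path blocked the file on either scheme"
    if http == "blocked" and https == "blocked":
        return "file blocked on both schemes"
    return "inconclusive; check the per-URL results"


def main(urls):
    results = {}
    for url in urls:
        status, body = fetch(url)
        verdict = classify_body(status, body)
        results[url.split(":", 1)[0]] = verdict
        print(f"{url}: HTTP {status}, {len(body)} bytes -> {verdict}")
    print(interpret(results))


if __name__ == "__main__":
    main(sys.argv[1:] or DEFAULT_URLS)
```

Run it from a client behind the MX with host AV paused, as in the post, and compare the two verdicts: "blocked" on http and "delivered" on https points at TLS visibility rather than at the engine being off, while "delivered" on both means nothing in the path touched the file at all and the license, rule mode and traffic path are the things to re-check.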

alemabrahao
Kind of a big deal

Dude, I'll be honest with you. A few years ago, I ran a proof of concept with a customer using Meraki's AMP, and I had the most embarrassing experience of my life because AMP didn't block any of the tests we ran.

We involved Meraki at the time, and everything was fine, and they couldn't even explain what was happening.

In short, the customer didn't even proceed with the POC.

My advice: I wouldn't bet on Meraki when it comes to AMP.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

mmzzaq
Here to help

Oh, that doesn't sound assuring. When troubleshooting my issue, I obviously Googled a bit, and I did find a post from a Meraki employee stating that an EICAR download should trigger AMP, so I feel like something is not right, but I'm not 100% sure.
