Verbose Event Log for AMP?

SOLVED
Getting noticed

We use ESET in our org, and updates are being blocked by AMP; however, it is not generating events in the Security Center, nor is it showing as filtered content in the Network Wide Event Log. Disabling AMP temporarily allows ESET to update successfully. Is there a way to see exactly what AMP is blocking, so I can whitelist the false positives?

I saw one event in the Security Center where communication with one of the ESET subdomains had flagged the download as "User-Agent known malicious user-agent string - Win.Trojan.Batlopma". I've added "eset.com" to the whitelisted URLs under AMP in the Threat Protection window, but that didn't do anything. ESET uses a hundred or so subdomains to deliver updates ... do I need to add ALL of those subdomains to the whitelist?

I'm having the same issue with AMP blocking updates to Google services on wireless devices ... whitelisting "1e100.net" had no effect. Neither did "*.1e100.net".

How can I identify and allow false positives without disabling AMP?

1 ACCEPTED SOLUTION

Kind of a big deal

Re: Verbose Event Log for AMP?

If you are not running 14.x code yet - upgrade to that.  It resolves a lot of the AMP issues.

3 REPLIES

Getting noticed

Re: Verbose Event Log for AMP?

Thanks Philip. My MX is running 13.33. I'll get that updated.

New here

Re: Verbose Event Log for AMP?

Hi,

We are seeing AMP blocking websites and not logging as well. We are on 14.39. Nothing in Dashboard Event logs or syslogs.

An example website is espressif.com
