Verbose Event Log for AMP?

Solved
kordm
Getting noticed


We use ESET in our org, and updates are being blocked by AMP, however it is not generating events in the Security Center nor is it showing as filtered content in the Network Wide Event Log. Disabling AMP temporarily allows ESET to update successfully. Is there a way to see exactly what AMP is blocking, so I can whitelist the false positives?

I saw one event in the Security Center where communication with one of the ESET subdomains had flagged the download as "User-Agent known malicious user-agent string - Win.Trojan.Batlopma". I've added "eset.com" to the whitelisted URLs under AMP in the Threat Protection window, but that didn't do anything. ESET uses a hundred or so subdomains to deliver updates ... do I need to add ALL of those subdomains to the whitelist?

I'm having the same issue with AMP blocking updates to Google services on wireless devices ... whitelisting "1e100.net" had no effect. Neither did "*.1e100.net"

How can I identify and allow false-positives without disabling AMP?

1 Accepted Solution
PhilipDAth
Kind of a big deal

If you are not running 14.x code yet - upgrade to that. It resolves a lot of the AMP issues.

3 Replies
kordm
Getting noticed

Thanks Philip. My MX is running 13.33. I'll get that updated.

HScar
Here to help

Hi,

We are seeing AMP blocking websites and not logging as well. We are on 14.39. Nothing in Dashboard Event logs or syslogs.

An example website is espressif.com
