Verbose Event Log for AMP?

SOLVED
Here to help

We use ESET in our org, and updates are being blocked by AMP, however it is not generating events in the Security Center nor is it showing as filtered content in the Network Wide Event Log. Disabling AMP temporarily allows ESET to update successfully. Is there a way to see exactly what AMP is blocking, so I can whitelist the false positives?

 

I saw one event in the Security Center where communication with one of the ESET subdomains had flagged the download as "User-Agent known malicious user-agent string - Win.Trojan.Batlopma". I've added "eset.com" to the whitelisted URLs under AMP in the Threat Protection window, but that didn't do anything. ESET uses a hundred or so subdomains to deliver updates ... do I need to add ALL of those subdomains to the whitelist?

 

I'm having the same issue with AMP blocking updates to Google services on wireless devices ... whitelisting "1e100.net" had no effect. Neither did "*.1e100.net".

 

How can I identify and allow false-positives without disabling AMP?

Accepted Solutions
Kind of a big deal

Re: Verbose Event Log for AMP?

If you are not running 14.x code yet - upgrade to that.  It resolves a lot of the AMP issues.

Here to help

Re: Verbose Event Log for AMP?

Thanks Philip. My MX is running 13.33. I'll get that updated.
