AMP Endpoints Basics Lab v1.6-US

This document describes an AMP for Endpoints Basics Lab that is designed to provide skills for installing and configuring AMP for Endpoints. The lab utilizes virtual machines within the Cisco dCloud environment and includes scenarios to deploy AMP for Endpoints in a simulated customer environment, configure initial settings, integrate the solution, create audit and protection policies, transition to protection mode, customize detections, troubleshoot issues, and uninstall/upgrade the solution. The lab is intended to be completed over two days and provides hands-on experience with an AMP for Endpoints deployment prior to implementing in a real customer environment.


Cisco dCloud

AMP for Endpoints Basics Lab v1


Last Updated: 23-JAN-2019 dCloud: The Cisco Demo Cloud

About This Lab


The goal of this hands-on lab is to provide the basic skills and methodology required to successfully install and configure AMP for
Endpoints. By completing the included lab scenarios, you will deploy AMP for Endpoints in a simulated customer environment for
the fictitious “ABC Company.” The scenarios will walk you through the process of initial configuration of the solution, as well as
integrating AMP for Endpoints into the customer environment. This lab will give you the ability to become familiar with the
deployment of AMP for Endpoints prior to going onsite at a customer.

The scenarios and lab environment utilize virtual machines within dCloud and a dedicated AMP for Endpoints account in the AMP
cloud. At the end of the training lab, your "customer" will have a fully functional AMP for Endpoints deployment. Private AMP Cloud,
AMP for Networks, and integration of those products are out of scope for this lab. Android and Mac endpoints are also out of scope
for this lab, although several aspects of the deployment will apply to those endpoints.

The included series of lab scenarios are designed to be completed over a two-day consecutive period. It is possible to perform all
lab activities in a single day.

Day 1 Lab Scenarios: 1-11

Day 2 Lab Scenarios: 12-19 + Optional Challenge Lab

© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 325

This AMP for Endpoints training includes the following Lab Scenarios:



About This Lab 1
Scenario 1. Reset AMP for Endpoints Lab Environment 5
Scenario 2. Pre-Deployment Configuration 20
Scenario 3. Create Audit Only Policies 31
Scenario 4. Create Groups 49
Scenario 5. Connector Deployment 54
Scenario 6. Application Testing - Audit Mode 80
Scenario 7. Create Protect Mode Policies 112
Scenario 8. Create Protect Mode Groups 121
Scenario 9. Protect Mode Transition 125
Scenario 10. Simple Custom Detections 130
Scenario 11. Vulnerable Applications 141
Scenario 12. Generating Whitelist Hashes 155
Scenario 13. Advanced Custom Detections 171
Scenario 14. Indications of Compromise (IOC) 208
Scenario 15. Troubleshooting 226
Scenario 16. Uninstallation 255
Scenario 17. Upgrades 270
Scenario 18. Operations 289
Scenario 19. API 298



Resources
For more information:

• AMP for Endpoints online documentation: https://console.amp.cisco.com/docs

• Cisco AMP for Endpoints product home: https://www.cisco.com/c/en/us/support/security/fireamp-endpoints/tsd-products-support-series-home.html

• Visit the Cisco dCloud help page: https://dcloud-cms.cisco.com/help

• Access all available Cisco dCloud content: https://dcloud.cisco.com

• dCloud Contact Us: https://dcloud-cms.cisco.com/help/contact-us-security


Topology
You will perform all tasks from a Windows 10 workstation named Jumphost in the dCloud environment. Throughout the
deployment, you will use Remote Desktop connections from the Jumphost machine to connect to the other Windows machines
within the lab environment. There is also a CentOS 7 server (named CentOS) in the lab environment that will have a connector
installed on it and will also be used during Advanced Custom Detection (ACD) creation. You can connect to the Jumphost system
either through AnyConnect VPN or through the web-based Remote Desktop connection on your dCloud session page. It is highly
recommended that you do not connect directly to any machine other than the Jumphost.


Scenario 1. Reset AMP for Endpoints Lab Environment


Due to the current design of AMP for Endpoints user accounts and the dCloud lab environment, the settings and changes made
by previous classes must be removed from your instance of the AMP for Endpoints console. This scenario directs you through the
steps required to prepare your AMP for Endpoints console for use in the lab.

Note: It is critical that you perform all steps in this scenario. Failure to do so will prevent you from successfully completing the labs.
When performing the cleanup processes, if you do not see an entry you are instructed to remove, it is likely that the previous
student did not configure that component and you may move on to the next step of the cleanup process.

1. Connect to the Jumphost system within dCloud via Web Client or by using the designated VPN/RDP credentials.

2. Open the Chrome web browser by double-clicking the shortcut on the desktop of the Jumphost machine

3. Click the AMP for Endpoints Console shortcut located just beneath the URL bar at the top left of the Chrome browser.

4. If you receive the certificate error shown below, click the ADVANCED button and then select the option to Proceed to
198.18.134.139. This error is due to the way SSO authentication is set up within the dCloud lab environment. Bypassing the
warning is acceptable only here, where the lab's SSO front end is the known cause; in a customer environment, investigate a
certificate error on the console rather than proceeding past it.


5. You will be automatically logged in to the AMP for Endpoints console without entering a username or password.

a. If you are prompted with a security or certificate error, please continue past the error to load the console page.

6. There may be messages at the top of the AMP Console. If so, click the X on each message, one by one, to close it. There may
be several to clear.

7. Click the Management menu and select the Computers menu item.

a. Place a checkmark in the box next to every computer listed on the Computers page. Your entries may be
different than shown, or you may even see no entries at all.


b. Once all computers have been selected from the list, click the Delete button, and choose Delete again from the
pop-up window.

c. There should no longer be any computers listed on the Computers page.

8. Click the Management menu and select the Groups menu item.

a. The current list of groups will display. You will now delete all groups that start with the letters ABC. Do Not delete
any other groups from the console. For every group prefixed by ABC, click the Delete button next to the group.

b. Verify that you are only deleting a group that begins with ABC, then click OK on the Delete Group window.


c. Continue deleting groups until no groups remain that start with the characters ABC.

9. Click the Management menu and select the Policies menu item.

a. The current list of policies will display.

b. For each policy that begins with the letters ABC, click the plus symbol on the policy to expand it, and then click
the Delete button in the bottom right corner.

c. On the Delete Policy window, after verifying it is an ABC policy, click the Delete button.


d. Repeat this process to delete all policies that begin with the letters ABC.

10. Click on the Management menu and select the Exclusions menu item.

a. For each exclusion set on this page that starts with the letters ABC, click the plus sign (+), then click the Delete
button associated with that exclusion set, and then confirm the deletion by clicking Delete in the pop-up window.

b. Repeat this process to delete all exclusion sets that begin with the letters ABC.

11. Click the Accounts menu and select the API Credentials menu item.


a. Place a checkmark next to all entries on the API credentials page and click the Delete button.


b. On the Delete API Credential window, click the Delete button.

c. There should now be no remaining API credentials in the list.

12. You will now verify that Demo Data is not enabled. Click the Accounts menu and select the Demo Data menu option.

a. You should see the following screen asking if you would like to enable demo data. Do NOT click the Enable
Demo Data button. If you see the below screen, demo data is not enabled, and you may continue the lab steps.


b. If you see the following screen, demo data is enabled and must be disabled. Click the Disable Demo Data
button.

13. Click the Outbreak Control menu and select the CUSTOM DETECTIONS > Simple menu item.

a. Click the Delete button for any entries on this page that begin with the letters ABC.

b. On the Warning window, click the Delete button.


14. Click the Outbreak Control menu and select the CUSTOM DETECTIONS > Advanced menu item.

a. Click the Delete button on all entries in Custom Detections - Advanced.

b. On the Warning window, click the Delete button.

15. Click the Outbreak Control menu and select the APPLICATION CONTROL > Blocking menu item.

a. Click the Delete button on any entries that begin with the letters ABC.


b. On the Warning window click the Delete button.

16. Click the Outbreak Control menu and select the APPLICATION CONTROL > Whitelisting menu item.

a. Click the Delete button for any entries that begin with the letters ABC.

b. On the Warning window click the Delete button.


c. After you click Delete on the whitelist, it may not disappear from the console immediately, because the deletion of
the hashes it contains is still being processed. Continue with the lab.

17. Click the Outbreak Control menu and select the NETWORK > IP Blacklists & Whitelists menu option.

a. Click the Delete button for all entries on the Network - IP Blacklists & Whitelists page.

b. On the Warning window, click the Delete button.

18. Click the Outbreak Control menu and select the menu item ENDPOINT IOC > Installed Endpoint IOCs.


a. Place a checkmark next to each entry on the page (right side of the page), click the Actions menu, and select
the Delete menu item.

b. On the Delete Confirmation window click the Delete button.

19. Click the Analysis menu and select the File Repository menu item.

a. Click the plus symbol to expand any entries in the file repository and click the Remove button on each entry.


b. On the Are you sure window, click the OK button.

20. You will now delete any saved Event Filters.

21. Click the Analysis menu and select the Events menu item.

a. The Events page appears.

b. Click the Select a Filter drop-down menu in the top right corner of the events page and select one of the entries
on the menu.

c. If you receive the You have unsaved changes warning at any time during this scenario you may click the
Discard Changes button.


d. The event filter you chose is applied to the view.

e. Click the Delete button.

f. When prompted to delete the filter click the Delete button.

g. The filter is deleted. Repeat the above process until all remaining Event Filters are removed.

h. Once all event filters are deleted your drop-down menu should appear as shown below.

22. Click the Accounts menu and select the Business menu item.


a. The Business settings page appears. Notice that there is a section for Default Product Versions.

b. The setting should be Latest. If the Default Product Versions section looks like the screenshot below and shows the
value Latest, you may go to the end of this scenario. If any version numbers are specified, follow the steps below to
change them.

i. Click the Edit button in the upper right-hand corner of the screen.

ii. Locate the Windows section on the page.

iii. Click the drop-down menu for the Default Connector Version and change the value to Latest.


iv. Click the Update button after changing the Default Connector Version.

v. Verify that the Default Product Versions section has updated to Latest. If any other product versions
besides Windows have a specific version specified, please use the above steps to change the value to
Latest.

You have completed the clean-up steps required to prepare your AMP for Endpoints console for the following lab scenarios. This
activity is for dCloud lab purposes only and would not be a part of a typical customer deployment. Please proceed with the
following scenario to get started on deploying AMP for Endpoints.


Scenario 2. Pre-Deployment Configuration


There are configuration steps that should be performed in the AMP for Endpoints console before installing any Connectors in the
customer environment. You will now go through the process of creating the Exclusion Sets, Policies, Groups, and other items
that are required prior to installing the connector on the customer endpoints.

Note: In a POV or small environment, the default exclusions, policies, and groups may be used. However, in larger environments
where there are multiple types of machines, or where the requirement exists to manage multiple sets of workstations or servers
with unique exclusions, groups, and/or policies, you will need to create and configure these items manually. During the
following labs, you will go through the procedure of creating the required objects for the customer without using the default
objects. This method best familiarizes you with the overall process and allows for the most flexible deployment.

Note: In the labs, you will be using a prefix for every configuration item you create. This is so you can distinguish your objects from
the default items already existing within the AMP for Endpoints console. In this lab, the prefix used is “ABC,” which is derived from
our fictitious company utilized during the implementation scenarios you are performing. This is a best practice to simplify identifying
custom configuration vs. default configuration.
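The prefix convention above also makes the Scenario 1 clean-up verifiable from outside the console. The script below is an added example, not part of the lab guide, and not Cisco code: it lists every computer and any ABC-prefixed group or policy still present in the business, using the public AMP for Endpoints API. The endpoint paths, the HTTP Basic authentication scheme (client ID and API key) and the `{"data": [...]}` response shape are taken from the public API documentation and should be treated as assumptions to verify there; the North America API host is likewise an assumption. It also assumes an API credential with read access exists. Scenario 1 step 11 deletes the lab's credentials, so run this before that step or create a temporary read-only credential first.

```python
"""Report AMP for Endpoints console objects that still carry the lab prefix
("ABC") so the Scenario 1 clean-up can be confirmed from outside the console.

Added example, not part of the lab guide. Endpoint paths, Basic auth with
client ID / API key, and the {"data": [...]} response shape follow the public
AMP for Endpoints API documentation (assumption: v1 API); verify them before use.
"""
import base64
import json
import os
import urllib.request

API_BASE = "https://api.amp.cisco.com/v1"   # North America cloud (assumption)

# object type -> (API path, field holding the display name)
ENDPOINTS = {
    "computers": ("/computers", "hostname"),
    "groups": ("/groups", "name"),
    "policies": ("/policies", "name"),
}


def leftover_objects(responses, prefix="ABC"):
    """Return {object type: [names]} for objects the clean-up should have removed.

    `responses` maps an object type to a decoded API response body.
    Computers are reported regardless of name because Scenario 1 deletes every
    computer; groups and policies are reported only when they start with `prefix`.
    """
    leftovers = {}
    for kind, (_, name_field) in ENDPOINTS.items():
        body = responses.get(kind, {})
        names = [item.get(name_field, "") for item in body.get("data", [])]
        if kind != "computers":
            names = [n for n in names if n.upper().startswith(prefix.upper())]
        if names:
            leftovers[kind] = sorted(names)
    return leftovers


def fetch(path, client_id, api_key, base=API_BASE):
    """GET one page of an API list using HTTP Basic auth (client_id:api_key)."""
    token = base64.b64encode(f"{client_id}:{api_key}".encode()).decode()
    req = urllib.request.Request(
        base + path,
        headers={"Authorization": "Basic " + token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    cid, key = os.environ.get("AMP_CLIENT_ID"), os.environ.get("AMP_API_KEY")
    if not (cid and key):
        raise SystemExit("set AMP_CLIENT_ID and AMP_API_KEY (a read-only credential is enough)")
    live = {kind: fetch(path, cid, key) for kind, (path, _) in ENDPOINTS.items()}
    report = leftover_objects(live)
    if not report:
        print("console is clean: no computers and no ABC-prefixed groups or policies")
    for kind, names in report.items():
        print(f"{kind} still present: {', '.join(names)}")
```

The API paginates its lists; the script reads only the first page of each, which is sufficient for a lab console but should be extended with the `metadata.links.next` handling described in the API documentation for a production business. The prefix match is case-insensitive so that an object mistakenly named "abc - ..." is caught as well.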


Create Exclusion Sets


Your customer has indicated that they currently use IBM BigFix for patch deployment and systems management tasks. You
will now create exclusion sets appropriate for the BigFix application. You will also review the Cisco-maintained exclusions to aid
you in future deployments.

1. Return to the AMP for Endpoints Console in Chrome.

2. Ensure you are logged into the AMP for Endpoints Console.

3. Select the Management menu and select the Exclusions menu item.

4. The Exclusions page will now appear. Click on the + New Exclusion Set button.

Note: You will be creating exclusion sets that can be attached to multiple policies.

5. Click the Select Product dropdown menu and select Windows from the OS choices.


6. Click the Create button

7. In the Name field, enter ABC - BigFix Client Exclusions

8. Click the Add Multiple Exclusions button.

9. Enter the following values with each on a separate line of the window.

a. CSIDL_PROGRAM_FILESX86\BigFix Enterprise\BES Client

b. CSIDL_PROGRAM_FILESX86\BigFix Enterprise\BES Relay

c. CSIDL_LOCAL_APPDATA\BigFix


10. Click the Add Exclusions button.

11. You will be taken back to the New Exclusion Set window with the multiple values you entered shown in the exclusion list.

12. An exclusion set cannot be saved with a blank entry. When a new exclusion set is created, a blank entry is created as
well. Click the trash can icon near the blank entry at the top of the list to remove it.

13. Click the Save button.


14. You will receive a message that the exclusion set was created successfully. Notice at this time the exclusion set is not in
use by any policies or groups.

15. Click the left arrow icon to return to the exclusion sets screen

16. Create another Exclusion Set by clicking the + New Exclusion Set button.

17. Click the Select Product dropdown menu and select Windows from the OS choices.

18. Click the Create button

19. In the Name field, enter ABC - BigFix Server Exclusions


Note: The servers in our customer environment could possibly have the BigFix software installed on different drive letters, and
not just the C: drive. You will therefore be using wildcard exclusions to ensure differences in the configuration of the software
within the customer environment are taken into account such that the exclusions work in all cases.

20. Click on the drop-down menu next to the blank entry and choose the Wildcard menu item.

21. Enter *\Program Files (x86)\BigFix Enterprise\BES Server\* as the text for the exclusion.


22. Click the + Add Exclusion button 3 times to insert 3 new blank lines.


a. 2nd Entry:

i. Exclusion Type = Wildcard

ii. Exclusion Entry = *\Program Files (x86)\BigFix Enterprise\BES Relay\*

b. 3rd Entry:

i. Exclusion Type = Wildcard

ii. Exclusion Entry = *\Program Files (x86)\BigFix Enterprise\BES Client\*

c. 4th Entry:

i. Exclusion Type = Path

ii. Exclusion Entry = CSIDL_LOCAL_APPDATA\BigFix

d. Once all 4 entries are added, as shown below, click Save.

23. Your exclusion values are now added to the exclusion set and you have successfully added the required exclusions for
BigFix to both the workstation and server exclusion sets.

Note: You have successfully created exclusion sets for an application in the customer environment that is not part of the Cisco
default exclusions. Remember that an exclusion set must have at least one exclusion in order to be created and that multiple
exclusion sets may be attached to a single policy. During the initial phases of a deployment you may not have any paths identified
that need to be excluded for certain endpoint types (Mac, Linux, etc.). Policies for those endpoint types may not have any
exclusions attached or may just have the Cisco default entries. You can always create a custom exclusion set and attach it at a
later time.
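The difference between the two sets you just built is easy to get wrong on a real endpoint: a Path entry anchored on a CSIDL token covers only the folder that token resolves to, while the server set's Wildcard entries cover a BigFix install on any drive. The script below is an added example, not part of the lab guide and not Cisco code, that expands the scenario's entries and tests candidate file paths against them. It assumes the console resolves CSIDL tokens to the same folders as the corresponding Windows environment variables, that a Path exclusion covers the folder and everything beneath it, and that `*` in a Wildcard exclusion matches any run of characters including backslashes; check the console documentation for the exact matching rules before relying on it.

```python
"""Test the BigFix exclusion entries from this scenario against file paths,
showing why the server set uses Wildcard entries instead of CSIDL paths.

Added example, not part of the lab guide. Assumptions: CSIDL tokens expand to
the folders named by the matching Windows environment variables; a Path entry
covers its folder recursively; '*' in a Wildcard entry matches any characters,
backslashes included. Confirm against the console documentation.
"""
import os
import re

# Console CSIDL token -> Windows environment variable (assumption)
CSIDL_ENV = {
    "CSIDL_PROGRAM_FILES": "ProgramFiles",
    "CSIDL_PROGRAM_FILESX86": "ProgramFiles(x86)",
    "CSIDL_LOCAL_APPDATA": "LOCALAPPDATA",
    "CSIDL_WINDOWS": "SystemRoot",
}

# The entries created in this scenario: (exclusion type, exclusion entry)
CLIENT_SET = [
    ("path", r"CSIDL_PROGRAM_FILESX86\BigFix Enterprise\BES Client"),
    ("path", r"CSIDL_PROGRAM_FILESX86\BigFix Enterprise\BES Relay"),
    ("path", r"CSIDL_LOCAL_APPDATA\BigFix"),
]
SERVER_SET = [
    ("wildcard", r"*\Program Files (x86)\BigFix Enterprise\BES Server\*"),
    ("wildcard", r"*\Program Files (x86)\BigFix Enterprise\BES Relay\*"),
    ("wildcard", r"*\Program Files (x86)\BigFix Enterprise\BES Client\*"),
    ("path", r"CSIDL_LOCAL_APPDATA\BigFix"),
]


def expand_csidl(entry, env):
    """Replace a leading CSIDL token with the folder taken from `env` (a dict)."""
    token, sep, rest = entry.partition("\\")
    var = CSIDL_ENV.get(token)
    if var is None:
        return entry                      # not a CSIDL path; leave unchanged
    base = env.get(var)
    if base is None:
        raise KeyError(f"{var} is not set; cannot expand {token}")
    return base.rstrip("\\") + sep + rest


def exclusion_regex(kind, entry, env):
    """Compile one exclusion entry into an anchored, case-insensitive regex."""
    if kind == "path":
        # the folder itself, or anything below it
        pattern = re.escape(expand_csidl(entry, env)) + r"(\\.*)?"
    else:
        # literal text with '*' standing for any run of characters
        pattern = ".*".join(re.escape(part) for part in entry.split("*"))
    return re.compile("^" + pattern + "$", re.IGNORECASE)


def covered_by(exclusion_set, target, env):
    """Return the entries in `exclusion_set` that exclude the file path `target`."""
    return [entry for kind, entry in exclusion_set
            if exclusion_regex(kind, entry, env).match(target)]


def missing_folders(exclusion_set, env):
    """Path entries whose expanded folder does not exist on this host.
    Only meaningful when run on the Windows endpoint being deployed."""
    return [entry for kind, entry in exclusion_set
            if kind == "path" and not os.path.isdir(expand_csidl(entry, env))]


if __name__ == "__main__":
    env = dict(os.environ)
    try:
        for name, exc in (("client", CLIENT_SET), ("server", SERVER_SET)):
            print(name, "set, Path entries with no folder on this host:", missing_folders(exc, env))
    except KeyError as err:
        print("run this on the Windows endpoint itself:", err)
```

Run on a workstation where BigFix lives under `C:\Program Files (x86)`, both sets cover the client binaries; move the same install to `D:\` and only the server set's Wildcard entries still match, which is the point the note above makes. The `missing_folders` check is the pre-deployment sanity test: a Path entry that resolves to a folder that does not exist on the target is either mistyped or should have been a Wildcard.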



Simple Custom Detection


You will now create a Simple Custom Detection as a placeholder so that file hashes can be blocked with this list in the future. This
list of hashes can be used by one or more policies. For the customer in our lab, we will use a common Simple Custom Detection
across all the policies in this deployment.

1. Click the Outbreak Control menu and select the CUSTOM DETECTIONS > Simple menu item

2. The Custom Detections - Simple screen will now appear. Click the Create button.

3. In the Name field enter ABC - Quarantine List and click the Save button.

4. The ABC - Quarantine List Simple Custom Detection now appears in the list. Notice that it is not yet tied to any policies
and does not have any file entries in the list. We are creating this Simple Custom Detection at this time, so it can be
referenced in the Policy configuration we are about to create. It will be edited later in the deployment when we desire to
block specific files.


Application Control
You will now create both the Application Control Blocking and Whitelisting lists so they may be used later in the deployment.
These must be created prior to Policies so they can be referenced during Policy configuration.

1. Click the Outbreak Control menu and select the APPLICATION CONTROL > Blocking menu item

a. The Application Control - Blocking page will now appear. Click the Create button.

b. In the Name field, enter ABC - Application Block List and click the Save button


c. You will now see the ABC - Application Block List that was just created.


2. We will now add our Whitelist. Click the Outbreak Control menu and select the APPLICATION CONTROL > Whitelisting
menu item

a. The Application Control - Whitelisting page will now appear. Click the Create button.

b. In the Name field enter ABC - Application Whitelist and click the Save button.

c. You will now see the ABC - Application Whitelist that was created.

You have created the objects in the AMP for Endpoints console that are required items before creating policies and groups. Now
that you have created the exclusion sets, Simple Custom Detection list, and application whitelist items you may now proceed to
create the policies in the console.


Scenario 3. Create Audit Only Policies


You will now go through the process of creating policies in the AMP for Endpoints console. You will create a policy per endpoint type
in Audit mode. A policy controls which exclusions are applied to a connector, whether the machine is in Audit or Protect mode, and
several other settings. It can be beneficial to have several policies to allow granularity for customer endpoint types (Windows end
user devices, Windows Servers, Linux Servers, Macs, etc.), or to allow different configurations to be applied to varying systems
for regulatory or audit purposes.

Windows Endpoint Audit Mode Policy


1. Click the Management menu and select the Policies menu item.

2. The Policies page will appear along with some of the built-in policies that are created in the console by default. Click the +
New Policy button.

3. The New Policy box will appear. Click the Select Product dropdown menu and select the Windows product.


4. Click the New Policy button

5. The New Policy page appears. You will now customize the policy settings.

6. Complete the Modes and Engines section of the policy configuration by entering in the values listed below:

a. Name: ABC - Windows Endpoint Audit


b. Description: Audit mode policy for Windows desktops and laptops utilized by end users

c. Files: Audit
d. Network: Audit

e. Malicious Activity Protection: Audit

f. System Process Protection: Disabled

g. Detection Engines - TETRA: Checked

h. Detection Engines - Exploit Prevention: Checked

7. Scroll down if necessary, click the Next button, and the form will move ahead to the Exclusions section


Note: Notice that you can attach multiple exclusion sets from the Cisco-Maintained Exclusions as well as Custom Exclusions that
you have created. The Microsoft Windows Default exclusion set is pre-selected for you.

8. Click the dropdown menu button under Cisco-Maintained Exclusions that currently says None Selected

9. You will see a list of exclusion sets that Cisco has prebuilt and a way to search those existing exclusion sets

10. During project planning phase, your customer stated that they are running Symantec Endpoint Protection and Windows
Defender on some machines in the environment. You will now search for those exclusions and add them to the policy
configuration.

11. Type Symantec in the Search field and place a checkmark in the Symantec Endpoint Protection entry.

12. Type Windows Defender in the Search field and place a checkmark in the Windows Defender entry.

13. All required Cisco-Maintained Exclusions for this customer have been added, you will now add in the custom exclusion
set you created earlier.


14. Click the dropdown menu button under Custom Exclusions that currently says None Selected

15. Place a checkmark in the ABC – BigFix Client Exclusions entry. You have completed attaching exclusions to the policy.

16. Click the Next button and the form will move ahead to the Proxy settings.

17. On the Proxy configuration page, leave the default value of None as the proxy type.


18. Click the Outbreak Control menu on the left side of the page and configure the settings based on the values below:

a. Custom Detections - Simple: ABC - Quarantine List

b. Custom Detections - Advanced: None

c. Application Control - Whitelisting: ABC - Application Whitelist

d. Application Control - Blocking: ABC - Application Block List

e. When finished, your policy settings should match those shown below.

19. Click the Advanced Settings menu on the left side of the screen and review the settings on the Administrative Features
sub-menu. No changes are currently required on this page.


20. Click the Client User Interface sub-menu of Advanced Settings on the left of the screen and review the settings. No
changes are currently required on this page.

21. Click the File and Process Scan sub-menu of Advanced Settings on the left side of the screen and configure the
settings based on the values below:

a. Monitor File Copies and Moves: Checked

b. Monitor Process Execution: Checked

c. Verbose History: Unchecked

d. On Execute Mode: Passive

e. Maximum Scan File Size: 50 MB

f. Maximum Archive Scan File Size: 100 MB

g. Do not click Save yet


22. Click the Cache sub-menu of Advanced Settings on the left side of the screen and review the settings. No changes are
needed on this page.

23. Click the Engines sub-menu of Advanced Settings on the left side of the screen and review the settings. No changes
are needed on this page.


24. Click the TETRA sub-menu of Advanced Settings on the left side of the screen and review the settings. No changes are
needed on this page.

25. Click the Network sub-menu of Advanced Settings on the left side of the screen and configure the settings based on the
values below

a. Enable Device Flow Correlation: Checked

b. Detection Action: Audit

c. Blacklist Data Source: Custom and Cisco

26. Click the Scheduled Scans sub-menu of Advanced Settings on the left side of the screen and review the settings. No
changes are needed on this page.

27. Click the Save button to save the changes you have made to the new policy.

28. You have now created a Windows Endpoint Audit Policy. You will now create additional Audit Mode policies required for
this customer deployment.

Note: Notice that when making changes to a default setting within a policy, the circle with a white “i” (information) changes its color
to blue to signal that you have changed this from its default value. This is just for informational purposes to denote custom vs.
default settings.

Windows Server Audit Mode Policy


We will now continue building the required policies for our deployment by creating a Windows Server Audit policy.

1. On the Management > Policies page, click the + New Policy button.

2. The New Policy box will appear. Click the Select Product dropdown menu and select Windows.

3. Click the New Policy button

4. The New Policy page appears. You will now customize the policy settings.

5. Complete the Modes and Engines section of the policy configuration by entering in the values listed below

a. Name: ABC - Windows Server Audit

b. Description: Audit mode policy for Windows servers that are not Active Directory servers

c. Files: Audit

d. Network: Disabled

e. Malicious Activity Protection: Disabled

f. System Process Protection: Disabled

g. Detection Engines - TETRA: Unchecked

h. Exploit Prevention: Unchecked

6. Click the Next button

7. On the Exclusions page ensure that you have the following exclusions attached (Attach what is missing if necessary)

a. Cisco-Maintained

i. Microsoft Windows Default

ii. Symantec Endpoint Protection

iii. Windows Defender

b. Custom Exclusions

i. ABC - BigFix Server Exclusions

8. Click the Next button

9. On the Proxy configuration page leave the default value of None as the proxy type.

10. Click the Outbreak Control menu on the left side of the page and configure the settings based on the values below.

a. Custom Detections - Simple: ABC - Quarantine List

b. Custom Detections - Advanced: None

c. Application Control - Whitelisting: ABC - Application Whitelist

d. Application Control - Blocking: ABC - Application Block List

11. Your Outbreak Control settings should match those shown below:

12. Click the Advanced Settings menu on the left of the screen.

13. Select the File and Process Scan sub-menu

14. On the File and Process Scan window, configure the settings based on the values below:

a. Monitor File Copies and Moves: Checked

b. Monitor Process Execution: Checked

c. Verbose History: Unchecked

d. On Execute Mode: Passive

e. Maximum Scan File Size: 50 MB

f. Maximum Archive Scan File Size: 100 MB

15. Click the Save button to save the changes you have made to the new policy.

16. You have now created our ABC - Windows Server Audit policy. You will now create additional Audit Mode policies
required for the deployment.

Note: As referenced in the “AMP for Endpoints Deployment Strategy” guide, for servers that require a high number of network
connections such as SQL, Exchange, or large file servers, it is recommended to disable DFC (Device Flow Correlation). These
servers could be placed in a separate policy that has this setting configured.

Linux Server Audit Mode Policy


We will now create a Linux Audit policy for our deployment.

1. On the Policies page click the + New Policy button.

2. The New Policy box will appear. Click the Select Product dropdown menu and select the Linux product.

3. Click the New Policy button

4. The New Policy page appears. You will now customize the policy settings.

5. Complete the Modes and Engines section of the policy configuration by entering in the values listed below

a. Name: ABC - Linux Server Audit

b. Description: Audit mode policy for Linux servers

c. Files: Audit

d. Network: Disabled

e. Detection Engines - ClamAV: Unchecked

6. Click the Next button

7. On the Exclusions configuration page, since we have not yet created a Linux Exclusion list, we can click Next and leave
the default setting on this page.

8. On the Proxy configuration page leave the default value of None as the proxy type.

9. Click the Outbreak Control menu on the left side of the page and configure the settings based on the values below.

a. Custom Detections - Simple: ABC - Quarantine List

b. Custom Detections - Advanced: None

c. Application Control - Whitelisting: ABC - Application Whitelist

d. Application Control - Blocking: ABC - Application Block List

10. Click the Advanced Settings menu on the left of the screen.

11. Select the File and Process Scan sub-menu

12. On the File and Process Scan window configure the settings based on the values below

a. Monitor File Copies and Moves: Checked

b. Monitor Process Execution: Checked

c. On Execute Mode: Passive

d. Maximum Scan File Size: 50 MB

e. Maximum Archive Scan File Size: 100 MB

13. Click the Save button to save the changes you have made to the new policy.

14. You have now created the ABC - Linux Server Audit policy.

Note: You have successfully created policies for Windows Endpoints, Windows Servers, and Linux Server connectors. You will
now create Groups that will allow AMP for Endpoint Connectors to be managed within a logical container and have policy applied
to them.

Scenario 4. Create Groups


You will now go through the process of creating groups for your connectors in the console. AMP for Endpoint Connectors are
associated with a Group, which is then tied to a Policy, which in turn applies various exclusions, block lists, whitelists, UI settings,
and other configuration parameters. Groups also allow similar functional types of machines to be put in a container for reporting
purposes if desired. In this deployment, you will be creating groups for each of the functional types of devices the ABC customer
has in their environment. Audit mode groups will be created at this point in the deployment. Protect mode groups will be created
later. Once the audit mode groups are created, you will be ready to deploy the Connector software to various endpoints at the
customer.

The customer has Windows desktop endpoints, Windows application servers, and Linux application servers. Within the Windows
desktop endpoints there are several functional types of machines. Machines that are subject to certain regulatory or compliance
rules such as PCI or HIPAA will be managed via a separate group structure for management and reporting purposes. As the
deployment progresses, more groups could be created to manage additional types of endpoints separately from the main groups we
will be working with currently.

Windows Endpoint Audit Mode Group


We will now create a group for Windows Audit Mode systems.

1. Click the Management menu and select the Groups menu item.

2. Click the Create Group button.

a. In the Name field enter ABC - Windows Endpoints Audit

b. In the Description field enter Group to manage Windows endpoint devices in Audit mode

c. In the Windows Policy field choose the ABC - Windows Endpoint Audit policy item.

3. Leave all other settings at the default values and click the Save button.

Windows Compliance Audit Mode Group


We will now create a group for Windows Compliance based systems that are in Audit mode.

1. Ensure you are on the Groups configuration page. Click the Create Group button.

a. In the Name field enter ABC - Windows Compliance Audit

b. In the Description field enter Group to manage Windows endpoint devices that fall under Compliance
regulations in Audit mode

c. In the Windows Policy field choose the ABC - Windows Endpoint Audit policy item.

2. Leave all other settings at the default values and click the Save button.

Note: The group you just made for customer Compliance systems is using the policy you previously created for Windows
Endpoints in Audit mode. The systems that are members of the ABC - Windows Endpoints Audit group and systems that are
members of the ABC - Windows Compliance Audit group will have the same configuration applied to them at this point (same
exclusions, audit/block settings, user interface settings, etc.) but can be managed separately for reporting purposes.
Additionally, at a later time, the policy settings could be changed to a different policy if the configuration of these machines
needed to be separate from the ABC - Windows Endpoint Audit group systems.

Windows Server Audit Mode Group


We will now create a group for Windows Servers in Audit mode.

1. Ensure you are on the Groups configuration page. Click the Create Group button.

a. In the Name field enter ABC - Windows Server Audit

b. In the Description field enter Group to manage Windows servers in Audit mode

c. In the Windows Policy field choose the ABC - Windows Server Audit policy item.

2. Leave all other settings at the default values and click the Save button.

Linux Server Audit Mode Group


We will now create a group to manage our Linux servers that are in Audit mode.

1. Ensure you are on the Groups configuration page. Click the Create Group button.

a. In the Name field enter ABC - Linux Server Audit

b. In the Description field enter Group to manage Linux servers in Audit mode

c. In the Linux Policy field choose the ABC - Linux Server Audit policy item.

2. Leave all other settings at the default values and click the Save button.

Note: You have successfully created groups for the devices you will deploy the AMP for Endpoints Connector to in Audit mode.
You will now deploy the Connector to various types of endpoints within the customer deployment.

Scenario 5. Connector Deployment


You will now install the AMP Connector software on various types of endpoints in the customer environment. You will utilize a
manual interactive install on Windows, a command-line silent installation on Windows, and a command-line silent installation on
Linux. The manual installation will familiarize you with installing on a small test environment, or “one-off” machines, while the
command-line installations will be beneficial when working with customers that will be deploying the AMP for Endpoints Connector
application via a software deployment solution such as Microsoft System Center Configuration Manager (SCCM), or IBM BigFix.

Note: IMPORTANT!!! The following steps are to be completed on the machines in the dCloud lab environment ONLY!

DO NOT perform the connector installation on any systems outside of the dCloud lab environment. Ensure you are connected to
the Jumphost machine in the dCloud environment through AnyConnect or the dCloud web-based RDP connection before
continuing.

Windows Endpoint - GUI


You will now perform the installation of the AMP for Endpoints Connector on the Wkst1 machine using the GUI installation process.
You will login to the AMP for Endpoints Console first to obtain the URL for the Connector download, then download the connector
on the Wkst1 machine using the link.

1. Ensure you are logged in to the AMP for Endpoints console from the Jumphost workstation

2. Click the Management menu and select the Download Connector menu item.

3. The Download Connector screen now appears prompting you to Select a Group.

4. Click the Select a Group dropdown menu and select the ABC - Windows Endpoints Audit group.

5. In the Windows section, ensure both the Flash Scan on Install and Redistributable checkmark boxes are checked.

Note: Checking the Redistributable box means that the installer can be used offline and does not need to download installation
files from the cloud. The Redistributable option would be required for most software deployments and eliminates many
potential issues associated with downloading installation files on-demand at installation time.

6. Click the Show URL button in the Windows section of the page.

7. You will now see the URL that can be used to download the Connector for the Windows Endpoint machines. Click the
Copy URL button to copy the URL into the clipboard so you can paste it later.

8. On the desktop of the Jumphost machine (you may need to minimize Chrome to see the desktop), double-click on the
Remote Desktop Connection shortcut for the Wkst1 computer

9. You should automatically be logged onto the Wkst1 machine. You can verify that you are logged into the Wkst1 machine
by looking at the top of the screen for the Remote Desktop Connection bar and the background of the desktop will show
the name of the machine currently logged into as shown below.

10. Open the Chrome web browser by double-clicking the shortcut on the desktop of the Wkst1 machine

11. Paste the URL copied from the AMP for Endpoints Console in the previous step in the address bar of the browser and
press the Enter key.

12. The setup file will begin to download. Once the file has downloaded you should see it appear in the lower left corner of the
Chrome browser.

13. Click on the downloaded file “ABC_-_Windows_Endpoints_Audit_FireAMPSetup.exe” in the lower left of the browser
to launch the setup process.

14. If you are presented with a User Account Control window prompt, click the Yes button to proceed with the setup process.

15. When prompted for the Install Location take the setup defaults and click the Install button.

16. The setup process will now begin. This may take a few minutes to complete.

17. Once the installation has been completed you should receive the following notification. Click the Next button to proceed.

18. Place a checkmark in the Create Desktop Shortcut checkmark box and click the Close button.

19. The Cisco AMP for Endpoints user interface will now display. The status should say Connected.

20. Notice the AMP4E system tray icon (blue circle) on the remote desktop computer tray in the lower right of the screen near
the date and time. You may need to click the Show Hidden Icons up-arrow to have the system tray icons appear.

21. The installation appears to be successful and the AMP4E Connector appears to be running. We will investigate the
installation status more in depth during later Connector installs. You will now verify the Connector appears in the AMP4E
console.

22. Disconnect from your Remote Desktop session with the WKST1 machine by clicking the X on the blue bar at the top of
the screen.

23. Return to the AMP for Endpoints console window running in Chrome on the Jumphost machine in dCloud. Click the
Management menu and select the Computers menu item.

24. The WKST1 machine should now appear in the list of Computers. You may click the plus symbol next to the computer
name to expand the entry and view more details about the computer.

25. The WKST1 computer has successfully had the AMP for Endpoints Connector installed and you have verified that it is
connecting to the AMP for Endpoints Console. You will now perform an installation for an additional Windows Workstation
endpoint.

26. On the desktop of the Jumphost machine, double-click on the Remote Desktop Connection shortcut for the Wkst2
computer

27. You should automatically be logged onto the Wkst2 machine. You can verify that you are logged into the Wkst2 machine
by looking at the top of the screen for the Remote Desktop Connection bar and the background of the desktop will show
the name of the machine currently logged into as shown below.

28. Open the Chrome web browser by double-clicking the shortcut on the desktop of the Wkst2 machine

29. Paste the same Connector Download URL copied from the AMP for Endpoints Console previously into the address bar of
the browser and hit the Enter key.

30. The setup file will begin to download. Once the file has downloaded you should see it appear in the lower left corner of the
Chrome browser.

31. Click on the downloaded file “ABC_-_Windows_Endpoints_Audit_FireAMPSetup.exe” in the lower left of the browser
to launch the setup process.

32. If you are presented with a User Account Control window prompt, click the Yes button to proceed with the setup process.

33. When prompted for the Install Location take the setup defaults and click the Install button.

34. The setup process will now begin. This may take a few minutes to complete.

35. Once the installation has been completed you should receive the following notification. Click the Next button to proceed.

36. Place a checkmark in the Create Desktop Shortcut checkmark box and click the Close button.

37. The Cisco AMP for Endpoints user interface will now display. The status should say Connected.

38. Notice the AMP4E system tray icon (blue circle) on the computer in the lower right of the screen near the date and time.
You may need to click the Show Hidden Icons up-arrow to have the system tray icons appear.

39. The installation appears to be successful and the AMP4E Connector appears to be running. We will investigate the
installation status more in depth during later Connector installs. You will now verify the Connector appears in the AMP4E
console.

40. Disconnect from your Remote Desktop session with the WKST2 machine by clicking the X on the blue bar at the top of
the screen.

41. Return to the AMP for Endpoints console window running on the Jumphost machine in dCloud. Click the Management
menu and select the Computers menu item.

42. The WKST2 machine should now appear in the list of Computers. You may click the plus symbol next to the computer
name to expand the entry and see more details about the computer.

43. The WKST2 computer has successfully had the AMP for Endpoints Connector installed and you have verified that it is
connecting to the AMP for Endpoints Console. You will now perform an installation for an additional endpoint type.

Windows Server - Command Line


You will now perform the installation of the AMP for Endpoints Connector on the Server1 machine using the command-line
installation process. You will login to the AMP for Endpoints Console first to obtain the URL for the Connector download and then
download the connector on the Server1 machine using the link. You will use the command-line setup process for the Windows
server due to specific setup parameters that need to be passed to the installation process. This will also showcase a silent
installation that can be used to automate the AMP for Endpoints deployment in the customer environment. The command line used
in this example can be used in scripts, software distribution solutions, etc. to get the agent installed and deployed across an
environment.

1. Ensure you are logged in to the AMP for Endpoints console from the Jumphost.

2. Click the Management menu and select the Download Connector menu item.

3. The Download Connector screen now appears.

4. Click the Select a Group dropdown menu and select the ABC - Windows Server Audit group.

5. Ensure both the Flash Scan on Install and Redistributable checkmark boxes are checked and click the Show URL
button.

6. You will now see the URL that can be used to download the Connector for the Windows Server machines. Click the Copy
URL button to copy the URL into the clipboard so you can paste it later.

7. On the desktop of the Jumphost machine, double-click on the Remote Desktop Connection shortcut for the Server1
computer

8. You should automatically be logged onto the Server1 machine. You can verify that you are logged into the Server1
machine by looking at the top of the screen for the Remote Desktop Connection bar and the background of the desktop
will show the name of the machine currently logged into as shown below.

9. Open the Internet Explorer web browser by clicking the Start button and then selecting the Internet Explorer icon on the
Start Menu.

10. Paste the URL copied from the AMP for Endpoints Console in the previous step in the address bar of the browser and
press the Enter key.

11. Verify the name of the connector is for the Windows Server, then click the Save button.

12. Once the download has completed open an Administrative Command Prompt by right-clicking on the Start button and
selecting the Command Prompt (Admin) menu item.

13. The Command Prompt window will now appear. Enter the command cd C:\Users\Administrator.AD1\Downloads and
press the Enter key.

14. You will now use command line parameters to customize the setup of the AMP for Endpoints Connector installation for
servers. Enter the following command at the command prompt and press the Enter key. (You can speed the entry and
accuracy of the executable name by typing ABC, then pressing the Tab key to autocomplete the filename. After the name
appears, continue to complete the entire command.)

a. ABC_-_Windows_Server_Audit_FireAMPSetup.exe /S /skiptetra 1 /skipdfc 1

Note: As mentioned in the AMP for Endpoints Deployment Guide, it is recommended that servers that have a large amount of
network transactions and/or applications with high resource demands have the Tetra engine and Device Flow Correlation disabled.

In addition to the policy settings you previously set for the Servers policy, you must also use the command line shown above to
prevent the installation of the components.

15. There will not be any visual indicators that the setup process is running, as the command-line parameters have configured
the install to run in silent mode. You will now verify that the installation completed successfully.

16. Open Computer Management by right-clicking the Start button and selecting the Computer Management menu item.

17. In the left-pane of Computer Management, expand Services and Applications and select Services.

18. On the right window pane look for the service entry of the Cisco AMP for Endpoints Connector service. Verify that it
exists, and that the status of the service is Running.

Note: You can also review the installation log file named “immpro_install.log” that is written to the
“C:\ProgramData\Cisco\AMP” folder on the computer. This is not necessary for this lab, but feel free to explore as necessary.

19. Exit the remote Server1 remote session by clicking the X on the top bar of the RDP client.

20. You will now verify the Connector appears in the AMP4E console.

21. Return to the AMP for Endpoints console window running on the Jumphost machine in dCloud. Click the Management
menu and select the Computers menu item.

22. The Server1 machine should now appear in the list of Computers. You may click the plus symbol next to the computer
name to expand the entry and see more details about the computer.

23. The Server1 computer has successfully had the AMP for Endpoints Connector installed and you have verified that it is
connecting to the AMP for Endpoints Console. You will now perform an installation for an additional endpoint type.

Linux Server - Command Line


You will now perform the installation of the AMP for Endpoints Connector on a Linux server using the command-line installation
process over SSH. You will login to the AMP for Endpoints Console first to download the Linux installation file, transfer the file to
the Linux server, then execute the installation via SSH. You will use the command-line setup process for the Linux server as there
is no GUI environment available for this machine.

1. Ensure you are logged in to the AMP for Endpoints console from the Jumphost.

2. Click the Management menu and select the Download Connector menu item.

3. The Download Connector screen now appears.

4. Click the Select a Group dropdown menu and select the ABC - Linux Server Audit group.

5. In the Linux section, ensure the Flash Scan on Install checkmark box is checked.

6. Click the Distribution drop-down option and choose RHEL/CentOS 7

7. Click the Download button in the Linux section and verify the download has completed before continuing.

8. You will now utilize WinSCP to transfer the installation file to the Linux server, so the installation can be executed on that
system via SSH. Open the WinSCP application using the shortcut on the desktop of the Jumphost machine. Do not
upgrade the WinSCP product.

9. The Login window for WinSCP will now appear.

10. Configure the fields of the Login screen as shown below:

a. File protocol: SCP

b. Host name: 198.18.134.50

c. Port number: 22

d. User name: root

e. Password: C1sco12345

11. Click the Login button

12. If presented with a Warning screen referring to the SSH key fingerprint, click the Yes button to proceed.

13. You will now connect to the Linux server via WinSCP and must now navigate to the location on the Jumphost machine
where the AMP for Endpoints Linux Connector is located in order to transfer it to the Linux server.

14. In the left window pane of WinSCP, navigate up the directory structure one directory by double-clicking on the folder
with the two periods and up arrow. You may also use the “parent directory” button with an up arrow on it in the user
interface navigation bar. Locate the Downloads folder.

15. Again, in the left pane, double-click on the Downloads directory

16. You should now see the RPM file located in the downloads directory. You will now transfer the RPM file to the remote
Linux server.

17. Upload the RPM file by selecting the file on the left pane and clicking the Upload button on the left side of the WinSCP
application.

18. When the Upload window appears, click the OK button

19. You will now see that the RPM file has been successfully transferred to the remote system as it appears on the right
window pane of WinSCP.

20. Close the WinSCP application and Click OK when asked to confirm Terminate the session.

21. Now that the installation file has been transferred to the Linux server, you will login via SSH and execute the setup
process. Open the PuTTY application on the Jumphost by double-clicking on the shortcut located on the desktop.

22. The Putty screen will now appear

23. Enter the following values:

a. Host name: 198.18.134.50

b. Port: 22

c. Connection type: SSH

24. Click Open

25. When prompted for the user name and password, use the following values:

a. Login as: root

b. Password: C1sco12345

26. Ensure you are in the /root directory by typing the command cd /root and pressing the Enter key

27. Type the command yum localinstall ABC_-_Linux_Server_Audit_rhel-centos-7fireamplinux_connector.rpm -y and
press Enter. (To speed up entry of the command and avoid typing mistakes, once you start typing the RPM name you can
press Tab to auto-complete the rest of the RPM name. Do not forget to add the final -y switch to the command line before
pressing Enter.)

28. You should receive a message stating that the installation is complete as shown below.

29. Once the installation has completed, you may verify the AMP Connector is functional.

a. Type the command /opt/cisco/amp/bin/ampcli status and press Enter.

30. The status output shows that the connector is “Connected” and which policy the connector is attached to. If it still
shows “Initializing…”, repeat the command until the status is “Connected”.

Note: You can access the log files generated by the AMP for Endpoints Connector for Linux in /var/log/cisco on the Linux host’s
file system. This is not required for this lab.
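The install and verification steps above can be scripted for a larger Linux rollout. The following is an added example and is not part of the lab manual or Cisco's own tooling: it wraps the two commands the lab types by hand (yum localinstall with -y, then ampcli status) and polls the status until the connector reports “Connected” rather than “Initializing…”. The exact line layout of the ampcli status output (“Status: …”, “Policy: …”) is an assumption; the parser relies only on those keywords, and the sample outputs are constructed.

```python
"""Post-install check for the AMP for Endpoints Connector on Linux.

Added example; not part of the dCloud lab manual and not Cisco code. It wraps
the two commands the lab runs by hand (yum localinstall <rpm> -y, then
/opt/cisco/amp/bin/ampcli status) and polls the status until the connector is
"Connected". The "Status: ..." / "Policy: ..." line layout of the ampcli
output is an assumption; the parser relies only on those two keywords.
"""
import os
import re
import subprocess
import time

AMPCLI = "/opt/cisco/amp/bin/ampcli"   # connector CLI path given in the lab
RPM = "ABC_-_Linux_Server_Audit_rhel-centos-7fireamplinux_connector.rpm"

# Constructed sample outputs (assumed layout), used for an offline dry run.
SAMPLE_INITIALIZING = "Status: Initializing...\nPolicy: ABC - Linux Server Audit\n"
SAMPLE_CONNECTED = "Status: Connected\nMode: Normal\nPolicy: ABC - Linux Server Audit\n"


def parse_status(output: str) -> dict:
    """Reduce ampcli status text to {"state": ..., "policy": ...}.

    state is "connected", "initializing", "disconnected" or "unknown".
    """
    state, policy = "unknown", None
    for raw in output.splitlines():
        line = raw.strip()
        if re.search(r"\bNot Connected\b", line, re.IGNORECASE):
            state = "disconnected"
        elif re.search(r"\bConnected\b", line):
            state = "connected"
        elif "Initializing" in line:
            state = "initializing"
        m = re.match(r"Policy:\s*(.+)$", line)
        if m:
            policy = m.group(1).strip()
    return {"state": state, "policy": policy}


def wait_until_connected(get_status, attempts=12, delay=5.0) -> dict:
    """Call get_status() (returns ampcli text) until the state is connected.

    Mirrors lab step 30: keep re-checking while the connector is still
    initializing. Raises TimeoutError if it never connects.
    """
    last = None
    for n in range(attempts):
        last = parse_status(get_status())
        if last["state"] == "connected":
            return last
        if n < attempts - 1:
            time.sleep(delay)
    raise TimeoutError(f"connector not Connected after {attempts} checks: {last}")


def ampcli_status() -> str:
    """Run the real command from lab step 29a and return its stdout."""
    return subprocess.run([AMPCLI, "status"], capture_output=True,
                          text=True, check=True).stdout


def install_rpm(rpm: str = RPM) -> None:
    """Lab step 27: unattended local install (-y answers yum's prompt)."""
    subprocess.run(["yum", "localinstall", rpm, "-y"], check=True)


if __name__ == "__main__":
    if os.path.exists(RPM):                  # on the CentOS lab host, as root
        install_rpm()
    if os.path.exists(AMPCLI):
        print(wait_until_connected(ampcli_status))
    else:                                    # elsewhere: dry run on the samples
        feed = iter([SAMPLE_INITIALIZING, SAMPLE_CONNECTED])
        print(wait_until_connected(lambda: next(feed), delay=0))
```

Run it as root in /root on the CentOS host after copying the RPM there; on any other machine it falls back to the constructed sample output so the polling logic can be exercised without the connector installed.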

31. Close the SSH session to the Linux host by typing exit and pressing Enter.

32. You will now verify the Connector appears in the AMP4E console.

33. Return to the AMP for Endpoints console window running on the Jumphost machine in dCloud.

34. Click the Management menu and select the Computers menu item.

35. The CentOS machine should now appear in the list of Computers. You may click the plus symbol next to the computer
name to expand the entry and see more details about the computer.

36. The CentOS computer has successfully had the AMP for Endpoints Connector installed and you have verified that it is
connecting to the AMP for Endpoints Console.

Note: You have deployed the AMP for Endpoints Connector in Audit mode for all machine types in the customer environment.
You will now move on to analyzing Connector behavior and other tasks required before moving any systems into Protect
mode.

Scenario 6. Application Testing - Audit Mode

You have successfully deployed the AMP for Endpoints Connector to your customer’s pilot deployment machines. You will now
begin the process of testing applications to determine whether AMP for Endpoints would block any unexpected applications
when the endpoints are moved into Protect mode.

Note: While it is unlikely that standard commercial applications would be blocked by Cisco AMP for Endpoints, it is a best
practice to go through a testing phase of the deployment in Audit mode. During this phase, it is beneficial to have the customer
test all approved business applications on the pilot machines before moving into Protect mode. This will identify if there are
any applications that may be blocked before causing a production issue. Additionally, this testing phase can help show the
customer that the majority of their standard applications will not be affected by Cisco AMP for Endpoints.

Note: The scenarios below are just examples of some applications in our fictitious customer’s environment that need to be
tested for functionality. The applications you test in your customer deployments will need to reflect their actual usage of
applications within their unique environment. Ideally, the AMP for Endpoints Connector would be installed on either dedicated
testing machines where end users can verify functionality, or some of the initial pilot machines would include varying segments
of the end user population such that real daily activity can be seen and monitored for potential quarantines in audit mode.

Endpoint Application Testing

1. On the desktop of the Jumphost machine, double-click on the Remote Desktop Connection shortcut for the Wkst1
computer.

2. You should automatically be logged on to the Wkst1 machine. You can verify that you are logged in to the Wkst1 machine
by looking at the Remote Desktop Connection bar at the top of the screen; the desktop background also shows the name of
the machine you are currently logged in to, as shown below.

3. The customer has notified you that the Marketing department has a specialized financial application that should be
specifically tested on the audit mode machines. You will now run the application to generate events in the AMP for
Endpoints console and review the results.

4. On the desktop of the WKST1 machine, close all open windows and applications.

5. Double-click on the Simple Calculator shortcut to run the Marketing department’s critical application.

6. The Simple Calculator application should appear on the screen. Perform some basic calculations to simulate use of the
application, and then close the window.

7. Open the Word application by double-clicking on the Word 2016 shortcut on the desktop.

8. Click the option to open a blank document.

9. Type Cisco AMP for Endpoint Testing on the document, click the File menu, and click the Save menu item.

10. On the Save As screen, click This PC, and click the Documents folder.

11. When prompted to name the file, use the default value, and click the Save button.

12. Close the Word application.

13. Open the Excel application by double-clicking on the Excel 2016 shortcut on the desktop.

14. Click the option to open a blank workbook.

15. Type Cisco AMP for Endpoint Testing in the workbook, click the File menu, and click the Save menu item.

16. On the Save As screen, click This PC, and click the Documents folder.

17. When prompted to name the file, use the default value, and click the Save button.

18. Close the Excel application.

19. Open the Adobe Reader application by double-clicking on the Adobe Reader XI shortcut on the desktop.

20. If prompted to make Adobe the default PDF reader, click OK. Then click Yes. Then click OK.

21. Click the File menu and select the Open menu item.

22. Select the Documents folder on the left of the screen, select the AMP for Endpoints Deployment Strategy PDF file, and
click the Open button at the bottom of the window.

23. Once the PDF file has successfully loaded, you may close the Adobe Reader application.

24. Close the Remote Desktop Connection to the WKST1 machine and return to the desktop of the Jumphost machine.

Analysis

After completing the application usage tests, you can now review the data available in the AMP for Endpoints Console. Specifically,
you will be checking whether any Detection events occurred.

1. Ensure you are logged in to the AMP for Endpoints console from the Jumphost workstation.

2. Click the Analysis menu and select the Detections / Quarantine menu item.

3. When the Dashboard Events filter window displays, click the button next to Time Range that is currently set to the value
Week. Change this value to Day.

4. Click the plus symbol for the Group filter on the right of the screen and select the ABC - Windows Endpoints Audit
group.

Note: Due to this being a lab environment, if you do not select the correct time range and group, you may see events from
previous classes. Please ensure you look at the current day values for Events.

5. You should see no events for the current day for the WKST1 machine.

6. None of the activities you performed on the WKST1 machine while testing the customer’s applications would have been
blocked if the connector had been in Protect mode. This is the expected result.

Note: Monitoring Threat Detected events is the primary method you can utilize to verify that connectors are ready to be moved
from Audit mode into Protect mode. It is important to monitor the events coming from connectors in Audit mode for enough
time to observe all normal end user activity and verify no blocks would have occurred for legitimate applications prior to
moving into Protect mode in production environments.

7. You will now look more closely at the data from the WKST1 machine to verify that the console has received data from the
endpoint and view what the AMP for Endpoints Connector observed during your application testing.

8. Click the Management menu and select the Computers menu item.

9. Find the entry for the WKST1 computer, expand the entry by clicking the plus sign, and click the Device Trajectory
item in the bottom left of the expanded section for WKST1.

Note: The items you see in the Device Trajectory may not exactly match the screenshots in your lab. This is normal as there
are different processes running at various times depending on time of day and other factors. You should still see the data from
your application testing.

10. On the Device Trajectory screen, you will be able to see the processes from the WKST1 computer and their activity.

11. You will now filter the data to show only information relating to the Microsoft Excel process: excel.exe.

12. At the top of the screen in the Search Device Trajectory field, type excel.exe, then press Enter.

13. The items in the Device Trajectory window will now be filtered to include only those that relate to the value you
searched for. If no results are displayed, check the spelling of your search entry and/or wait a couple of minutes and
try again.

14. Click on each of the File and Network event circles and review the data contained in each event.

15. You will see that Excel created the book1.xlsx file and then moved the file.

16. Review the other events for the application. Note that many of the values in the event can open additional menus and
reports to help with investigations as well as provide additional context.

17. The Device Trajectory view is currently under development in the AMP cloud and is migrating to a new interface view.
Click Use the New Device Trajectory to go back.

18. Enter acro into the Search field at the top of the page and press Enter.

19. Review the entries for the matching files. There may be several entries related to the Adobe Acrobat processes such as
acrord32.exe and acroext.exe. In this example notice the network activity being generated by the acrord32.exe. Click on
one of the events on the device trajectory to bring up additional information about the event.

20. Click on the hash value for the file in the event details pane (see image below). Notice the Disposition is Clean, and the
file name is marked in green. From this menu you could investigate further if desired.

Note: You may not see the exact events for Adobe Acrobat as shown in the lab manual although there should be event
entries in the Device Trajectory for you to verify that event data is passing to the console based on your activities.

21. You have verified that you are indeed getting event data from the machine you performed the application testing on and
that it does not appear that any of the apps would have been blocked if the machine had been in Protect mode.

Server Application Testing

The Windows and Linux servers have also had their connector installed in Audit mode, and it is now time to check whether any of the
services or applications running on those servers would be blocked if the connector were not in Audit mode.

You will now review the data available in the AMP for Endpoints Console. Specifically, you will be checking to see if any Detection
events occurred for the servers within the customer environment.

1. Ensure you are logged in to the AMP for Endpoints console from the Jumphost workstation.

2. Click the Analysis menu and select the Detections / Quarantine menu item.

Note: Accessing the Detections/Quarantine item from the Analysis menu accomplishes the same task as selecting Events
from the Analysis menu and then choosing the event types Threat Detected and Threat Detected in Exclusion.

3. When the Events filter window displays, click the button next to Time Range that is currently set to the value Week.
Change this value to Day.

4. Click the plus symbol for the Group filter again and select the ABC - Linux Server Audit group.

5. Click the plus symbol for the Group filter again and select the ABC - Windows Server Audit group.

Note: Due to this being a lab environment, if you do not select the correct time range and group, you may see events from
previous classes. Please ensure you look only at the current day’s values for Events with the correct group filters.

6. You should see several entries for the Server1 machine. These entries represent instances where an application would
have been blocked on Server1 if the machine had been in Protect mode. You must now gather more information on this
activity before proceeding to move machines into Protect mode.

7. If you do not see the detection events for server1, the scheduled task that executes the application may not have
executed yet due to various timing factors. You may force the scheduled task to run by following the below steps if
needed.

a. Connect to the Server1 machine via the Remote Desktop shortcut on the desktop of the Jumphost.

b. On Server1, open Computer Management by right-clicking on the Start button and selecting Computer
Management.

c. When the Computer Management window appears, expand Task Scheduler and select the Task Scheduler
Library folder.

d. Right-click on the Server Maintenance task and select the Run menu item.

e. Return to the Jumphost machine by minimizing the Remote Desktop window for Server1 with the minimize
button located on the blue bar at the top of the screen.

f. Return to the event logs for the server machines and refresh the page to see the event data generated by
running the scheduled task.

8. Click the plus symbol on the most recent event for the Server1 machine to expand the event.

Note: All text colored blue with the funnel/filter icon next to it can be used to add a filter to the current events filter in order to
only show data for the item you just clicked on.

9. On the File Detection tab of the newly opened Event, notice the following items:

a. Detection: The name/designator of the malware detected

b. Fingerprint: Hash of file detected

c. File Name: The specific file that was detected as being malicious

d. File Path: The location on the hard disk of the connector (computer) where the file was executed from

e. File Size: The size in bytes of the file

f. Parent Fingerprint: The hash of the process that launched the malicious file

g. Parent Filename: The name of the process that launched the malicious process
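The fields above are what a deployment engineer reviews for every Audit-mode detection before a group is switched to Protect mode. The following is an added example, not from the lab manual or the AMP console: it takes Threat Detected events shaped like the File Detection tab, groups them by SHA-256 fingerprint and splits them into files that Protect mode would quarantine and files an application whitelist already covers. The event records are constructed for this example; the fingerprints are SHA-256 digests of made-up strings rather than hashes of real files, and the detection names are placeholders.

```python
"""Triage of Audit-mode Threat Detected events before moving to Protect mode.

Added example; not from the lab manual and not the AMP console's own code.
The event records are constructed from the File Detection fields the lab
lists (Detection, Fingerprint, File Name, File Path, File Size, Parent
Fingerprint, Parent Filename). Fingerprints are SHA-256 digests of made-up
strings, not real file hashes, and the detection names are placeholders.
"""
import hashlib


def fake_sha256(label: str) -> str:
    """Constructed stand-in for a file fingerprint (not a real file hash)."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed sample events for one Audit-mode group: two executions of the
# maintenance utility from the lab plus one other (made-up) file.
SAMPLE_EVENTS = [
    {"computer": "Server1", "group": "ABC - Windows Server Audit",
     "detection": "Constructed.PUA.Example",
     "fingerprint": fake_sha256("sample-nircmdc"), "file_name": "nircmdc.exe",
     "file_path": "c:\\maintenance\\nircmdc.exe", "file_size": 43520,
     "parent_fingerprint": fake_sha256("sample-cmd"), "parent_filename": "cmd.exe",
     "quarantined": False},
    {"computer": "Server1", "group": "ABC - Windows Server Audit",
     "detection": "Constructed.PUA.Example",
     "fingerprint": fake_sha256("sample-nircmdc"), "file_name": "nircmdc.exe",
     "file_path": "c:\\maintenance\\nircmdc.exe", "file_size": 43520,
     "parent_fingerprint": fake_sha256("sample-cmd"), "parent_filename": "cmd.exe",
     "quarantined": False},
    {"computer": "Server1", "group": "ABC - Windows Server Audit",
     "detection": "Constructed.Generic.Example",
     "fingerprint": fake_sha256("sample-legacy-tool"), "file_name": "legacy_tool.exe",
     "file_path": "c:\\maintenance\\legacy_tool.exe", "file_size": 120832,
     "parent_fingerprint": fake_sha256("sample-cmd"), "parent_filename": "cmd.exe",
     "quarantined": False},
]


def summarize_by_hash(events):
    """Group Threat Detected events by SHA-256 so each file is assessed once."""
    summary = {}
    for e in events:
        s = summary.setdefault(e["fingerprint"], {
            "detections": set(), "file_names": set(), "paths": set(),
            "computers": set(), "parents": set(), "count": 0})
        s["count"] += 1
        s["detections"].add(e["detection"])
        s["file_names"].add(e["file_name"])
        s["paths"].add(e["file_path"])
        s["computers"].add(e["computer"])
        s["parents"].add(e["parent_filename"])
    return summary


def protect_mode_impact(events, whitelist):
    """Split hashes seen in Audit mode into those Protect mode would
    quarantine and those an application whitelist already covers."""
    would_block, allowed = {}, {}
    for sha, s in summarize_by_hash(events).items():
        (allowed if sha in whitelist else would_block)[sha] = s
    return would_block, allowed


def readiness_report(events, whitelist):
    """Lines to review with the customer before switching a group to Protect."""
    would_block, allowed = protect_mode_impact(events, whitelist)
    lines = []
    for sha, s in would_block.items():
        lines.append(f"WOULD BLOCK {sha[:12]}... {sorted(s['file_names'])} "
                     f"x{s['count']} on {sorted(s['computers'])} launched by "
                     f"{sorted(s['parents'])}: confirm with the application owner")
    for sha, s in allowed.items():
        lines.append(f"whitelisted {sha[:12]}... {sorted(s['file_names'])}: "
                     "allowed in Protect mode")
    if not would_block:
        lines.append("no unresolved detections: group is ready for Protect mode")
    return lines


if __name__ == "__main__":
    print("\n".join(readiness_report(SAMPLE_EVENTS, set())))
    print("--- after the customer approves the maintenance utility ---")
    print("\n".join(readiness_report(SAMPLE_EVENTS, {fake_sha256("sample-nircmdc")})))
```

Grouping by fingerprint rather than by file name matters: a renamed copy of the same tool shares the hash and is covered by the same whitelist entry, while a different build under the same name is a separate decision.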

Note: You may see a Report button in the step below rather than an Analyze button. This means that the file has been
recently analyzed already from a previous lab participant. You may click the Report button instead to view the Threat Grid
report and proceed with the lab.

10. Click the Analyze button. (If you DO NOT have an Analyze button in your console, see sub-step a after reading the remaining
text that follows here.) This will cause the AMP for Endpoints connector on Server1 to fetch the file in question, submit it to
the File Repository in the AMP cloud, and have it undergo a ThreatGrid analysis. This process can take several minutes to
complete (plan for a minimum of 15 minutes for the file fetch and then another 10 minutes minimum for the analysis after
that). We will continue to investigate the file using other methods while the File Fetch and ThreatGrid analysis are being
performed.

a. If there is no analyze button, this is due to the file being recently analyzed by another student who used this Pod
prior to you. You may skip to the next numbered step in this lab (Step 11).

b. The details of the File Fetch request appear, giving you the opportunity to choose which connector to retrieve the
file from (if the file existed across multiple computers in the customer environment) and what operating system
to use for the analysis.

c. Ensure Server1 is selected and leave the VM image for analysis at the default value.

d. A blue bar will appear letting you know that an email will be sent when the file has been uploaded to the repository.

e. Click the X in the upper right of the window to close the screen and return to the AMP for Endpoints console.

11. Click on the file hash next to Fingerprint (SHA-256) to open a drop-down menu for the file.

12. You are shown several pieces of information on the drop-down menu as well as being given the option of looking at
additional information in the console about this file. Here are descriptions of each option in this pop-up menu.

a. Disposition: How the AMP cloud is categorizing the file, such as Unknown, Malicious, or Clean

b. Filename: The current file being viewed

c. Add to Filter: Allows you to add this hash to the Event filter.

d. Copy: Copies the full SHA-256 hash (unique identifier) of the file to the clipboard so it can be pasted in other
screens if desired

e. Search: Will search for all computers with the file, will search the file repository for a matching file, and will look
in File Analysis for a matching file. (Sample screen shown below. You do not need to select this option now.)

f. Virus Total / Risk / Full Report: Pertains to data obtained about this hash that was received from Virus Total.

g. File Fetch: Allows you to Fetch the file for analysis or view it in the repository.

h. File Analysis: Opens the file analysis for the file (if the file has been previously fetched, and the analysis has
had enough time to complete)

i. File Trajectory: Shows a summary of information about the file across the entire environment including all
machines seen with the file, network activity associated, how the file was written, and if the file created any new
threats

j. Outbreak Control: Quickly add this hash to an Outbreak Control list in the product

k. Investigate in Cisco Threat Response: Allows you to open Cisco Threat Response filtered on this Hash.

13. Click on the File Trajectory menu item.

14. The File Trajectory page opens in a new browser tab and displays statistics about the file. Review the data shown on the
File Trajectory screen including the following:

a. Visibility: Statistics on how many instances involving the file have been observed, as well as the first/last dates of
observation

b. Entry Point: The first connector in the environment that saw the file

c. Created By: Data regarding how the file arrived on the connector

d. File Details: Information from the executable header of the file, the disposition, size, hashes, and type

e. Network Profile: Any network activity related to the file

f. Trajectory: Timeline of activity involving the file

g. Event History: A list of all events in the AMP for Endpoints console involving the file

Note: The details of the File Trajectory screen above may look somewhat different from those displayed in your lab depending on
how many times the file has executed and various other factors.

15. After reviewing the data on the File Trajectory screen, close the browser tab for the File Trajectory and return to the
Events screen showing the detection events for nircmdc.exe.

16. Click on the Connector Info menu option on the left of the expanded event section (below File Detection).

17. Details about the machine that generated this specific event appear.

18. Click the Management link to view more information about the computer that has generated the event.

19. The Computers screen opens in a new browser tab. Click the plus symbol next to the Server1 entry to expand the
information about the computer.

20. Review the current information available about the Server1 computer. Notice that from this screen, you have the ability to
launch an on-demand scan, move the computer to a different group in the console, delete the computer, go to events
specifically related to this machine, launch the Device Trajectory, and view audit log changes.

a. Important! Do NOT move or delete the Server1 machine at this time!

21. Close the current browser tab containing the Computers screen and return to the Events screen showing the detection
events for nircmdc.exe.

22. Launch the Device Trajectory by clicking on either the button in the top row of the event header, or the link for Device
Trajectory on the Connector Info screen of the event.

23. The Device Trajectory window appears in a new tab with data relating to the nircmdc.exe file and
its activity.

24. Based on the data in the Device Trajectory, we can see two processes involved: nircmdc.exe and cmd.exe (you may
also see [system]). The process nircmd.exe is colored red, indicating that its event disposition is malicious. The process
cmd.exe is colored green, indicating that its event disposition is benign. The icon associated with the events on the
Device Trajectory matches the execute event type as shown at the bottom of the screen. Additionally, there is an ‘eye’
icon on the events, symbolizing that the event occurred in Audit mode.

25. Click on one of the execute events in the device trajectory and review the event data.

Note: The event specifically says the file was not quarantined. This is because the connector is in Audit mode.

26. You can determine that the parent process was cmd.exe (Executed by…), the full path of the file is
c:\maintenance\nircmd.exe, and the specific command line used (available in some events: choose another event if you
are not seeing the command line, as this may not always appear depending on application behavior at that time).

27. Additionally, you are presented with all hash values of the process and parent process.

28. Click on the abbreviated hash (12459a5e…) of the nircmdc.exe file located next to its name on the top line of the current
window.

29. Details about the file appear including a VirusTotal section. Click on the Full Report menu item.

Note: VirusTotal is a site that analyzes files using signatures from many different anti-malware vendors. It can be useful to gain
additional context when investigating a file.

30. The VirusTotal site is opened to the page containing information about the hash that was selected.

31. It appears that many of the antivirus engines that VirusTotal ran the file against are marking it as an unwanted program or
risky tool.

32. Close the VirusTotal tab of the browser and return to the Device Trajectory screen.

33. Click on the hash of the nircmdc.exe file, click the File Fetch sub-menu, and select the View in File Repository menu
item.

Note: You can also access the File Repository by accessing the Analysis menu and selecting File Repository.

Note: You had previously requested that AMP for Endpoints fetch the file and begin an analysis (or possibly a previous student
already fetched the file). It can take over 30 minutes for the file fetch and analysis to complete. Depending on the length of time
from when you requested the file fetch and analysis, the file may not be available yet. If the Status does not say “Available” on the
previous step, you may need to wait for this process to complete or move ahead without the analysis to review in your lab. Also, if
you do not see any entries in the File Repository, please verify that you successfully requested the file and review the beginning of
this lab section for the steps on initiating the file fetch and analysis.

34. When the File Repository screen appears click the plus symbol to expand the entry for nircmdc.exe. If you do not see
results in the Repository, return to the previous menu and use the Fetch File option to grab a new copy of the file from
Server1.

35. Notice that from this screen you could launch a File Trajectory or Device Trajectory, download a copy of the actual file to your
admin console, or remove the file from the repository. At this point in the lab, the file analysis should be completed, and
you should see the Analysis results link. Hover your mouse pointer over the Report button to see the pop-up
information.

36. Review the data on the screen, then click the Report button at the bottom of the section.

37. You are presented with the ThreatGRID analysis report that shows information about the file obtained when it was
executed and analyzed within the ThreatGRID sandbox environment.

38. Review the data in the report, then close the analysis report browser tab when complete.

Note: The steps below outline a sample conversation that you would have with your customer during a deployment in a case like
this one, where a file has been marked as malware in Audit mode but appears to be a legitimate application in use by the
customer. During a production deployment, ensure you have customer approval from the appropriate department before whitelisting
processes classified as malware by AMP for Endpoints. Read the following steps until you are directed to take another action in the
AMP for Endpoints console.

39. At this point in our deployment scenario, you have performed several investigative actions using the AMP for Endpoints
console and it is time to talk to the customer in order to gather more information about this file and why it is running on the
Server1 machine.

a. The customer’s server team has been asked if they know anything about the file running on Server1 and they
have responded that they have no knowledge of the file.

b. You subsequently explain to the server team that unless the file is specifically allowed to run, it will be blocked
once the server moves into Protect mode.

c. The server team suddenly remembers, “yes, we do know about the file. It is a utility we utilize for maintenance
scripts.” They have requested that it be whitelisted and not blocked.

d. You verify with your customer’s IT Security department, or primary contact for your AMP for Endpoints project,
that they also approve of whitelisting the utility file, as it seems it is not true malware but instead a risky and
sometimes misused administrative utility.

e. The IT Security team has issued an approval for you to move forward with whitelisting the file in the AMP for
Endpoints console.

f. Close the ThreatGRID report browser tab.

Note: You will now use the AMP for Endpoints console to whitelist the file, so it will not be blocked when the connectors move into
Protect mode.

40. Click Analysis > File Analysis.

41. Expand the newest nircmd.exe entry by clicking the associated + icon.

42. We can easily add this file hash to our Whitelist.

a. Click the File Hash near the Fingerprint (SHA-256) value and locate the Whitelist menu option on the pop-up
menu (It may be at the bottom of your menu, or nested under Outbreak Control).

b. Now click Whitelist, then click ABC – Application Whitelist.

Note: By adding the hash for the nircmdc.exe file into the whitelist used by all the customer policies, the file will be whitelisted for
the entire environment. In this deployment, that is acceptable to the customer. There may be times when it is not desired to
whitelist a file for all computers, but rather only a subset of machines. In that case, a separate whitelist could be created, and the
group that needed the whitelist could have its policy edited to point to the new whitelist. This way, only that specific group would
have the file whitelisted.

43. Again, click Analysis > File Analysis and expand the newest nircmd.exe entry by clicking the associated + icon.

44. Click the File Hash near the Fingerprint (SHA-256) value.

45. Notice that the Disposition is now Whitelisted and no longer “malicious”. You have successfully whitelisted the file and
prevented it from being blocked by connectors in Protect mode. You will now verify your work.

Note: Connectors that have already seen the file with a Malicious disposition will not immediately change that disposition to
Whitelisted after the file is added to a whitelist. In the Policy settings, there is a Cache menu that controls the TTL for the various
dispositions (shown below). For the change to take effect on a connector that already has the file cached, either wait for the TTL to
expire (1 hour for malicious files) or stop the connector service, delete the cache.db file from the connector install directory,
and then restart the service. This forces the connector to perform a fresh cloud lookup, after which it will not block the file.

Note: Image above is an example of Policy Cache Settings.

46. You will now log in to the Server1 machine and manually execute the file you have just whitelisted, to test whether the
connector is treating the file as having a Whitelisted disposition.

47. On the desktop of the Jumphost machine, double-click on the Remote Desktop Connection shortcut for the Server1
computer

48. You should automatically be logged onto the Server1 machine. You can verify that you are logged into the Server1
machine by looking at the top of the screen for the Remote Desktop Connection bar and the background of the desktop
will show the name of the machine currently logged into as shown below.

49. Open Computer Management by right-clicking on the Start button and selecting Computer Management

50. When the Computer Management window appears, expand Task Scheduler and select the Task Scheduler Library
folder

51. Right-click on the Server Maintenance task and select the Run menu item


52. Return to the Jumphost machine by minimizing the Remote Desktop window for Server1 with the minimize button
located on the blue bar at the top of the screen

53. Ensure you are logged in to the AMP for Endpoints console from the Jumphost workstation

54. Click the Analysis menu and select the Detections / Quarantine menu item.

55. When the Events filter window displays, click the button next to Time Range that is currently set to the value Week.
Change this value to Day.

56. Click the plus symbol for the Group filter on the right of the screen and select the ABC - Windows Server Audit group

57. There should be an event listed that matches the time you manually started the scheduled task on Server1 after the file was
whitelisted. Notice that the connector still generated a malware detection event even though the file had been whitelisted in the
console. The connector answered the lookup from the Malicious disposition stored in its local cache.db, and that cached
disposition is used until its TTL elapses, so the console-side change has not yet reached this endpoint.

58. Click on the file Hash next to SHA-256 for the file. Notice the disposition is Whitelisted. You will now force the connector
to retrieve new disposition data by manually deleting the cache.db on the Server1 machine.


59. Return to the Server1 machine by clicking on the minimized session you already have launched in the taskbar.
Alternately, double-click on the desktop shortcut for the Server1 remote desktop session again.

Note: Manually deleting cache.db is a troubleshooting step, or a way to make a new disposition take effect immediately on a
specific host; it is not a normal operational task to perform on a regular basis. You are going through this exercise to understand
the timing involved in whitelist/blocklist changes, and so that you are familiar with the process if you ever need a change to take
effect immediately on a small number of computers. It is not something you should expect to do after every whitelist change.
Keep in mind that it requires local administrator rights on the endpoint, and that the host has no connector protection for the
moments the service is stopped, which is another reason to limit it to a few machines.

60. You will now stop the connector service on the Server1 computer. Open an elevated PowerShell prompt by right-
clicking on the PowerShell shortcut (This looks like a > symbol) on the taskbar and selecting the Run as
Administrator menu item

Note: The name of the service changes with the version of the connector installed. You will use PowerShell to determine the
current status of the service, the exact name of the service, and use wildcards in the commands that will work even if the
connector version changes.

61. Once the Windows PowerShell prompt appears, run the command get-service CiscoAMP* (Do NOT forget the * at the
end of the command)

62. Notice the Status of the service is Running, the name of the service is shown as well as the DisplayName of the service.


63. Stop the service by running the command stop-service -name CiscoAMP*

64. Verify the service is stopped by running the command get-service CiscoAMP*

65. Notice the Status of the service is now Stopped

66. Now that the service is stopped, you may delete the cache.db file from the connector installation directory on Server1

a. Run the command del "C:\Program Files\Cisco\AMP\cache.db"


b. If no errors appear after running the del command, then the cache.db file was successfully deleted and you may
now restart the service, so the agent will be forced to pull down a new disposition for the file you have whitelisted
without waiting for the 1-hour TTL to expire.

c. Start the connector service by running the command start-service -name CiscoAMP*

d. Check the service status by running the command get-service CiscoAMP*

Note: If you prefer to use the Services MMC and File Explorer user interfaces to stop the service, delete the file, and start the
service, that is ok, and will accomplish the task as well.
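The following script is added here as an example; it is not part of the lab guide or Cisco's own tooling. It performs steps 60 through 66 in one elevated PowerShell session and adds the checks a practitioner would want: it confirms the service has actually reached Stopped before touching the file, records the size and timestamp of the cache it is about to delete, and waits for the service to come back up before reporting. It assumes the lab's install path (C:\Program Files\Cisco\AMP) and that the service name matches CiscoAMP*; on other builds adjust those two values. It also assumes the policy in effect does not require a password to stop the connector service; if it does, Stop-Service will be denied and the stop has to be performed with that password.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the lab guide: clear the AMP connector's local
# disposition cache so its next lookup goes to the cloud immediately.
# Assumptions: install path and service-name pattern are those used in the lab.
$CacheDb     = 'C:\Program Files\Cisco\AMP\cache.db'
$ServiceGlob = 'CiscoAMP*'
$Timeout     = [TimeSpan]::FromSeconds(60)

# Resolve the exact service name; it changes with the connector version.
$svc = Get-Service -Name $ServiceGlob -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $svc) { throw "No service matching '$ServiceGlob' found. Is the connector installed?" }
Write-Host ("Connector service: {0} ({1}), status {2}" -f $svc.Name, $svc.DisplayName, $svc.Status)

# Stop the service and block until the OS reports it Stopped, so the cache file
# is not removed while the connector still has it open.
if ($svc.Status -ne 'Stopped') {
    Stop-Service -Name $svc.Name -Force -ErrorAction Stop
    $svc.WaitForStatus('Stopped', $Timeout)
    Write-Host 'Service stopped.'
}

# Log what is being discarded. The cache holds every cached disposition, not
# only the file being whitelisted, so the connector will re-query others too.
if (Test-Path -LiteralPath $CacheDb) {
    $info = Get-Item -LiteralPath $CacheDb
    Write-Host ("Deleting {0} ({1} bytes, last written {2})" -f $info.FullName, $info.Length, $info.LastWriteTime)
    Remove-Item -LiteralPath $CacheDb -Force -ErrorAction Stop
} else {
    Write-Host 'cache.db not present; nothing to delete.'
}

# Restart, wait for Running, and show the final state.
Start-Service -Name $svc.Name -ErrorAction Stop
$svc.WaitForStatus('Running', $Timeout)
Get-Service -Name $svc.Name | Format-Table Name, DisplayName, Status -AutoSize
```

Run it from the elevated PowerShell prompt on Server1, then re-run the Server Maintenance task as in step 67; the first execution after the restart is the one that forces the cloud lookup.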

67. You will now manually start the scheduled task on the Server1 computer to verify that the connector is no longer detecting
the file as malware and has updated its disposition as whitelisted.

68. Open Computer Management by right-clicking on the Start button and selecting Computer Management


69. When the Computer Management window appears, expand Task Scheduler and select the Task Scheduler Library
folder

70. Right-click on the Server Maintenance task and select the Run menu item

71. Return to the Jumphost machine by minimizing the Remote Desktop window for Server1 with the minimize button
located on the blue bar at the top of the screen

72. Ensure you are logged in to the AMP for Endpoints console from the Jumphost workstation

73. Click the Analysis menu and select the Detections / Quarantine menu item.


74. When the Events filter window displays, click the button next to Time Range that is currently set to the value Week.
Change this value to Day.

75. Click the plus symbol for the Group filter on the right of the screen and select the ABC - Windows Server Audit group

76. You will see the previous entries from when the connector on Server1 recognized the file as malicious, before the whitelist
operation was performed. No new threat detected events should be displayed in the console that match the time period of
the last scheduled task execution.

77. You have investigated whether any legitimate applications in use by the customer would have been quarantined by Cisco
AMP for Endpoints. You have successfully whitelisted a server application that would have been quarantined if the
connector was in protect mode. You have gone through the manual process of forcing the disposition update without
waiting for the Cache TTL to expire. Now that the customer environment has been analyzed for known good applications
that may be quarantined, and required changes made to whitelist them, it is time to move forward with the tasks needed
to prepare the environment for Protect mode.


Scenario 7. Create Protect Mode Policies


You have completed all Audit mode testing in the customer environment and are now ready to create the objects in the AMP for
Endpoints console required to move into Protect mode. Up until this point in the deployment, the AMP for Endpoints Connector
would not have blocked any activity that it found to be malware or on a block list. Once a Connector moves into Protect mode,
blocks will occur based on matching dispositions from the cloud, or on blocklists created by you as the administrator.

You will now create Policies in the AMP for Endpoints console. To speed up this process, we will clone our audit policies as a
starting point, then edit each cloned policy with the required modifications.

Duplicating the Audit Policies


1. Click the Management menu and select the Policies menu item.

2. The Policies page will appear and display all existing policies. Type ABC in the search window, then click the
magnifying glass to perform a policy search on the All Products tab.

3. Click the plus sign to expand the ABC - Linux Server Audit Policy.

4. Click the Duplicate button for this policy.

5. You should now see a new policy in the list: Copy of ABC - Linux Server Audit


6. Before editing this new policy, we will create the remaining 2 copies of the other Audit policies using the same process we
just utilized:

a. For the ABC - Windows Endpoint Audit policy:

i. Expand the ABC - Windows Endpoint Audit policy

ii. Click Duplicate

b. For the ABC - Windows Server Audit policy:

i. Expand the ABC - Windows Server Audit policy

ii. Click Duplicate

7. Once you have completed duplicating the other 2 policies, you should see a total of 6 policies for the ABC deployment. 3
“ABC”, and 3 “Copy of ABC” policies.

8. We can now proceed to the next section where we will modify each duplicated policy as required.


Linux Server Protect Mode Policy


We will now modify the duplicated copy of the Linux Audit policy to change it to a Protect policy.

1. Expand the Copy of ABC - Linux Server Audit policy by clicking the associated plus sign. Be certain that this is the
Copy, and not the original policy.

2. Click the edit button within this policy.

3. You should now see the contents of the Copy of ABC - Linux Server Audit policy

4. Edit the following settings on the current page:


a. Name: ABC - Linux Server Protect

b. Description: Protect mode policy for Linux Servers


c. Click the Quarantine button for Files

d. Do not change any other settings on the Modes and Engines page of this policy form.

5. Click Outbreak Control on the left side of the form. Notice how the other settings have carried over as part of the policy
duplication process as well.

6. Click Save at the bottom of the form to save the modified Protect policy.

7. After saving, you will see the following message in the console.


8. Type ABC in the policy search field at the top of the page, then click the magnifying glass to filter for our custom
policies.

9. You should still see 6 total ABC policies, but now only 2 are listed as “Copy of”. Additionally, you should now see the
newly created ABC - Linux Server Protect policy.

10. We can now continue to the next lab section to customize another duplicated policy as required.


Windows Endpoint Protect Mode Policy


We will now modify the duplicated copy of the Windows Endpoint Audit policy to change it to a Protect policy.

1. Expand the Copy of ABC - Windows Endpoint Audit policy by clicking the associated plus sign. Be certain that this is
the Copy, and not the original policy.

2. Click the edit button within this policy.

3. You should now see the contents of the Copy of ABC - Windows Endpoint Audit policy

4. Edit the following settings on the current page:

a. Name: ABC - Windows Endpoint Protect

b. Description: Protect mode policy for Windows desktops and laptops utilized by end users

c. Click the Quarantine button for Files

d. Click the Block button for Network

e. Do not change any other settings on the Modes and Engines page of this policy form at this time. In a production
deployment, you may choose to utilize Malicious Activity Protection and System Process Protection at this time.


5. Click Save at the bottom of the form to save the modified Protect policy.

6. After saving, you will see the following message in the console.

7. Type ABC in the policy search field at the top of the page, then click the magnifying glass to filter for our custom
policies.

8. You should still see 6 total ABC policies, but now only 1 is listed as “Copy of”. Additionally, you should now see the newly
created ABC - Windows Endpoint Protect policy.

9. We can now continue to the next lab section to customize our final duplicated policy.


Windows Server Protect Mode Policy


We will now modify the duplicated copy of the Windows Server Audit policy to change it to a Protect policy.

1. Expand the Copy of ABC - Windows Server Audit policy by clicking the associated plus sign. Be certain that this is the
Copy, and not the original policy.

2. Click the edit button within this policy.

3. Edit the following settings on the current page:

a. Name: ABC - Windows Server Protect

b. Description: Protect mode policy for Windows servers that are not Active Directory servers

c. Click the Quarantine button for Files

d. Do not change any other settings on the Modes and Engines page of this policy form at this time.

4. Click Save at the bottom of the form to save the modified Protect policy.

5. After saving, you will see the following message in the console.


6. Type ABC in the policy search field at the top of the page, then click the magnifying glass to filter for our custom
policies.

7. You should still see 6 total ABC policies, but now you have 3 types of policies, each with an Audit and Protect version.

Note: You have successfully created protect policies for Windows Endpoints, Windows Servers, and Linux Server connectors. You
will now create the necessary Groups to associate with these policies that will allow AMP for Endpoint Connectors to be placed into
protect mode.


Scenario 8. Create Protect Mode Groups


You will now go through the process of creating protect mode groups for your connectors within the console. In this deployment, you
have already created audit mode groups for different functional types of endpoints to allow for both low impact deployment to the
customer, and for testing when necessary. Protect mode groups will be created at this point in the deployment to allow connectors
to be transitioned from audit mode to protect mode.

Windows Endpoint Protect Mode Group


Since groups cannot be duplicated the way policies were earlier, we will need to create these groups manually. We will now
create the Windows Endpoint Protect Mode group for the ABC company.

1. Click the Management menu and select the Groups menu item.

2. Click the Create Group button.

3. In the Name field enter ABC - Windows Endpoints Protect

4. In the Description field enter Group to manage Windows endpoint devices in Protect mode

5. In the Windows Policy field choose the ABC - Windows Endpoint Protect policy item.

6. Leave all other settings at the default values and click the Save button.


Windows Compliance Protect Mode Group


We will now create the Windows Compliance Protect Mode group for the ABC company.

1. From the Groups page in the console, click the Create Group button.

2. In the Name field enter ABC - Windows Compliance Protect

3. In the Description field enter Group to manage Windows endpoint devices that fall under Compliance regulations in
Protect mode

4. In the Windows Policy field choose the ABC - Windows Endpoint Protect policy item.

5. Leave all other settings at the default values and click the Save button.

Note: The group you just made for the Compliance machines uses the policy you previously created for Windows Endpoints in
Protect mode. Members of the ABC - Windows Endpoints Protect group and members of the ABC - Windows Compliance Protect
group will have the same configuration applied at this point (same exclusions, audit/block settings, user interface settings, etc.),
but can be managed separately for reporting purposes. Additionally, at a later time, the Compliance group could be pointed at a
different policy if the configuration of those machines needed to diverge from the ABC - Windows Endpoints Protect group.


Windows Server Protect Mode Group


We will now create the Windows Server Protect Mode group for the ABC company.

1. From the Groups page within the console, click the Create Group button.

2. In the Name field enter ABC - Windows Server Protect

3. In the Description field enter Group to manage Windows servers in Protect mode

4. In the Windows Policy field choose the ABC - Windows Server Protect policy item.

5. Leave all other settings at the default values and click the Save button.


Linux Server Protect Mode Group


We will now create the Linux Server Protect Mode group for the ABC company.

1. From the Groups page in the console, click the Create Group button.

2. In the Name field enter ABC - Linux Server Protect

3. In the Description field enter Group to manage Linux servers in Protect mode

4. In the Linux Policy field choose the ABC - Linux Server Protect policy item.

5. Leave all other settings at the default values and click the Save button.

Note: You have successfully created groups tied to Protect Mode policies. We will now be able to transition connectors from Audit
mode into Protect mode.


Scenario 9. Protect Mode Transition


You have completed all the configuration changes in the AMP for Endpoints console to create the objects needed to transition
endpoints into Protect mode. You have also tested the functionality of the customer applications on the connectors running in
Audit mode to ensure that normal business applications would not be blocked, and rectified the issues that came up during that
testing. You will now move connectors into the appropriate groups attached to Protect mode policies.

Note: Throughout this scenario, WKST1 will remain in the audit mode group for comparison purposes. WKST2 will be moved over
to the ABC - Windows Compliance Protect mode group. In production, you will likely utilize a staged migration similar to the steps
in this lab scenario to transition systems to protect mode, rather than moving all connectors simultaneously.

Windows Compliance Protect Mode Transition


We can now migrate our compliance system to protect mode.

1. Click the Management menu and select the Computers menu item.

2. The list of all computers with the AMP for Endpoints connector installed will appear. You will now filter the list of
computers to show only those computers in the ABC - Windows Endpoints Audit group.

3. Click the plus sign next to Filters to expand the Filter section

Note: Notice the many options for filtering computers. This can be very beneficial for managing devices based on Operating
System, version of the AMP connector software, IP range, or other values that you may want to group machines together by over
time.

4. Click the drop-down menu for Group and select the ABC - Windows Endpoints Audit group


5. Click the Apply Filters button

6. You will see 2 systems have been returned: wkst1 & wkst2. We have been informed that wkst2 should be classified as a
compliance system and placed in Protect. Place a checkmark in the box associated with wkst2.

7. Click the Move to Group button and then select ABC - Windows Compliance Protect from the drop-down.

Note: The name may be abbreviated due to length of the window as shown in the example above.

8. Click the Move button to complete the move process for the computer

9. The move is successfully completed. In the following labs, you will now repeat the process for the other machines (with
the exception of WKST1) by moving them into their appropriate protect mode groups.


Windows Server Protect Mode Transition


We can now migrate our Windows Server system to protect mode.

1. Ensure you are still on the Management > Computers page of the console.

2. Clear the currently applied filter by clicking the Clear Filters button

3. Place a checkmark next to the entry for the Server1 computer in the list and click the Move to Group button.

4. The Move Computer to Group window will now appear. Choose the option to Move To Existing Group and select the
ABC - Windows Server Protect

Note: The name may be abbreviated due to length of the window as shown in the example below.

5. Click the Move button to complete the move process for the computer

6. The move is successfully completed.


Linux Server Protect Mode Transition


We can now migrate our Linux Server system to protect mode.

1. Ensure you are still at the Computers page of the console and no filters are applied

2. Place a checkmark next to the entry for the centos computer in the list and click the Move to Group button.

3. The Move Computer to Group window will now appear. Choose the option to Move To Existing Group and select the
ABC - Linux Server Protect

4. Click the Move button to complete the move process for the computer

5. The move is successfully completed. You have completed all the Protect Mode group transitions required at this time as
wkst1 should remain in Audit.


Scenario 10. Simple Custom Detections


Your customer has identified some files that they would like quarantined using AMP for Endpoints. You will utilize a Simple Custom
Detection (SCD) to quarantine the files based on their SHA-256 hash values. Additionally, you will test the behavior of a connector
in audit mode, and in protect mode, when attempting to execute files that have been added to the quarantine list.

Unauthorized Compiled Script


Your customer’s IT Security team has identified several users utilizing a script that has been compiled into an executable in order
to evade security settings requiring corporate workstations to lock after a period of inactivity. The executable is not on the
customer’s approved software list and its behavior is in violation of the customer’s IT Security policy. The file does not appear to be
dangerous malware, but it needs to be quarantined and prevented from executing. You have been provided a copy of the file by
the customer on your administrative workstation.

Note: You cannot quarantine a file through creating a Simple Custom Detection if the hash of the file has a “Clean” disposition in
the AMP cloud. If you attempt to do so, the attempt will fail, and you will be notified that you should create an application block
instead.

File Preparation - Lab Purposes Only

Important! AMP for Endpoints will not allow a Simple Custom Detection to be created for a file that has a Clean disposition. Any
file that the AMP cloud has seen and not deemed malicious will, over time, be classified as Clean unless malicious behavior is
associated with it. For this lab scenario to work and let you create a Simple Custom Detection, you must use a file that has an
"Unknown" disposition in AMP. That is difficult with a fixed lab file, because over time it will be classified as either Clean or
Malicious and the exercise will stop working. For the purposes of this lab, you will run a script that generates a file with a new
hash (a unique identity), so that it has an "Unknown" disposition and can be quarantined with an SCD in the AMP for Endpoints
console. Generating the file only simulates a new file in a customer environment that the AMP cloud has not yet seen and
classified but that the customer needs quarantined immediately; it is not a normal administrative task. In production customer
environments, you simply create an SCD with the hashes of the unknown files, or create application blocks for files the customer
does not want to execute that are classified as Clean by AMP. Please proceed with the lab instructions, as this SCD lab will not
function correctly without generating the unique file.

1. Ensure you are logged in to Jumphost workstation

2. Open File Explorer on the Jumphost workstation by double-clicking the JUMPHOST shortcut on the desktop

3. Navigate to the “C:\Setup Files\NoSleepyTime\Construction” directory


4. Double-click on the DataGen.bat file to execute the script that will generate an executable file with an unknown
disposition to be used in this lab scenario. This batch file will create a unique executable file every time it is run and
transfer the file to both the WKST1 and WKST2 machines. If you run this batch file more than 1 time, it will create a file
with a new hash each time. Please ensure you are using the correct hash value later in the lab as you create the SCD.

5. Wait for the batch file to complete and prompt you to continue. Press the Enter key to continue and close the batch file
screen.

6. Using the File Explorer window on the screen, navigate to the “C:\Setup Files\NoSleepyTime” directory. You should now
see a file in that location named NoSleepyTime.exe

7. You now have a new unique file that does not have a Clean disposition in AMP. Please proceed with the remainder of the
lab.

Note: Remember that the previous steps used to create the file were only required in the lab environment to produce a unique
executable file. In a normal deployment, this would not be necessary. You would either create the SCD based on the hashes
provided by the customer or create application blocks.


Quarantining an Unknown File


We will now use the Simple Custom Detection feature of AMP for Endpoints to quarantine an unknown file on a protected system.

1. Ensure you are logged in to the AMP for Endpoints console from the Jumphost workstation

2. Click the Outbreak Control menu, navigate to the Custom Detections section and select the Simple menu item.

3. The Custom Detections - Simple page appears. The ABC - Quarantine List item is displayed on the screen with all the
groups and policies that utilize this SCD. Click the Edit button.

4. Click the Upload File tab next to Add SHA-256


5. You will now upload a copy of the file the customer has provided to you that they desire to be quarantined. The console
will calculate the SHA-256 hash of the file and enter the value into the SCD. If you already had the hash of the file, you
could enter that instead on the Add SHA-256 tab. In this case, we have the file and will upload it. Click the Browse button.

6. Navigate to the C:\Setup Files\NoSleepyTime directory on the Jumphost machine, select the NoSleepyTime.exe file,
and click the Open button

7. In the Note field, enter the text Unauthorized File - NoSleepyTime and click the Upload button


8. You should receive a message indicating that the file was successfully uploaded.

9. Click the Edit button on the ABC - Quarantine List object to review the entry you just created.

10. Click the hash under “Files Included” to see the details for the file you just uploaded (the IP address of the connection
that created the entry, the user account that created the entry, and the date/time stamp when the entry was created).

Note: The hash values you see in your lab for the file will be different from those shown in the lab document screenshots, as
each instance of the NoSleepyTime.exe file has a unique hash.
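Because DataGen.bat produces a different hash on every run, it is worth confirming which copy of NoSleepyTime.exe you are about to execute before moving on to SCD Testing. The script below is an added example, not part of the lab guide: it hashes the file with Get-FileHash and compares the result with the SHA-256 you read from the Files Included entry in the console, pasted in place of the placeholder. The default path is the lab's Jumphost copy; any other paths you pass, such as the copies DataGen.bat placed on WKST1 and WKST2, are your own and are an assumption here.

```powershell
# Added example, not from the lab guide: verify that the file you will run is
# the one whose hash is in the ABC - Quarantine List SCD.
# Assumptions: the default path is the lab's Jumphost copy; ExpectedSha256 must
# be replaced with the hash shown in the console (64 hex characters).
param(
    [string]   $ExpectedSha256 = 'PASTE-THE-SHA-256-FROM-THE-CONSOLE-HERE',
    [string[]] $Paths = @('C:\Setup Files\NoSleepyTime\NoSleepyTime.exe')
)

# Normalise and validate the hash copied from the console before comparing anything.
$expected = ($ExpectedSha256 -replace '\s', '').ToUpperInvariant()
if ($expected -notmatch '^[0-9A-F]{64}$') {
    throw "ExpectedSha256 is not a 64-hex-digit SHA-256: '$ExpectedSha256'"
}

# Hash every copy and record whether it matches the SCD entry.
$results = foreach ($p in $Paths) {
    if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
        [pscustomobject]@{ Path = $p; Sha256 = '(missing)'; Match = $false }
        continue
    }
    $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToUpperInvariant()
    [pscustomobject]@{ Path = $p; Sha256 = $hash; Match = ($hash -eq $expected) }
}

$results | Format-Table -AutoSize -Wrap

# A mismatched copy will not be quarantined, so fail loudly rather than proceed.
if (@($results | Where-Object { -not $_.Match }).Count -gt 0) {
    Write-Warning 'At least one copy does not match the SCD entry. Re-upload the current file or re-check which DataGen.bat run produced the SCD hash before SCD Testing.'
    exit 1
}
Write-Host 'All listed copies match the SCD entry.'
```

Save it as a .ps1 on the Jumphost and run it with the console hash, for example `.\Check-NoSleepyTime.ps1 -ExpectedSha256 <hash>`; to check the copies on the workstations as well, add their paths to -Paths (the exact location on WKST1 and WKST2 is the lab's C:\Setup Files\NoSleepyTime directory, reached however you normally reach those hosts).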


11. Click on the hash of the file and note that the disposition is Blacklisted due to you adding the hash to a Simple Custom
Detection.

12. You have successfully created a Simple Custom Detection for the file your customer requested you to quarantine. Any
connector that is a member of a group using a policy that references this SCD object will now quarantine the file.

SCD Testing
You will now test the SCD by executing the file that you just added to the SCD.

1. Ensure you are logged in to the Jumphost workstation

2. On the desktop of the Jumphost machine, double-click on the Remote Desktop Connection shortcut for the Wkst1
computer

3. You should automatically be logged onto the Wkst1 machine. You can verify this by looking for the Remote Desktop
Connection bar at the top of the screen; the desktop background also shows the name of the machine you are currently
logged into, as shown below.

4. Launch the File Explorer on WKST1 by double-clicking on the WKST1 shortcut on the desktop.

5. Navigate to the Local Disk C:\Setup Files\NoSleepyTime directory. (Make sure you are on the Local Disk of WKST1
and NOT one of the other mapped drives to the JUMPHOST)

6. Double-click the NoSleepyTime.exe file to launch the application.

7. You are presented with a notification when the file is launched. Click the OK button to close. The file was allowed to
execute even though it should be quarantined because the WKST1 machine is running an audit mode policy.


8. Open an Admin Command Prompt on WKST1 by right-clicking the Windows Start button and selecting Command
Prompt (Admin). Click Yes to allow.

9. Terminate the NoSleepyTime.exe process on WKST1 by running the command taskkill /im nosleepytime.exe /f

10. Close the Remote Desktop window for WKST1

11. Return to the AMP for Endpoints console on the Jumphost machine. You will now review the events generated by the
WKST1 machine.

12. Click the Analysis menu and select the Detections / Quarantine menu item.

13. Expand the event entry for WKST1 showing the detection of NoSleepyTime.exe by clicking the plus symbol. Notice
AMP for Endpoints detected this as a Simple_Custom_Detection. Also notice that the event shows Quarantine: Not
Seen. This is due to the connector being in an audit mode policy. AMP for Endpoints shows the detection but does not
block the file from executing or quarantine the file.

14. You will now attempt to run the file from the WKST2 machine in protect mode.

15. On the desktop of the Jumphost machine, double-click on the Remote Desktop Connection shortcut for the WKST2
computer

16. You should automatically be logged onto the Wkst2 machine. You can verify this by looking for the Remote Desktop
Connection bar at the top of the screen; the desktop background also shows the name of the machine you are currently
logged into, as shown below.

17. Close any open windows on WKST2.

18. Launch the File Explorer on WKST2 by double-clicking on the WKST2 shortcut on the desktop.

Note: If you do not see the file in the directory below, it is most likely due to it already being quarantined. This behavior is normal,
and you can continue in the lab.

19. Navigate to the WKST2 Local Disk C:\Setup Files\NoSleepyTime directory. (Make sure you are on the Local Drive of
WKST2 and not on a remote mapped drive.)

20. Double-click the NoSleepyTime.exe file to launch the application.

a. Possibility 1: File is missing or does not execute when double-clicked: Depending on the timing of your lab
progress and your connector’s current behavior, the AMP for Endpoints Connector may have already discovered
the file and initiated a quarantine action against it to remove it from the directory. If the file is missing, proceed
with the lab.

b. Possibility 2: File exists but executes normally and is not prevented: If your execution of NoSleepyTime.exe is
successful and you see the application notification screen (you should not see this), you may need to Sync the
Connector policy on WKST2 (your connector has not learned of its policy assignment change yet). Due to the
nature of the lab environment, it is possible you are performing lab tasks faster than the updates are occurring.
To force a policy sync on WKST2, click on the “Cisco AMP for Endpoints Connector” tray icon near the clock in
the bottom right corner of the screen (you may need to show the hidden icons). Once the AMP Interface opens,
click Settings, then click the Sync Policy button. After the policy is synced, attempt to run NoSleepyTime.exe
again. It should now fail.

c. Possibility 3: File executes normally and the Connector believes it is up to date: It is possible that the policy
assignment on the Group that contains WKST2 has not yet updated within the AMP cloud. If you look at the
computer in the console, you may see that the Group assignment is correct, but the Policy change has not yet
been applied to the Group.

We can validate that our Group is configured correctly via Management > Groups:

If this is the case, you must be patient and wait for the policy configuration to take place in the AMP cloud prior to
testing. You may choose to wait for a bit until the policy changes or move ahead with the lab as best you can at
this time and revisit the outcome later. Alternatively, you can attempt to modify the policy attached to the ABC -
Windows Compliance Protect group, then after saving the change, modify it back to the correct ABC - Windows
Compliance Protect Policy and save it again. Occasionally, this will speed up the transition. Do not forget that
you may need to Sync Policy on the WKST2 system after ensuring the correct configuration is ready in the AMP
cloud.

21. Close the Remote Desktop Connection to WKST2

22. Return to the AMP for Endpoints console running on the Jumphost machine

23. Click on the Analysis menu and select the Events menu item

24. Change the filter settings to show events from the Time Range = Day and from Group = ABC - Windows Compliance
Protect as shown below

25. Expand the entry for WKST2 by clicking the plus symbol. Notice the event type is either Quarantine: Successful or
Executed: Malware, depending on your testing outcome and the timing of the actions taking place during your lab (both
images are displayed below). The file was discovered by the connector and successfully quarantined due to the connector
being in protect mode.

Note: Quarantining a file removes it from the connector rather than just blocking the execution of the file.

26. You have successfully created a Simple Custom Detection for a hash that the AMP cloud had not already classified. All
machines in protect mode within our customer environment will now quarantine the file. All audit mode machines will
report on the detection.

Scenario 11. Vulnerable Applications


AMP for Endpoints can detect certain applications that, while not malicious, contain vulnerabilities that can be exploited by
malware. These Vulnerable Applications are a security risk to the customer environment. Once they are detected by Cisco
AMP for Endpoints, the Vulnerable Applications feature can be used to draw the customer’s attention to these issues, and even potentially
to block the execution of these vulnerable applications. You will now use AMP for Endpoints to see if there are any Vulnerable
Applications in your customer deployment, and then create an application block to prevent the applications from executing.

1. Ensure you are logged in to the AMP for Endpoints console from the Jumphost workstation

2. Click the Analysis menu and select the Vulnerable Software menu item.

3. The Vulnerable Software page appears and displays several applications identified in the customer environment as
having vulnerabilities. (Your list may vary from what is displayed below)

4. Expand an entry for the Oracle Java Platform. Notice that the console displays the number of vulnerabilities, the specific
CVE numbers, the groups that contain connectors that have observed the vulnerable application, the last computer the
file was observed on, as well as links to view additional data in the File Trajectory, Device Trajectory, and Events pages
within the console.

5. Click on one of the CVE entries to view the information about the vulnerability.

6. Return to the AMP for Endpoints Console Vulnerable Software tab in your browser

7. Click on the hash of the Java file to open a menu. Notice that the Disposition is Clean, meaning that the file is not being
classified as malicious and will not be quarantined by AMP for Endpoints.

8. From the file hash menu, select Outbreak Control, select Application Blocking, and select the ABC - Application
Block List menu item

9. There may not be any visual confirmation that the file has been added to the Block List entry. Mouse over the Application
Blocking menu again and you will see a check mark in the entry for ABC - Application Block List confirming it has been
added to the block list.

10. Repeat the previous steps for ALL the other entries shown in the Vulnerable Software list for Java. If there is only a single
Java entry in the list you may proceed with the lab. Do NOT perform the steps for Adobe Acrobat Reader at this time.

a. For each Java entry in the list, click the file hash for the application, select Outbreak Control, select Application
Blocking, and select the ABC - Application Block List menu item

b. NOTE: If the popup menu goes off the bottom of your screen, while hovering the mouse over the menu option,
press the down-arrow on your keyboard to scroll downward. (only if necessary)

11. You will now view the settings of the ABC - Application Block List item.

12. Click the Outbreak Control menu, navigate to the APPLICATION CONTROL section, and select the Blocking menu
item.

13. The Application Control - Blocking screen appears with the entry for the ABC - Application Block List item on the
screen. All the policies and groups that utilize this block list are shown on the screen.

14. Click the Edit button.

Note: You will see that you can specify specific SHA-256 hashes, upload a file, or upload a file containing SHA-256 hashes to
block files. This is the same method used to specify files for Simple Custom Detections.

15. Verify that you see the entries for the files you added from the Vulnerable Applications screen in the block list’s Files
Included section. (your hashes may vary)

16. Click on the first of the file hashes. Note that you are able to see audit information about which user account added the
hash value. You are also able to delete the entry if needed. Do not delete the entry.

17. You have verified your application block entries exist and have become familiar with where in the interface to administer
the entries for application blocking.

18. You will now test the behavior on the WKST1 computer in audit mode and the WKST2 computer in protect mode by
launching the applications that you just blocked.

19. On the desktop of the Jumphost machine, double-click on the Remote Desktop Connection shortcut for the Wkst1
computer

20. You should automatically be logged onto the Wkst1 machine. You can verify this by looking for the Remote Desktop
Connection bar at the top of the screen; the desktop background also shows the name of the machine you are currently
logged into, as shown below.

21. On the desktop of the WKST1 machine, close any open windows, then double-click on the Simple Calculator shortcut
to run the Marketing department’s critical application.

22. The Simple Calculator application appears on the screen. Perform some basic calculations to simulate use of the
application and then close the window.

23. Close the Remote Desktop Connection to the WKST1 machine and return to the desktop of the Jumphost machine

24. Return to the AMP for Endpoints Console on the Jumphost machine

25. Click the Analysis > Events menu item.

26. When the Events dashboard appears, you will edit the filter settings to show the appropriate data.

27. Change the Time Range value to Day in order to show current events

28. Click the plus symbol in the Group filter setting and select the ABC - Windows Endpoint Audit as well as the ABC -
Windows Compliance Protect group to filter event data only for connectors that are members of those groups

29. There should be several event entries that appear on the screen that show that the connector detected the application
execution but did not block the execution. Notice the Event Type is Detected. Click on the entry for the Java process to
expand it.

a. If you do not have entries for wkst1, it is possible that your system had not pulled the policy updates yet. You can
return to the wkst1 system, sync the AMP policy, run the Calculator app again, and return to the console on the
Jumphost to see the events.

b. If you continue to not see the entries, it could be a delay in the AMP Cloud. Continue with the labs, and check in
on this later in the day or tomorrow and continue working.

30. The expanded details show the computer that the detection event was generated on, the current user account logged in
to the connector computer, and links to open up the Device Trajectory and Management windows for the computer as well
as the ability to initiate a scan against the computer if desired.

31. The WKST1 machine is in audit mode due to its group membership and policy configuration. The connector will report on
what would have happened if the machine was in protect mode but will not actually block the application.

32. You will now test the behavior of the WKST2 machine that is in protect mode due to it being a member of the ABC -
Compliance Protect group and review the event data in the console

33. On the desktop of the Jumphost machine, double-click on the Remote Desktop Connection shortcut for the WKST2
computer

34. You should automatically be logged onto the Wkst2 machine. You can verify this by looking for the Remote Desktop
Connection bar at the top of the screen; the desktop background also shows the name of the machine you are currently
logged into, as shown below.

35. On the desktop of the WKST2 machine, double-click on the Simple Calculator shortcut to run the Marketing
department’s critical application.

a. The application does not appear to execute, and no message is displayed.

b. If the application is not blocked, please verify that you have created an Application Block for the javaw.exe file
that is being executed by the Simple Calculator shortcut. There are several Java processes that may be
identified as vulnerable but the application runs from javaw.exe.

Note: The default policy configuration is to not show File Events in the AMP for Endpoints connector client interface. This is the
reason that no block message was displayed when the applications failed to launch. This can be changed in the Policy settings
under Advanced Settings > Client User Interface.

36. Close the Remote Desktop connection to WKST2 and return to the Jumphost machine to view the data in the AMP for
Endpoints console

37. Refresh the Event window in the AMP for Endpoints console to see the new events that should have occurred due to
attempting to launch the applications on the WKST2 machine. If you have closed the event window, please refer to the
earlier steps in the lab to open it again and apply the correct filter.

38. You should see events showing that the WKST2 machine actually blocked the execution of the Java files. Notice that the
event type is Blocked Exec now that the connector is actually blocking the execution rather than the Detected Exec
event type when the machine was in audit mode.

a. If you do not see the entries in the console, it could be a delay in AMP Cloud reporting. Check on this later today,
or tomorrow and continue working.

39. Expand the entry for one of the blocked events shown on the page and click the Device Trajectory link

40. The Device Trajectory page opens, showing the execution block events for the application symbolized by the red circles
(see the key at the bottom for symbols). Notice that the process is not being marked as malicious. This is shown by the
process being displayed in green rather than red.

41. You have successfully verified that you are able to block vulnerable applications from executing on machines in protect
mode without quarantining the files and that machines in audit mode are not affected by the block but still report on the
execution.

42. Your customer has requested that you change the client user interface settings to show file and network events in the
AMP for Endpoints connector user interface. You will now make the configuration changes required to show notifications in
the connector user interface.

43. Click the Management menu and select the Policies menu item

44. Expand the entry for the ABC - Windows Endpoint Protect policy.

a. Notice that this policy is in use by two groups, the ABC - Windows Endpoint Protect group (used for generic
Windows workstation machines in protect mode) and the ABC - Windows Compliance Protect group (used for
machines that fall under compliance regulations such as PCI, HIPAA, or other policies). Modifying the
settings for this policy will affect all connectors in groups that use this policy. At this point in the lab, only the
WKST2 machine will be affected.

45. Click the Edit button

46. The policy settings page appears. Click the Advanced Settings menu, select the Client User Interface sub-menu, and
uncheck the following options:

a. Uncheck: Hide File Notifications

b. Uncheck: Hide Network Notifications

47. Click the Save button

Note: Notice that the informational icons next to the options change color when a non-default option is set. You can hover over the
information icon to determine what the default value for the setting was.

48. You will now connect to the WKST2 machine and test your user interface changes

49. On the desktop of the Jumphost machine, double-click on the Remote Desktop Connection shortcut for the WKST2
computer

50. You should automatically be logged onto the Wkst2 machine. You can verify this by looking for the Remote Desktop
Connection bar at the top of the screen; the desktop background also shows the name of the machine you are currently
logged into, as shown below.

51. The connector will automatically update its policy settings over time. However, you want to force the update to happen
immediately, so you can perform your testing.

52. Click the notification area arrow in the bottom right of the screen next to the time/date to display the system tray icons.

53. Double-click on the Cisco AMP for Endpoints icon that looks like a blue circle with white lines on it.

54. The Cisco AMP for Endpoints connector UI appears. Click the Settings button.

55. The Settings page appears. Click the Sync Policy button.

56. You are notified that the policy has been successfully updated. Click the OK button and close the settings menu and
close the Cisco AMP for Endpoints Client page.

57. Open the Simple Calculator application by double-clicking on the Simple Calculator shortcut on the desktop

58. You will now see the Process Blocked message in the lower right of the screen. Close any message and dialogs when
you have completed reviewing them.

59. You have successfully configured the client UI notifications to show when the connector takes a block action.

60. Close the remote connection to WKST2 and return to your AMP console on Jumphost.

Note: Each customer deployment may have different requirements for configuring the client UI. It is a best practice to ensure that
the customer understands the options available for end user notifications and that the settings desired in the customer
environment are tested and finalized during the initial deployment to ensure customer satisfaction. In some environments, it is not
desirable to have any notifications at all due to potential user confusion and the impact it may have on new helpdesk tickets. In other
environments, it may be beneficial to ensure that the notifications are enabled so that it is easily determined whether AMP for
Endpoints was involved in a situation where an application or file is being blocked. Without the end user notification, application
issues may be blamed on the AMP connector when it actually has nothing to do with the problem that is occurring.

END OF REQUIRED DAY 1 LABS


If you would like to continue to work on labs, you may, although it is not required.

Scenario 12. Generating Whitelist Hashes


Many organizations deploy both servers and workstation devices based on some type of source “master image.” This allows the
company to make all needed changes and install all required software in the image, and then deploy production end user
machines from this master image such that they are all standardized and have consistent configuration settings. There are various
methods of implementing imaging in environments. Generating a whitelist of hashes from critical portions of a master image can
help ensure AMP for Endpoints will not block critical or custom applications. The paths involved in this process can be different
from customer to customer. The steps here are examples for this given environment but may need to be changed within other
production environments.

Your customer, the ABC Company, uses imaging technology to deploy all workstations. The WKST3 machine is being used as
their master image. They have asked you to ensure that no applications already installed in the image will be blocked by AMP for
Endpoints. The customer imaging team has stated that all applications and custom executable files are located in the following
paths:
• C:\ProgramData
• C:\Program Files
• C:\Program Files (x86)

Additionally, your customer has some other critical files that execute from a network path that they also require to be whitelisted.
You will generate a list of hashes from the network location as well as the files on the master image in order to upload these to
AMP for Endpoints, so they can be whitelisted. The MD5Deep utility and its associated files will be used to generate SHA-256
hashes of all required files.

Network Application Share


Your customer has a critical application that runs from a network drive. They have asked you to ensure that the contents of this
location are whitelisted, so they will not be blocked. You will now use sha256deep64 (part of the md5deep utility suite) to generate
the hashes for the files.

1. Ensure you are logged in to the Jumphost workstation.

2. Right-click on the Start button in the lower left of the screen and select the Command Prompt (Admin) item.

3. If prompted by the User Account Control window, click the Yes button to allow the program to make changes.

4. Change directory to the location of the MD5Deep utility by typing the command cd “c:\setup files\md5deep” and
pressing Enter.

5. The hashing utility does not accept network UNC paths, so you will create a mapped network drive to the files on
\\ad1\apps to access the files via command line:

a. Run the command:

i. net use M: \\ad1\apps

b. Run the command:

i. sha256deep64.exe -r m:\ > appsharehashes.txt

Note: The -r parameter of sha256deep64.exe instructs the tool to move recursively through the specified path and hash all files in
that path and in all of its subdirectories. The greater-than symbol, >, redirects the output of the command into a
file that can then be uploaded to the AMP for Endpoints console.

c. When the command finishes and the prompt returns (it may take a few minutes), type the command:

i. notepad.exe appsharehashes.txt

6. The results of the hashing process are displayed in the text file. You will now upload the file to the Whitelisting object you
created earlier to whitelist these files for your customer.

7. Close notepad.exe

8. Open the AMP for Endpoints console.

9. Click the Outbreak Control menu and select the APPLICATION CONTROL > Whitelisting menu item.

10. Click the Edit button on the ABC - Application Whitelist item.

11. Click the link for Upload Set of SHA-256s

12. Click the Browse button.

13. When prompted for the file to upload, navigate to the C:\Setup Files\md5deep directory and choose the
appsharehashes.txt file. Click the Open button once you have selected the correct file.

14. In the Note field, type Network App Share and click the Upload button.

15. You will receive a message that the contents of the uploaded file will be processed in the background. It could take a little
while for the hashes to appear. Continue to work in the labs and check back on this later today or tomorrow.

16. Click the Edit button on the ABC - Application Whitelist item.

17. Notice that now all the file hashes contained in the file you uploaded have been added to the whitelist. (If they are not
here yet, wait a few minutes and refresh the page. Depending on the time of day and load on the AMP cloud, it is possible
that this takes a bit of time. Feel free to continue with the labs and check on this later today or tomorrow.)

You have successfully created the hash list for the customer’s custom network application share and added those hashes to the
whitelist, so they will not be blocked even if they have a malicious disposition in the cloud.

Master Image Hashing


You will now connect to your customer’s workstation that is the master image for deploying their endpoints. You have been given
the paths of all the application installs by the imaging team. You will create hash lists for the relevant paths and add them to the
whitelist.

1. Ensure you are logged in to the Jumphost workstation.

2. On the desktop of the Jumphost machine, double-click on the Remote Desktop Connection shortcut for the Wkst3
computer.

3. You should automatically be logged onto the Wkst3 machine. You can verify this by looking for the Remote Desktop
Connection bar at the top of the screen; the desktop background also shows the name of the machine you are currently
logged into, as shown below.

4. Right-click on the Start button in the lower left of the screen and select the Command Prompt (Admin) item.

5. If prompted by the User Account Control window, click the Yes button to allow the program to make changes.

6. Change directory to the location of the MD5Deep utility by typing the command cd “c:\setup files\md5deep” and
pressing Enter.

7. Run the command sha256deep64.exe -r -e "c:\ProgramData" >master-programdata.txt

a. You may get some access denied errors in specific areas, such as Windows Defender. This is ok and expected.

b. Once the command finishes and the prompt returns, continue with the next command.

8. Run the command sha256deep64.exe -r -e "c:\Program Files" > master-programfiles.txt

a. Once the command finishes and the prompt returns, continue with the next command.

9. Run the command sha256deep64.exe -r -e "c:\Program Files (x86)" > master-programfilesx86.txt

10. Once the command completes, open File Explorer, navigate to the C:\Setup Files\md5deep folder, right-click on the 3
text files you just generated and select the Edit with Notepad++ menu item.

11. Review the contents of the files. Notice that each entry contains the SHA-256 hash as well as the file path.
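As an added illustration of what the hashing commands in this scenario and in the Network Application Share section produce, the following Python script (not part of the lab or the md5deep suite) walks a directory tree the way sha256deep64.exe -r does, writes one "hash  path" line per file, skips files it cannot read instead of aborting, and then extracts the unique SHA-256 values from that output, which is what the Upload Set of SHA-256s step consumes. The two-space output format and the sample directory tree are assumptions constructed for this example.

```python
"""Added example (not from the dCloud lab guide): a Python stand-in for
`sha256deep64.exe -r <path> > hashes.txt` plus a parser that pulls the bare
SHA-256 values back out of such a file for the Upload Set of SHA-256s step.
Assumptions: the 'hash  path' (two spaces) output format mirrors sha256deep,
and the sample directory tree is constructed here, not taken from the lab."""
import hashlib
import os
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

CHUNK_SIZE = 1024 * 1024
# One line of sha256deep-style output: 64 hex digits, whitespace, then the path.
SHA256_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+(.+)$")
# SHA-256 of an empty file, used as a sanity check of the hashing routine.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def sha256_of_file(path: str) -> str:
    """Stream the file through SHA-256 so large installers need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root: str) -> Tuple[List[str], List[str]]:
    """Walk root recursively (the -r behaviour) and hash every regular file.

    Returns (output lines in 'hash  path' form, paths that could not be read).
    Unreadable files are skipped rather than aborting the whole run, matching
    the lab's remark that access denied errors in protected areas are expected.
    """
    lines: List[str] = []
    denied: List[str] = []
    for dirpath, _subdirs, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            try:
                lines.append(f"{sha256_of_file(full)}  {full}")
            except OSError:  # PermissionError is a subclass of OSError
                denied.append(full)
    return lines, denied


def extract_hashes(text: str) -> List[str]:
    """Return the unique SHA-256 values (lowercase, first-seen order) found in
    sha256deep-style output, dropping blank or malformed lines. The same binary
    copied to several paths yields one hash, which is all the whitelist needs."""
    seen = {}
    for raw in text.splitlines():
        match = SHA256_LINE.match(raw.strip())
        if match:
            seen.setdefault(match.group(1).lower(), match.group(2))
    return list(seen)


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Build a constructed tree standing in for C:\\Program Files, hash it and
    parse the result. Returns (output lines, unique hashes, unreadable paths)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Program Files"
        (root / "App" / "bin").mkdir(parents=True)
        (root / "App" / "bin" / "app.exe").write_bytes(b"MZ" + b"\x00" * 64)
        (root / "App" / "bin" / "helper.dll").write_bytes(b"MZ" + b"\x01" * 64)
        (root / "App" / "copy.exe").write_bytes(b"MZ" + b"\x00" * 64)  # same bytes as app.exe
        (root / "App" / "empty.dat").write_bytes(b"")
        lines, denied = hash_tree(str(root))
        return lines, extract_hashes("\n".join(lines)), denied


if __name__ == "__main__":
    out_lines, unique, unreadable = demo()
    print(f"{len(out_lines)} files hashed, {len(unique)} unique hashes, "
          f"{len(unreadable)} unreadable")
```

On the lab machines the same idea applies to the three master image paths: run it once per path, then feed the extracted hashes to the whitelist upload.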

12. Close Notepad++ after briefly reviewing the file contents.

13. Close the remote desktop connection to wkst3 and return to the Jumphost machine.

14. Open the AMP for Endpoints Console, click the Outbreak Control menu, and select the APPLICATION CONTROL >
Whitelisting menu item.

15. Click the Edit button on the ABC - Application Whitelist item.

16. Click on the link for Upload Set of SHA-256s.

17. Click the Browse button.

Note: The Jumphost machine has mapped network drives to the other computers in the lab so files can be transferred. In the next
step you are accessing files on the WKST3 machine that you generated the hashes on.

18. Navigate to the path Q:\Setup Files\md5deep when prompted for what file to upload, select the master-programdata.txt
file, and click the Open button.

19. In the Note field type Master Image - ProgramData and click the Upload button.

20. The console displays that it is processing the contents of the file in the background. Click the Edit button to upload
another file.

21. Click on the link for Upload Set of SHA-256s.

22. Click the Browse button.

23. Navigate to the path Q:\Setup Files\md5deep when prompted for what file to upload, select the master-programfiles.txt
file, and click the Open button.

24. In the Note field type Master Image - ProgramFiles and click the Upload button.

25. The console displays that it is processing the contents of the file in the background. Click the Edit button to upload
another file.

26. Click on the link for Upload Set of SHA-256s.

27. Click the Browse button.

28. Navigate to the path Q:\Setup Files\md5deep when prompted for what file to upload, select the master-
programfilesx86.txt file, and click the Open button.

29. In the Note field type Master Image - ProgramFilesx86 and click the Upload button.

30. The console will process the contents in the background.

31. Wait a short (or possibly long, depending on the current AMP cloud load) period of time and refresh the page to view the
new file count in the whitelist.

a. If this is taking a long time to update, you can return later today or tomorrow to check on the progress.

Note: The number of files may not be exactly that shown in the screenshot of the lab. This is normal, and you may proceed.

You have successfully ensured that the custom network application files and specific portions of the customer's master image are
in the whitelist. None of these files will be blocked even if they are assigned a malicious disposition. There are several utilities that
have a malicious disposition in the cloud because they are used for nefarious purposes but are also used by valid and benign
software applications. Creating hash lists like you did in the previous scenario can ensure these apps are approved at the
beginning of a deployment, so you do not have to troubleshoot after connectors are deployed. It is important to ensure that the files
on the master image are pristine and that no actual malware exists, as the effects of whitelisting malware on a master image could
be highly detrimental. AMP for Endpoints does not allow a file over 20 MB to be uploaded with hash data.
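The hash-list step above (sha256deep -r -e over a directory, then upload of the text files), worked through as an added example. This is not code from the lab guide or from the md5deep project; it reproduces sha256deep's "hash, two spaces, path" output, keeps going past the access-denied errors the guide expects, and splits the list so no upload exceeds the 20 MB limit the guide states. The master-<stem>-<n>.txt naming and the sample tree are constructed here.

```python
"""Build AMP for Endpoints whitelist hash lists in sha256deep's output format.

Added example, not part of the lab guide or the md5deep project. It mimics what
the lab runs (sha256deep64.exe -r -e <dir> > out.txt): one "<sha256>  <path>"
line per file, continuing past access-denied errors as the guide says to expect,
and splitting the list so no single upload exceeds the 20 MB limit the guide states.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

UPLOAD_LIMIT_BYTES = 20 * 1024 * 1024  # the guide: no hash file over 20MB is accepted


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def hash_tree(root: str) -> Tuple[List[str], List[str]]:
    """Recurse like `sha256deep -r`; return (hash lines, unreadable paths).

    Each line is "<hex digest><two spaces><path>", the layout the lab reviews in
    Notepad++. Unreadable files are reported rather than fatal, matching the
    "denies" the guide expects under Windows Defender's folders.
    """
    lines: List[str] = []
    denied: List[str] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            try:
                lines.append(f"{sha256_of_file(path)}  {path}")
            except OSError as exc:  # PermissionError is a subclass of OSError
                denied.append(f"{path}: {exc.strerror or exc}")
    return lines, denied


def parse_hash_line(line: str) -> Tuple[str, str]:
    """Split one sha256deep line into (digest, path); a truncated or wrapped line is rejected."""
    digest, sep, path = line.rstrip("\r\n").partition("  ")
    if not sep or len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest.lower()):
        raise ValueError(f"not a SHA-256 hash line: {line!r}")
    return digest.lower(), path


def split_for_upload(lines: List[str], limit: int = UPLOAD_LIMIT_BYTES) -> List[List[str]]:
    """Chunk hash lines so each written file (lines plus newlines) stays within `limit`."""
    chunks: List[List[str]] = []
    current: List[str] = []
    size = 0
    for line in lines:
        needed = len(line.encode("utf-8")) + 1  # +1 for the newline
        if current and size + needed > limit:
            chunks.append(current)
            current, size = [], 0
        current.append(line)
        size += needed
    if current:
        chunks.append(current)
    return chunks


def write_chunks(chunks: List[List[str]], out_dir: str, stem: str) -> List[str]:
    """Write master-<stem>-<n>.txt files, named after the lab's master-programdata.txt."""
    written = []
    for index, chunk in enumerate(chunks, start=1):
        out_path = os.path.join(out_dir, f"master-{stem}-{index}.txt")
        with open(out_path, "w", encoding="utf-8") as handle:
            handle.write("\n".join(chunk) + "\n")
        written.append(out_path)
    return written


def demo() -> Dict[str, object]:
    """Hash a small constructed tree (not a real master image) and chunk the result."""
    with tempfile.TemporaryDirectory() as root:
        vendor = os.path.join(root, "ProgramData", "Vendor")
        os.makedirs(vendor)
        with open(os.path.join(vendor, "app.exe"), "wb") as handle:
            handle.write(b"MZ constructed sample, not a real binary")
        open(os.path.join(root, "ProgramData", "empty.dat"), "wb").close()
        lines, denied = hash_tree(root)
        chunks = split_for_upload(lines, limit=120)  # tiny limit just to force a split
        written = write_chunks(chunks, root, "programdata")
        return {"lines": lines, "denied": denied, "files": len(written),
                "digests": [parse_hash_line(line)[0] for line in lines]}


if __name__ == "__main__":
    result = demo()
    print("\n".join(result["lines"]))
    print(f"{len(result['lines'])} hashed, {len(result['denied'])} unreadable, {result['files']} upload files")
```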

Scenario 13. Advanced Custom Detections


Advanced Custom Detections can be used to identify malware when the hash alone is not enough. Simple Custom Detections only
utilize the hash of a file; if the hash changes, the SCD will not match. ACDs can be created to look for other values besides
the hash. You will utilize the centos Linux machine to assist with creating the ACD in the lab. In production, you should use a
dedicated machine that is segmented from the network when dealing with and analyzing potentially malicious files.

In this scenario, we will be using “fake” malware. This is a lab requirement due to the fact that AMP would quarantine any known
malware by default and the lab would not function properly. The files in use in the lab are meant to simulate a potential threat that
has not yet been given a disposition by AMP.

There are many ways to analyze files. The methods used in the lab can be helpful in a real deployment but may need to change
based on the circumstance and the type of file being analyzed. The steps in the lab should be used as an example for a given
situation rather than a specific procedure in every case.

You will be creating two types of Advanced Custom Detections. One will be using characteristics contained in the PE header of a
binary file to match on files that are similar but have different hashes. The second ACD you will create will be based on a string
value contained inside of a file.

ACD Creation Prep Work


1. Ensure you are logged in to the AMP for Endpoints console from the Jumphost workstation.

2. The centos Linux Server must be running an audit mode policy before continuing. We will now place the centos connector
in the ABC - Linux Servers Audit group before continuing with this lab:

a. Click Management > Computers

b. Check the box for the centos system

c. Click Move to Group

d. Select ABC - Linux Server Audit from the Select Group drop-down

e. Click the Move button

3. The Centos Linux system should be in Audit mode, but the connector may not receive the policy update before you
transfer the files. You will run a manual policy sync shortly.

4. You will now generate additional files on the Jumphost machine in order to use with the ClamAV signature creation
process.

a. Open File Explorer on the Jumphost machine and navigate to the Local Disk directory C:\Setup Files\NoSleepyTime

b. Rename the NoSleepyTime.exe file to NoSleepyTime1.exe by right-clicking on the file, selecting the Rename
menu item, typing the new name, and hitting Enter.

c. Navigate to the “C:\Setup Files\NoSleepyTime\Construction” directory in the File Explorer window.

d. Double-click on the DataGen.bat file to execute the script that will generate another executable with a unique
hash.

e. Wait for the batch file to finish and prompt you to continue. Press the Enter key to continue and close the batch
file screen.

f. Using the File Explorer window on the screen, navigate to the “C:\Setup Files\NoSleepyTime” directory. You
should now see a file in that location named NoSleepyTime.exe

g. Rename the NoSleepyTime.exe file to NoSleepyTime2.exe.

h. Navigate to the “C:\Setup Files\NoSleepyTime\Construction” directory in the File Explorer window.

i. Double-click on the DataGen.bat file to execute the script that will generate a third executable with a unique
hash.

j. Wait for the batch file to finish and prompt you to continue. Press the Enter key to continue and close the batch
file screen.

k. Using the File Explorer window on the screen, navigate to the “C:\Setup Files\NoSleepyTime” directory. You
should now see a file in that location named NoSleepyTime.exe

l. Rename the NoSleepyTime.exe file to NoSleepyTime3.exe.

5. You now have three files that have unique hashes but perform the same tasks. The Simple Custom Detection entry you added
for the NoSleepyTime.exe file earlier was based on its specific hash value. Only the NoSleepyTime1.exe file will match the
SCD entry (since that is the file we originally renamed). The other two files will not be blocked even though they
perform the same function. You will now transfer these files to a machine to analyze them, so you can write a ClamAV
signature.

6. Open the PuTTY application on the Jumphost by double-clicking on the shortcut located on the desktop.

7. The PuTTY screen will now appear.

8. Click the Logging menu on the top left in the Category pane and enter the following values:

a. Session Logging: All session output

b. Log file name: C:\Setup Files\putty.log

c. What to do if the log file already exists: Always overwrite it

9. Click the Session menu on the top left in the Category pane and enter the following values:

a. Host name: 198.18.134.50

b. Port: 22

c. Connection type: SSH

10. Click Open

11. When prompted for the user name and password, use the following values:

a. Login as: root

b. Password: C1sco12345

12. Type the command /opt/cisco/amp/bin/ampcli sync and press Enter.

13. The policy is now synced so the connector understands it is in audit mode.

14. Leave the Putty SSH window open. You will return to the window later in the lab.

15. You will now utilize WinSCP to transfer the files to the Linux server so the ClamAV signatures can be created. Open the
WinSCP application using the shortcut on the desktop of the Jumphost machine.

a. If prompted to upgrade, simply click Close.

16. The Login window for WinSCP will now appear.

17. Configure the fields of the Login screen as shown below:

a. File protocol: SCP

b. Host name: 198.18.134.50

c. Port number: 22

d. User name: root

e. Password: C1sco12345

18. Click the Login button.

19. If presented with a Warning screen referring to the SSH key fingerprint, click the Yes button to proceed.

20. You will now transfer the required files needed for both the PE header ACD and the string value ACD scenarios.

21. Double-click on the clamavsigs folder on the right window pane to enter the directory on the centos machine.

22. Select the badbos.rtf file in the Documents directory on the left window pane, right-click on the file, and choose the
Upload menu option.

23. Click the OK button to begin the transfer.

24. Ensure the file is in the /root/clamavsigs directory on the right window pane before proceeding.

25. You will now transfer the three NoSleepyTime files you created earlier. Navigate to the C:\Setup Files\NoSleepyTime
directory in the left window pane of the WinSCP application.

a. You can use the up-arrow folder to navigate towards the root of C: until you locate the Setup Files folder in the
left window pane.

26. Upload the three NoSleepyTime*.exe files to the /root/clamavsigs directory again by selecting all three files, right-
clicking the files, and choosing the Upload menu option.

27. Click the OK button to begin the transfer.

28. You should now see all the required files in the /root/clamavsigs folder.

29. Return to the Putty SSH window.

30. You will now prepare clamAV on the centos machine.

Note: In a production deployment, you should use a dedicated machine that is segmented from the rest of the network for any type
of potential malware analysis activity. The centos machine is being used in this lab for the purposes of completing the lab. In a
customer environment, you would not use a standard production machine for this purpose.

31. To update the ClamAV signatures, type the command sudo freshclam -v and press Enter.

a. You may see some errors along the way; this is normal. Let the process complete.

32. Once the signature update completes, type the command cd /root/clamavsigs/ and press Enter.

33. We can now analyze the files provided to you by the customer within this environment.

ACD PE Header Signature Creation

You will be using ClamAV and other utilities to obtain additional information about the NoSleepyTime files. The information learned
can be used in creating the ClamAV signatures that will then be uploaded as an Advanced Custom Detection.

1. Ensure you are logged in to the centos machine via Putty from the Jumphost workstation.

2. Type the command clamscan --debug NoSleepyTime1.exe and press Enter.

3. A large amount of text will output to the screen. Once the command is finished, you will see a SCAN SUMMARY message
appear.

a. Ensure that Scanned Files: 1 is present in the SCAN SUMMARY. If it is not, your Centos system may still be in Protect
mode and may have quarantined the file upon execution due to the SCD that is present in the policy.

i. If Scanned Files = 0, you may need to 'sync' your linux client to ensure it is instructed to be in
Audit mode, and you will need to return to the WinSCP window and again upload
NoSleepyTime1.exe to the centos system. Once the file is back in place, re-run the clamscan
command. If you continue to have the issue, double check your current policy (it should be
Audit).

b. Notice that since we used the built-in ClamAV signatures, and this file is not seen as a virus, Infected Files = 0.

4. Open the Putty output log file C:\Setup Files\putty.log with the Notepad++ application by using the Notepad++ shortcut
on the Jumphost system and opening the file at C:\Setup Files\putty.log.

5. There are thousands of lines of output from the debug command. You do not have to review all the data in the log file.
Attempt to find some of the following entries in the file: (you can press CTRL+F to search the open document)

a. LibClamAV debug: Matched signature for file type PE

b. LibClamAV debug: Matched signature for file type AUTOIT

c. LibClamAV debug: autoit: magic string '>>>AUTOIT SCRIPT<<<'

d. LibClamAV debug: autoit: original filename

e. LibClamAV debug: autoit: magic string 'C:\Setup Files\NoSleepyTime\Construction\randomdata.txt'

6. Close Notepad++

7. In the Putty SSH window, type the command strings NoSleepyTime1.exe and press Enter. This will output all text
strings contained in the file. This can be useful in certain circumstances when attempting to gather more information about
files.

8. Briefly review the output from the strings command by scrolling back in the SSH window and then proceed with the lab. In
this instance, you will not utilize any of the output from the strings command.

9. Type the command ./PESectionExtractor.pl NoSleepyTime1.exe and press Enter.

10. The PE (portable executable) sections of the file are exported to dat files in the current directory.

11. Type ls and press Enter to see that the PE Header Section *.dat files were created.

12. Type the command sigtool --mdb *.dat > ABC-SigDB01.mdb and press Enter.

13. Type the command clamscan -d ABC-SigDB01.mdb NoSleepyTime1.exe and press Enter.

14. Using the signature database (mdb file) you created from the PE headers, the NoSleepyTime1.exe file is now being
detected as a virus (Infected Files: 1). You will now check the other two instances of the file that each have unique
hashes.

15. Type the command clamscan -d ABC-SigDB01.mdb NoSleepyTime2.exe and press Enter. The second file is detected
as well (Infected Files: 1) even though it too has a different hash.

16. Type the command clamscan -d ABC-SigDB01.mdb NoSleepyTime3.exe and press Enter. The third file is detected
even though it has a different hash as expected.

17. You will now view the contents of the signature file you have created so the data can be entered into the AMP for
endpoints console.

18. Type the command cat ABC-SigDB01.mdb and press Enter. The contents of the ClamAV signature file are displayed.
Leave the Putty window open.

a. If your Putty window is wrapping lines onto a second line, widen or maximize the Putty window and re-run
your last command.

19. Return to the AMP for Endpoints console, click the Outbreak Control menu, and select the CUSTOM DETECTIONS >
Advanced menu item.

20. Click the Create Signature Set button on the Custom Detections - Advanced page.

21. In the Name field, type ABC - Advanced Quarantine List, and click the Save button.

22. Click the Edit button on the ABC - Advanced Quarantine List signature set.

23. Click the Add Signature button.

24. The Add Signature window appears prompting for the value to add. Using the following steps, you will now copy each line
from the MDB file on the Linux server and add a signature value for each line in the MDB file.

a. Leave the Type field as Auto detect.

b. Return to the Putty window and copy the first line of text shown. Be sure to get the entire entry as it may wrap to
the next line (do not grab any trailing whitespace beyond the end of the line).

i. To copy text in a Putty window, simply highlight the line with your mouse. Upon releasing the mouse
button, the text is automatically copied to your clipboard.

c. Paste the text into the Signature field on the AMP for Endpoints console window and click the Add Signature
button.

d. The first signature entry is added.

25. Click the Add Signature button to add the second entry.

a. Return to the Putty window and copy the second line of text shown.

b. Paste the text into the Signature field on the AMP for Endpoints console window and click the Add Signature
button.

26. The signature is added. Click the Add Signature button to add the third entry.

27. Repeat the procedure until all 5 lines of the ABC-SigDB01.mdb file have been added as individual signatures as shown
below.

28. Once all 5 entries are added as signatures, click the Build Database From Signature Set button.

29. You should receive a browser pop-up window stating that Your signature was successfully built. Click the OK button.

30. You have successfully created the ACD, but it is not currently associated with any policies. None of the customer’s
connectors will actually use the ACD until it is associated with a policy.

ACD PE Header Signature Testing


You will now edit the ABC - Windows Endpoint Audit and ABC - Windows Endpoint Protect policies to associate the ACD with them.

1. Ensure you are logged in to the AMP for Endpoints console from the Jumphost workstation.

2. Click the Management menu and select the Policies menu item.

3. Expand the entry for the ABC - Windows Endpoint Audit policy and click the Edit button.

4. Click the Outbreak Control menu.

5. In the Custom Detections - Advanced section click the drop-down menu and select the ABC - Advanced Quarantine
List entry.

6. Click the Save button.

7. On the Policies page, expand the entry for the ABC - Windows Endpoint Protect policy and click the Edit button.

8. Click the Outbreak Control menu.

9. In the Custom Detections - Advanced section click the drop-down menu and select the ABC - Advanced Quarantine List
entry.

10. Click the Save button.

11. You will now generate a new instance of the NoSleepyTime.exe file with a unique hash to test if the ACD detects and
quarantines the file even with the hash being different yet again.

12. Open File Explorer on the Jumphost workstation by double-clicking the JUMPHOST shortcut on the desktop

13. Navigate to the Local Disk “C:\Setup Files\NoSleepyTime\Construction” directory

14. Double-click on the DataGen.bat file to execute the script that will generate an executable file with an unknown
disposition to be used in the lab. You have already created an SCD earlier that is matching based on a unique hash. After
generating a new file, the hash will no longer match the SCD. You will be testing to see if the signature you made with the
ACD will work based on characteristics of the file even if the files are not exactly the same.

15. Wait for the batch file to finish and prompt you to continue. Press the Enter key to continue and close the batch file
screen.

16. Using the File Explorer window on the screen, navigate to the “C:\Setup Files\NoSleepyTime” directory. You should now
see a file in that location named NoSleepyTime.exe along with the previous iterations of the file you generated. The new
instance of the file has already been copied to the WKST1 and WKST2 machines.

17. On the desktop of the Jumphost machine, double-click on the Remote Desktop Connection shortcut for the Wkst1
computer.

18. You should automatically be logged onto the Wkst1 machine. You can verify that you are logged into the Wkst1 machine
by looking at the top of the screen for the Remote Desktop Connection bar; the background of the desktop will show
the name of the machine currently logged into as shown below.

19. You will now ensure that the connector has the latest policy updates by opening the connector user interface and forcing
a policy update.

20. Click the taskbar icon arrow in the lower right corner of the screen in the system tray and double-click on the Cisco
AMP for Endpoints icon (blue circle).

21. Click the Settings button.

22. Click the Sync Policy button.

23. You may receive a message that notifies you that the policy is already up to date or that the policy was updated
successfully, depending on the timing of the connector's communication to the AMP cloud.

24. Close the connector user interface window.

25. Launch the File Explorer on WKST1 by double-clicking on the WKST1 shortcut on the desktop.

26. Navigate to the Local Disk C:\Setup Files\NoSleepyTime directory and double-click the NoSleepyTime.exe file to
launch the application.

27. You are presented with a notification from the file being launched. Click the OK button to close it. The file was allowed to
execute, because the WKST1 machine is in audit mode, even though the ACD would otherwise have quarantined it.

28. Terminate the NoSleepyTime.exe process on WKST1.

a. Open an administrative command prompt by right-clicking the Start menu and selecting Command Prompt
(Admin). Click Yes to allow it to run.

b. Then, run the command: taskkill /im nosleepytime.exe /f

29. Close the Remote Desktop window for WKST1 and return to the AMP for Endpoints console on the Jumphost machine.
You will now review the events generated by the WKST1 machine.

30. Click the Analysis > Detections / Quarantine menu item.

31. Expand the event for the WKST1 machine. Notice that the NoSleepyTime.exe was detected but not quarantined due to
the connector being in audit mode.

32. Click the file hash next to Fingerprint (SHA-256). Notice that the Disposition is Unknown but that the connector is still
detecting the file through the ACD you created and not through the Simple Custom Detection rule that uses only the hash
of the previous file instance.

33. From the Jumphost system, connect to WKST2.

34. Using the AMP for Endpoints Connector client interface on WKST2, sync the policy for this connector.

35. Once the policy is synced, navigate to C:\Setup Files\NoSleepyTime\ and double-click NoSleepyTime.exe.

a. You may need to try more than once if you are working through the lab very quickly. Shortly after the sync
request occurs, this system will learn about the new ACD configuration and quarantine the file.

36. Close the WKST2 connection.

37. Review the events to find the event for the WKST2 machine. Notice that the event type is Quarantine Successful, and that
it used Clam and not Simple_Custom_Detection.

ACD String Value Signature Creation

Your customer has provided you with a suspect document, and they would like you to use an Advanced Custom Detection to detect
and prevent it within the ABC company's systems. You have performed some preliminary research on the suspicious file and have
determined that there is a text string associated with this particular malware. You will now create an ACD based on that string to
identify files that are related to the malware.

1. Return to the Putty SSH session with the centos Linux server.

2. Type clear and press Enter to clear the SSH screen.

3. Type the command strings badbos.rtf | grep "Ad V1ct0r1am" and press Enter.

4. It appears that the identifying text string is present in the file. You will now analyze the file in a hex editor to obtain the hex
value for the string and view the contents of the file.

5. On the desktop of the Jumphost machine, double-click the HxD shortcut to launch the hex editor program.

6. Click the File menu and select the Open menu item.

7. Navigate to the Documents folder by selecting the Libraries folder on the left and then double-click on the Documents
folder.

8. Select the badbos.rtf file and click the Open button.

9. The contents of the file appear as text on the right side of the screen and as hex on the left side of the screen.

10. You will now search for the string in the file. Click the Search menu and select the Find menu item.

11. In the Search for field enter the text Ad V1ct0r1am and click the OK button.

12. The string is found in the file and the associated hex value is shown as being 41642056316374307231616D.

13. Right-click on the hex value currently selected and click on the Copy menu item to copy the hex value to the clipboard.

14. Return to the Putty SSH session window for the centos Linux server machine.

15. Type the command nano ABC-badbossig.ndb and press Enter.

Note: The name of the NDB file does not matter. It is just a temporary file used to contain the signature you are creating
before you enter the data on the AMP for Endpoints console.

16. In the Nano text editor window, type the line below:

a. Trojan.Win32.ABC-Bad-File.A:0:*:41642056316374307231616D

b. You can paste the last portion of the text above as it is the hex output we just copied. You will need to remove
the spaces between each pair of numbers so the output matches the above when you are done.

c. Note: The format of the ndb file is Name:Type:Offset:HEX_OUTPUT

i. Name: The descriptive name you wish the threat to be detected as in the AMP for Endpoints console.

ii. Type: The type of file represented by one of the following numerical values

1. 0 = any file

2. 1 = Portable Executable (example: a Windows exe)

3. 2 = OLE2 component (example: a VBA script)

4. 3 = HTML

5. 4 = Mail file

6. 5 = Graphics

7. 6 = ELF

8. 7 = ASCII text file

iii. Offset: The position within the file to search for the hex string. Wildcards accepted.

iv. HEX_OUTPUT: The string value in hexadecimal format to search.

17. Once you have verified that the contents of the file are correct, press Ctrl+X to exit the file.

18. When prompted to Save modified buffer press the Y key and then press Enter.

19. You will now test the signature file you just created against the badbos.rtf file to see if the signature matches.

20. Type the command clamscan -d ABC-badbossig.ndb badbos.rtf and press Enter.

21. The clamscan command returns with a match and the SCAN SUMMARY section displays Infected files: 1.

22. Your signature has matched successfully on initial testing. You will now create the ACD in the AMP for Endpoints console.

a. If your signature did not match and you got an error about a bad database file, recreate the file using the steps
above but making sure you type everything manually rather than using copy-paste.

23. Type the command cat ABC-badbossig.ndb and press Enter.

24. Copy the text Trojan.Win32.ABC-Bad-File.A:0:*:41642056316374307231616D from the Putty window to be used in the
AMP for Endpoints console.

a. Again, to copy text within a Putty window, just highlight the text and release the mouse button and it will
automatically be copied into your buffer.

25. Return to the AMP for Endpoints console, click the Outbreak Control menu, and select the CUSTOM DETECTIONS >
Advanced menu item.

26. Click the Edit button on the ABC - Advanced Quarantine List entry.

27. Click the Add Signature button.

28. In the Signature field, paste the copied text from the output of the NDB file in the Putty window and click the Add
Signature button.

29. Click the Build Database From Signature Set button.

30. You should receive a browser pop-up window stating that Your signature was successfully built. Click the OK button.

31. You have successfully edited the ACD with the signature containing the identifying text string. You will now test your
changes to verify that files containing that string are detected correctly.

ACD String Value Signature Testing

We can now validate that the suspect file is detected properly based upon the latest customer Advanced Custom Detection signature
we have deployed to the associated connectors.

1. First, we will copy the badbos.rtf file from the Jumphost machine to the WKST1 and WKST2 machines using the following
steps.

2. Open the File Explorer on the Jumphost machine by double-clicking the Jumphost shortcut on the desktop.

3. Navigate to the Documents folder and locate the badbos.rtf file.

4. Right-click the badbos.rtf file and select Copy.

5. Navigate to the O:\Users\admin\Documents folder, right-click, and select Paste to paste the file here. Ensure you
see the file here before moving on.

6. Navigate to the P:\Users\admin\Documents folder, right-click, and select Paste to paste the file here. Ensure you
see the file here before moving on.

7. On the desktop of the Jumphost machine, double-click on the Remote Desktop Connection shortcut for the Wkst1
computer.

8. You should automatically be logged onto the Wkst1 machine. You can verify that you are logged into the Wkst1 machine
by looking at the top of the screen for the Remote Desktop Connection bar and the background of the desktop will show
the name of the machine currently logged into as shown below.

9. You will now ensure that the connector has the latest policy updates by opening the connector user interface and forcing
a policy update.

10. Click the taskbar icon arrow in the lower right corner of the screen in the system tray and double-click on the Cisco
AMP for Endpoints icon (blue circle).

11. Click the Settings button.

12. Click the Sync Policy button.

13. You may receive a message that notifies you that the policy is already up to date or that the policy was updated
successfully depending on the timing of the connector’s communication to the AMP cloud.

14. Close the connector user interface window.

15. Launch the File Explorer on WKST1 by double-clicking on the WKST1 shortcut on the desktop.

16. Navigate to the Documents folder, right-click the badbos.rtf file, click the Cisco AMP for Endpoints menu, and select
the Scan Now menu item.

17. Note the outcome and close the notification window.

18. You will now edit the badbos.rtf file and save the edited file to disk so that the hash of the file will be different.

19. Double-click the badbos.rtf file to open the file in MS Word. (This works because WKST1 is in Audit mode.)

20. Type the current time and date on the first line of the file.

21. Click the Save button and close the file.

22. Perform another scan on the file.

23. Close the Remote Desktop connection and return to the AMP for Endpoints console on the Jumphost machine.

24. Click the Analysis menu and select the Events menu item.

25. There are several events related to the badbos.rtf file. Notice that both the WKST1 and WKST2 machines detected the
file and that WKST2 performed a quarantine action on the file.

a. If you do not yet have entries for WKST2, that policy has not synced yet. This is OK; you may proceed.

26. Expand the oldest badbos.rtf detection event for the WKST1 machine (a few entries down the list of events). Notice the
hash of the file.

27. Expand the most recent detection event for the WKST1 machine for the badbos.rtf file. Compare the hash of the file in the
latest event after the save took place to the hash of the file in the first event.

28. The hashes are different, but the ACD signature you created is detecting the string within the file. You have successfully
detected the threat based on the content of the file.
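The NDB signature built in the Putty session and the hash-change test above, as an added Python example that is not part of the lab guide, of ClamAV or of AMP: it parses the signature line from the lab (name:type:offset:hex), decodes the hex into the marker bytes, applies the offset rule ("*" anywhere, an absolute offset, or EOF-n) and shows that an edited copy of the file has a different SHA-256 but still matches the content signature. The RTF contents are constructed stand-ins, since badbos.rtf itself is not reproduced in the guide; the "??" wildcard handling and the helper names are my additions.

```python
"""Minimal matcher for ClamAV-style NDB signatures (name:type:offset:hex), the
format used for the ACD string-value signature in this scenario.

Added example; not part of the lab guide, ClamAV or the AMP product.
"""
import hashlib
import re
from dataclasses import dataclass

# Signature exactly as built in the lab. The hex body decodes to the marker
# text the exercise searches for.
SIGNATURE_LINE = "Trojan.Win32.ABC-Bad-File.A:0:*:41642056316374307231616D"

# Constructed sample files (assumption: the real badbos.rtf carries this marker).
BADBOS_V1 = b"{\\rtf1\\ansi Quarterly report\\par Ad V1ct0r1am\\par}"
# The same file after the lab's edit: a timestamp typed on the first line.
BADBOS_V2 = b"{\\rtf1\\ansi 2018-06-01 10:15\\par Quarterly report\\par Ad V1ct0r1am\\par}"
CLEAN_RTF = b"{\\rtf1\\ansi Nothing to see here\\par}"


@dataclass
class NdbSignature:
    name: str
    target_type: int      # 0 = any file type
    offset: str           # "*", "N" (absolute), or "EOF-N"
    regex: re.Pattern     # hex body compiled to a bytes regex


def parse_ndb_line(line: str) -> NdbSignature:
    """Parse one NDB line. '??' in the hex body is a single-byte wildcard."""
    name, target_type, offset, hex_body = line.strip().split(":")[:4]
    if len(hex_body) % 2:
        raise ValueError("hex signature must have an even number of digits")
    pairs = [hex_body[i:i + 2] for i in range(0, len(hex_body), 2)]
    pattern = b"".join(
        b"." if p == "??" else re.escape(bytes([int(p, 16)])) for p in pairs
    )
    return NdbSignature(name, int(target_type), offset, re.compile(pattern, re.DOTALL))


def matches(sig: NdbSignature, data: bytes) -> bool:
    """Apply the signature's offset rule to the file bytes."""
    if sig.offset == "*":
        return sig.regex.search(data) is not None
    if sig.offset.startswith("EOF-"):
        start = len(data) - int(sig.offset[4:])
    else:
        start = int(sig.offset)
    return 0 <= start <= len(data) and sig.regex.match(data, start) is not None


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan(sigs, files: dict) -> dict:
    """Mimic clamscan -d: which files hit which signatures, plus a summary count."""
    hits = {}
    for filename, data in files.items():
        names = [s.name for s in sigs if matches(s, data)]
        if names:
            hits[filename] = names
    return {"hits": hits, "scanned": len(files), "infected": len(hits)}


def demo() -> dict:
    """The lab's point: the edited file has a new hash but still matches the content signature."""
    sig = parse_ndb_line(SIGNATURE_LINE)
    return {
        "marker": bytes.fromhex(SIGNATURE_LINE.split(":")[3]),
        "hash_changed": sha256_hex(BADBOS_V1) != sha256_hex(BADBOS_V2),
        "before_edit": matches(sig, BADBOS_V1),
        "after_edit": matches(sig, BADBOS_V2),
        "clean": matches(sig, CLEAN_RTF),
    }


if __name__ == "__main__":
    print(demo())
    print(scan([parse_ndb_line(SIGNATURE_LINE)],
               {"badbos.rtf": BADBOS_V2, "clean.rtf": CLEAN_RTF}))
```

A hash-based Simple Custom Detection would have stopped matching after the edit; the string signature keeps matching because it is evaluated against the bytes, which is the trade-off the ACD exercise is illustrating.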


Scenario 14. Indications of Compromise (IOC)


Endpoint IOCs can be used to determine which machines have been compromised by looking at specific attributes of a machine.
Endpoint IOC is not a prevention tool but rather an incident response tool that is used to determine the scope of the compromise
across an organization. You will utilize Endpoint IOCs by importing existing IOC definitions created by the security community, as
well as creating your own IOC. You will then scan the endpoints in your ABC company deployment for attributes defined in your
IOCs to determine if any systems have been compromised.

Installing Pre-built IOC


Cisco, and the greater security community, have built many IOCs that are available for installation on your AMP Console. We will
illustrate how to install these types of IOCs at this time.

1. Ensure you are logged in to the AMP for Endpoints console on the Jumphost machine.

2. Close all open applications except for your AMP console Chrome window.

3. Click the Outbreak Control menu and select the ENDPOINT IOC > Installed Endpoint IOCs menu item.

4. The Installed Endpoint IOCs page appears and shows that no Endpoint IOCs have been uploaded to your AMP console.

5. You will now upload a subset of IOCs that are provided as samples in the Cisco Endpoint IOC Attributes document.

a. Click the Upload button on the Installed Endpoint IOCs page.

Note: We have already downloaded the IOCs to the local machine. For real deployments, you can access the list of sample IOCs
at the following link, or by opening the online help in the AMP for Endpoints console and accessing Contents > Endpoint IOC
Scanner > Installed Endpoint IOCs > View and Edit.

https://docs.amp.cisco.com/Cisco%20Endpoint%20IOC%20Attributes.pdf

b. The Upload Endpoint IOCs window appears prompting for the individual XML file or a ZIP containing multiple
XML files. Click the Browse button to select the ZIP file containing the IOCs.

c. Navigate to the JUMPHOST Local Disk C:\Setup Files\AMP4E IOC Bundle folder, select the AMP4E-IOC-Bundle.zip
file, and click the Open button.

d. Click the Upload button to submit the ZIP file containing the IOCs.

e. You will receive a message stating that the file has been uploaded successfully. It may take several minutes for
the uploaded IOCs to be extracted and display in the console.

6. In approximately 2-3 minutes, refresh the console screen to see the IOCs you just uploaded. Refresh the console
webpage as necessary.

7. Click the plus symbol on the first IOC entry to view more details.

8. Click the Edit button.

9. Notice that you have the ability to edit details of the IOC and assign certain Categories, Groups, and even Keywords. You
also have the ability to edit the source of the IOC entry in XML format. Review the different options and click the Cancel
button to return to the Installed Endpoint IOCs page.

10. You have successfully imported IOCs obtained from Cisco.

Creating a Custom IOC


Sometimes you need an IOC that does not exist yet. You will now create your own IOC based on a unique set of
parameters.

1. Your customer has provided you with IOC attributes they have obtained from a subscription threat intelligence feed. The
attributes you will define in the IOC are listed below; continue to the next step and you will be shown how to create the IOC:

a. IOC Name: Fake Windows Update

b. Registry value name: Winupdtldr

c. Process name: winupdtldr.exe

2. Open the IOC editor application by double-clicking on the Mandiant IOCe shortcut on the desktop of the Jumphost
machine.

3. When prompted to select the directory the program should use for IOCs, select the Downloads directory, and click the
OK button.

4. Click the File menu, select the New submenu, and select the Indicator menu item.

5. Configure the following fields:

a. Name: ABC - Fake Windows Update

b. Author: AMP4E Lab

c. Description: IOC created for AMP4E lab exercise

6. Click the drop-down arrow on the Item button to open the list of attributes to add.

7. Navigate through the list to the RegistryItem menu and select the Registry Value Name object.

8. The Registry Value Name item is added but has no value defined in it. Double-click on the entry to add a value.

9. After double-clicking you will have a text field to enter the data for the registry value name. Enter winupdtldr as the
value and hit Enter.

10. The entry changes to match the value you just added.

11. Ensure the Registry Value Name item (the entry you just added) is selected and add another entry by clicking the
drop-down arrow on the Item button, selecting the ProcessItem menu, and selecting the Process Name field item.

a. You must click the down arrow next to the Item button to get the pop-up item selector to appear.

12. Type winupdtldr.exe in the value for the Process Name and hit Enter.

13. Once you have added the entries, verify your screen appears as the example below before continuing in the lab.

14. Save the IOC file by clicking the File menu and selecting the Save menu item.

15. Close the IOC editor application.

16. You will now upload the IOC you have just created to the AMP for Endpoints console.

17. Return to the AMP for Endpoints console and open the Outbreak Control > ENDPOINT IOC > Installed Endpoint IOCs
page.

18. Click the Upload button.

19. Click the Browse button.

20. Navigate to the Downloads directory, select the IOC file you just saved from the IOC editor, and click the Open button.
(The name may be different; look for the most recently modified file, or select the IOC file entry that does not have tesla in the
name.)

21. Click the Upload button.

22. The ABC - Fake Windows Update IOC entry is displayed on the screen.

Note: If your IOC entry is not marked as active, you may need to review the settings from your IOC file to ensure your settings are
valid. Review the previous steps in the lab and attempt to recreate the IOC file or make the necessary edits and try again. If your
entry is marked as Active, please proceed.

23. You have successfully created a custom IOC based on attributes provided by your customer.

Note: In order for the IOC flash scan to match the winupdtldr.exe process, that process must be running. For the purposes of the
lab only you will now ensure that the IOC scan finds a matching winupdtldr.exe process.

24. On the desktop of the Jumphost machine, double-click on the Remote Desktop Connection shortcut for the Wkst1
computer.

25. You should automatically be logged onto the Wkst1 machine. You can verify that you are logged into the Wkst1 machine
by looking at the top of the screen for the Remote Desktop Connection bar and the background of the desktop will show
the name of the machine currently logged into as shown below.

26. Open an Admin Command Prompt on WKST1 by right-clicking the Windows Start button and selecting Command
Prompt (Admin). Click Yes to allow.

27. Type the command copy c:\users\admin\Desktop\putty.exe c:\Windows_Updates and hit Enter.

28. Type the command ren c:\Windows_Updates\putty.exe winupdtldr.exe and hit Enter.

29. Type the command c:\Windows_Updates\winupdtldr.exe and hit Enter.

30. The Putty application now appears. Leave the Putty window open; do not close it. This is being used for the
purposes of the lab to have a process running that will match the IOC definition.

31. Close the Remote Desktop window to WKST1 and return to the Jumphost machine.

Scanning for Matching IOC


We will now initiate a scan for a specific computer (WKST1) to look for matching IOCs within the customer environment.

1. In the AMP Console, click the Management > Computers menu item.

2. Expand the wkst1 computer object, and click the Scan button.

3. Select Endpoint IOC as the Scan Engine and leave the Scan Depth as Flash.

4. Click the Start Scan button. Then click the X to close the Run Scan window.

5. In the lab environment, we will force a policy update on the AMP connector to help it start the scan in a timely manner
although it can still take several minutes for the scan to start.

6. On the desktop of the Jumphost machine, double-click on the Remote Desktop Connection shortcut for the Wkst1
computer.

7. You should automatically be logged onto the Wkst1 machine. You can verify that you are logged into the Wkst1 machine
by looking at the top of the screen for the Remote Desktop Connection bar and the background of the desktop will show
the name of the machine currently logged into as shown below.

8. At the bottom right corner of the screen of the WKST1 machine, click the taskbar icon arrow to show hidden system tray
icons. Double-click on the AMP for Endpoints blue circle icon to open the connector interface.

9. The connector interface appears. Click the Settings button.

10. Click the Sync Policy button.

11. You will receive the notification that the policy settings are up to date. Click the OK button and remain on the Settings
screen.

12. Click Close.

13. You should eventually see the connector show that it is Scanning… (Occasionally, this process takes a bit of time to start
on the connector. Feel free to move on to lab 15 which will give the connector time to complete the scan, then return to
complete the remaining steps of lab 14 later today or tomorrow.)

14. Wait for the scan to complete. The button will then change from “Scanning…” to “Scan Now”.

15. You will be able to see the history for this AMP for Endpoints connector. Click the History button.

16. Select the entry on the right pane of the window for the Flash Scan that just completed. The details pane on the right of
the window will show the number of IOC objects that were scanned and the number that were
detected. You will likely see 1 or 2 matching IOC objects depending on your configuration.

17. Click the Close button on the File History screen.

18. Close the Remote Desktop connection to the WKST1 machine and return to the AMP for Endpoints console on the
Jumphost machine.

19. Open Events by clicking the Analysis menu and selecting the Events menu item.

20. Change the event filter settings to show events from the Time Range of Day and the group ABC - Windows Endpoints
Audit.

21. Continue to apply filters by selecting the Endpoint IOC Events top-level item (which will include all sub-items) from the
Event Type drop-down.

22. Notice that there are several events generated by the WKST1 machine in reference to the IOC changes and scan.

23. Expand the entry for the Endpoint IOC Scan Detection Summary event. Notice that the event displays how many total
IOCs were scanned for and how many matched. The event also details the specific IOC that matched.

24. Click the link for the ABC - Fake Windows Update IOC shown in the event. The summary of the IOC detection for the
wkst1 machine appears in a new Chrome tab.

25. Ensure the entry is expanded and view the matches below it. Remember that the IOC you created had registry entries in
it. Those are not shown below. The Flash Scan only matched the running process and file entries as they were the only
items active during the flash scan.

26. Click the Launch Device Trajectory button.

27. When the Device Trajectory tab loads, look for the entries showing the policy update and scan events. Click on each of
the policy update and scan events and review the data in the event. (If you do not see these events, scroll back in the
Device Trajectory timeline to the appropriate time.)

28. In the search field at the top of the page, enter in the name of the executable in the IOC, winupdtldr, to filter the events
on the Device Trajectory to only show those related to the executable.

29. Review the events shown on the device trajectory for informational purposes. It does not appear that there are any
malicious actions being taken by the file presently.

Note: In a production environment you could create a Simple Custom Detection to quarantine the file if active processes were
found in an IOC.
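The IOC built in the editor (Creating a Custom IOC) and the flash-scan behaviour observed in this section, as an added Python example that is not part of the lab guide or of the AMP connector: it emits the ABC - Fake Windows Update indicator as OpenIOC 1.0 XML, the format the Mandiant IOC editor saves and the console imports (the element layout is my reading of that schema, not taken from the lab's file), then evaluates it against a constructed WKST1 snapshot with only the scan type's documents in scope, which is why the registry term never contributes to a flash scan result. The snapshot, the scope sets and the helper names are assumptions.

```python
"""Build the 'ABC - Fake Windows Update' indicator as OpenIOC 1.0 XML and
evaluate it the way a flash scan does: only live data (running processes, open
files) is examined, so registry-based terms cannot match.

Added example; not part of the lab guide or the AMP connector.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = "http://schemas.mandiant.com/2010/ioc"
ET.register_namespace("", NS)


def q(tag: str) -> str:
    """Namespace-qualify a tag for ElementTree."""
    return f"{{{NS}}}{tag}"


def build_ioc(name, author, description, items, operator="OR") -> str:
    """items: (document, search term, value) triples combined under one operator."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
    ioc = ET.Element(q("ioc"), {"id": str(uuid.uuid4()), "last-modified": now})
    ET.SubElement(ioc, q("short_description")).text = name
    ET.SubElement(ioc, q("description")).text = description
    ET.SubElement(ioc, q("authored_by")).text = author
    ET.SubElement(ioc, q("authored_date")).text = now
    ET.SubElement(ioc, q("links"))
    top = ET.SubElement(ET.SubElement(ioc, q("definition")), q("Indicator"),
                        {"operator": operator, "id": str(uuid.uuid4())})
    for document, term, value in items:
        item = ET.SubElement(top, q("IndicatorItem"),
                             {"id": str(uuid.uuid4()), "condition": "is"})
        ET.SubElement(item, q("Context"),
                      {"document": document, "search": term, "type": "mir"})
        ET.SubElement(item, q("Content"), {"type": "string"}).text = value
    return ET.tostring(ioc, encoding="unicode")


def build_fake_update_ioc(operator="OR") -> str:
    """The two attributes the lab's customer supplied, under the chosen operator."""
    return build_ioc(
        "ABC - Fake Windows Update", "AMP4E Lab", "IOC created for AMP4E lab exercise",
        [("RegistryItem", "RegistryItem/ValueName", "Winupdtldr"),
         ("ProcessItem", "ProcessItem/name", "winupdtldr.exe")],
        operator,
    )


# Per the lab text, a flash scan only sees running processes and file entries.
FLASH_SCOPE = {"ProcessItem", "FileItem"}
FULL_SCOPE = FLASH_SCOPE | {"RegistryItem"}   # assumption: a full scan adds the registry

# Constructed WKST1 state after the lab: the renamed putty is running, no registry value exists.
WKST1_SNAPSHOT = {"ProcessItem/name": {"explorer.exe", "svchost.exe", "winupdtldr.exe"}}


def evaluate(ioc_xml: str, snapshot: dict, scope: set):
    """Return (matched, hit terms, terms skipped because the scan type does not collect them)."""
    root = ET.fromstring(ioc_xml)
    hits, skipped = [], []

    def walk(node) -> bool:
        results = []
        for child in node:
            if child.tag == q("Indicator"):
                results.append(walk(child))
            elif child.tag == q("IndicatorItem"):
                ctx, content = child.find(q("Context")), child.find(q("Content"))
                term, doc = ctx.get("search"), ctx.get("document")
                if doc not in scope:
                    skipped.append(term)
                    results.append(False)
                    continue
                want = (content.text or "").lower()   # Windows names are case-insensitive
                seen = {v.lower() for v in snapshot.get(term, ())}
                hit = (want in seen if child.get("condition") == "is"
                       else any(want in v for v in seen))
                if hit:
                    hits.append(term)
                results.append(hit)
        return all(results) if node.get("operator", "OR").upper() == "AND" else any(results)

    matched = any(walk(ind) for ind in root.find(q("definition")))
    return matched, hits, skipped


if __name__ == "__main__":
    doc = build_fake_update_ioc()
    print(doc)
    print(evaluate(doc, WKST1_SNAPSHOT, FLASH_SCOPE))
```

The operator matters for scoping: the lab's OR indicator fires on the process alone, while the same two terms under AND can never be satisfied by a flash scan because the registry term is not collected, so it would only ever match in a scan type that reads the registry.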

Scenario 15. Troubleshooting


During the deployment of any technology solution there comes a time when the need to troubleshoot issues arises. You will now
go through some of the troubleshooting scenarios that can help identify a potential issue with the AMP for Endpoints
connector. You will be verifying network connectivity, using the command line interface for the Linux connector, manually applying policy
updates to a connector, and troubleshooting potential performance issues.

Connector Network Connectivity


1. On the desktop of the Jumphost machine, double-click on the Remote Desktop Connection shortcut for the Wkst1
computer.

2. You should automatically be logged onto the Wkst1 machine. You can verify that you are logged into the Wkst1 machine
by looking at the top of the screen for the Remote Desktop Connection bar and the background of the desktop will show
the name of the machine currently logged into as shown below.

3. Right-click on the Start button in the lower left of the screen and select the Command Prompt (Admin) item. If
prompted by the User Account Control window, click the Yes button to allow the program to make changes.

4. Change directory to the location of the AMP for Endpoints connector by typing the command cd "C:\Program
Files\Cisco\AMP\6.1.7" and press Enter. (Your installed version may vary; see the note below.)

Note: As AMP versions change, the path to the directory used in this lab will change as well. If you receive an error message
stating the path is invalid, open File Explorer and navigate to the C:\Program Files\Cisco\AMP directory and determine the
correct version number to type in the previous command.

5. Type the command ConnectivityTool.exe and press Enter. Notice that the command returns a success.

6. You will now view the log file for the ConnectivityTool.exe command. Open File Explorer and navigate to the WKST1
Local Disk C:\Program Files\Cisco\AMP\6.1.7 directory (or appropriate version number).

7. Right-click on the ConnectivityTool.exe.log file and select the Edit with Notepad++ item.

8. Review the log file, paying attention to items such as the following:

a. Fetching policy from https://

b. [pass] Connectivity check completed with no issues.

Note: If a proxy is in the path of the communication, this output may be different. Specifically, pay attention to the SSL
certificate message. If the certificate is not valid, that may indicate that the HTTPS session is being intercepted by a proxy or
application layer firewall.

9. Go to the end of the log file and review the SUMMARY. This is an easy way to determine if any potential issues exist and
which part of the connector’s network communication process is having an issue as part of the troubleshooting process.

10. Close the Notepad++ application.

11. Close the command prompt window.

12. Close the File Explorer window.

13. Open Chrome and go to https://mgmt.amp.cisco.com/health

The Connectivity Tool can be helpful in diagnosing a potential network, firewall, or proxy issue in a customer environment. Using a
web browser to connect to the link in the previous step can also be a simple way to verify that the environment is permitting the
traffic and that there are no issues with the AMP cloud itself.
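The log review described in this section, as an added Python example that is not Cisco's tool or part of the lab guide: it tallies the [pass]/[fail] check lines of a ConnectivityTool log and flags the case the note warns about, where transport checks pass but the certificate does not verify, which points at an intercepting proxy or application-layer firewall rather than at a blocked connection. Only the "[pass] ..." and "Fetching policy from https://" line forms come from the lab; the "[fail]" form, the wording of the other lines and the [policy-host] placeholder are constructed.

```python
"""Triage a ConnectivityTool.exe.log: count the check lines and single out a
certificate failure that sits behind passing DNS/TCP checks.

Added example; not Cisco code. The sample lines are constructed.
"""
import re

# Constructed sample of an intercepted-TLS run. Only the first two line forms
# appear in the lab guide; the rest are assumptions about the log's shape.
SAMPLE_LOG = """\
Fetching policy from https://[policy-host]/
[pass] Resolved cloud hostnames via DNS
[pass] TCP connection on port 443 established
[fail] SSL certificate validation failed: issuer is not in the trusted chain
[fail] Fetching policy from https://[policy-host]/ returned an error
SUMMARY
[fail] Connectivity check completed with issues
"""

CHECK_LINE = re.compile(r"^\[(pass|fail|warn)\]\s+(.*)$", re.IGNORECASE)
CERT_HINT = re.compile(r"\b(ssl|tls|certificate)\b", re.IGNORECASE)


def triage(log_text: str) -> dict:
    """Summarise check results and name the checks to investigate first."""
    passed, failed, warned = [], [], []
    buckets = {"pass": passed, "fail": failed, "warn": warned}
    for line in log_text.splitlines():
        m = CHECK_LINE.match(line.strip())
        if not m:
            continue            # progress lines such as "Fetching policy from ..."
        buckets[m.group(1).lower()].append(m.group(2))
    cert_failures = [msg for msg in failed if CERT_HINT.search(msg)]
    # Transport works (a TCP/443 check passed) but the certificate does not
    # verify: the signature of a proxy or inspection device ending the TLS session.
    transport_ok = any("port 443" in msg.lower() or "tcp" in msg.lower() for msg in passed)
    return {
        "pass": len(passed), "fail": len(failed), "warn": len(warned),
        "failed_checks": failed,
        "cert_failures": cert_failures,
        "tls_interception_suspected": bool(cert_failures) and transport_ok,
        "healthy": not failed and not warned,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

When the verdict is a suspected interception, the fix is on the network side (exempt the AMP cloud hosts from TLS inspection or trust-chain rewriting), not on the connector; when everything fails including DNS or TCP, look at the firewall or proxy settings in the policy instead.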

Linux Connector Commands


The Linux connector utilizes a command line interface rather than a graphical user interface (GUI) to interact with the connector.
You may need to perform some of the same actions on a Linux connector via command line as you would perform on a Windows
computer via the connector GUI. You will now go through how to force a policy sync, get the connector’s current status, and review
other command line options.

1. Open the PuTTY application on the Jumphost by double-clicking on the shortcut located on the desktop.

2. The Putty screen will now appear.

3. Enter the following values and click the Open button to connect to the Linux server:

a. Host name: 198.18.134.50

b. Port: 22

c. Connection type: SSH

4. When prompted for the user name and password, use the following values:

a. Login as: root

b. Password: C1sco12345

5. Run the command /opt/cisco/amp/bin/ampcli

6. The AMP for Endpoints Connector Command Line Interface displays in interactive mode.

7. Type help and press Enter. Notice there are several commands that roughly match to the functionality of the Windows
connector GUI.

8. Type status and press Enter.

9. You are shown the following data:

a. Status: Is the connector connected to the AMP cloud

b. Scan: Is a scan in process or is the connector ready for a scan

c. Last Scan: Time/date of the last on-demand or scheduled scan

d. Policy: What policy defined in the AMP for Endpoints console is controlling the settings for this connector

10. Type sync and press Enter. You have initiated a request for the agent to download its policy from the AMP cloud.

11. Type the command history list and press Enter. You are shown a list of local events for the connector. You may or may
not see similar events as shown below based on the activities on the connector. Review and proceed with the lab.

12. Type the command scan help and press Enter. Notice that you have the ability to start a flash, full, or custom scan. You
can also control a scan that is already running.

13. Type q and press Enter to exit the ampcli.

14. Run the command ls /var/log/cisco/ -lh

15. This is the location of the AMP connector log files. You can view the contents by running the command cat
/var/log/cisco/ampdaemon.log

a. Review the contents of the log files and proceed when done.

16. Close the Putty application

Policy Updates
You will now go through the process of manually updating the policy of an AMP for Endpoints connector. During your deployments
you may run into a situation where the connector is unable to download a needed policy update and must have the policy change
loaded manually in isolated cases. This could be due to agents being initially installed with an incorrect proxy configuration in the policy
settings, which would leave all agents installed with the incorrect settings unable to talk to the AMP cloud even if the correct settings
were applied later. The updated policy configuration with the correct proxy values could be manually applied, or the connector could
be uninstalled and reinstalled later with the correct settings. Additionally, there could be a machine that is currently offline for some
other reason that needs an urgent approval of a file or some other setting.

1. Ensure you are logged in to the AMP for Endpoints console on the Jumphost machine.

2. Click the Management menu and select the Policies menu item.

3. Expand the selection for the ABC - Windows Endpoints Audit policy by clicking the plus symbol.

4. Take note of the Serial Number value (your serial number value number will be different than that shown in the
screenshot) and click the Edit button.

5. Change the description of the policy by adding a period or other character to the end of the description field.

6. Click the Save button after making the description change.

7. Expand the entry for the ABC - Windows Endpoint Audit policy and review the Serial Number. Notice that it has
incremented.

8. Click the Download XML button.

9. The XML file is downloaded via Chrome to the Downloads folder and appears in the lower left corner of the browser
screen.

10. Click the up arrow to the right of the XML file download and select the Show in folder menu option.

11. The downloads folder appears with the XML policy file.

12. Right-click this file, and select Copy.

13. Navigate to O:\Setup Files directory and right-click, then select paste to place a copy of this file here. This is a mapped
network drive that will place the XML policy file on the WKST1 computer.

14. On the desktop of the Jumphost machine, double-click on the Remote Desktop Connection shortcut for the Wkst1
computer.

15. You should automatically be logged onto the Wkst1 machine. You can verify that you are logged into the Wkst1 machine
by looking at the top of the screen for the Remote Desktop Connection bar and the background of the desktop will show
the name of the machine currently logged into as shown below.

16. You will now stop the AMP for Endpoints Connector service.

17. Right-click the Start button in the lower left of the WKST1 desktop and select the Run menu item.

18. Type services.msc in the Open field and click the OK button.

19. The Services MMC console appears. Locate the Cisco AMP for Endpoints Connector <version> service, select the
service, and click the Stop (square) button at the top of the screen.

20. Open File Explorer and navigate to the Local Disk C:\Program files\Cisco\AMP directory.

21. Right-click on the policy.xml file in the directory and select the Edit with Notepad++ menu item.

22. Find the serial_number section in the file and note the value.

23. Briefly review the contents of the file. You can find information dealing with policy details, exclusions, proxy configuration,
and other configuration values.

24. Close Notepad++.

25. Navigate to the c:\Setup Files directory.

26. Rename the XML policy file you downloaded earlier by right-clicking on the file and choosing the Rename menu item.

27. Type policy.xml and press Enter to rename the file.

28. Copy the policy.xml file you just renamed and paste it to the Local Disk C:\Program Files\Cisco\AMP directory path.

29. When prompted to replace the file, choose the Replace the file in the destination option.

30. If prompted for Administrator access, select Continue. (If you are denied a second time, ensure that the service is
not running.)


31. Edit the policy.xml file with Notepad++ again and review the policy number.

32. Close Notepad++.

33. Using the Services MMC console, start the Cisco AMP for Endpoints Connector service by clicking the Start/Play
button on the top of the window (Green Arrow).


34. You will now verify the connector is able to connect to the AMP cloud after manually replacing its policy.xml file.

35. Click the notification area arrow in the bottom right of the screen next to the time/date to display the system tray icons.

36. Double-click on the Cisco AMP for Endpoints icon that looks like a blue circle with white lines on it.

37. The Cisco AMP for Endpoints connector UI appears, and the Status says Connected.

38. Close all open applications on WKST1.

39. Close the Remote Desktop connection to WKST1 and return to the Jumphost machine.

You have successfully updated a policy configuration file manually. While this is not a normal administrative task, there may be
special circumstances that prevent the connector from reaching the AMP cloud, and in those cases manually updating the policy
configuration can be very beneficial.
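Steps 16 to 33 above as one script, added here as an example and not part of the lab or the connector product: it compares the serial_number of the current and replacement policy files, stops the service, swaps the file with a backup, and starts the service again. The paths and the service display name come from the lab; the assumption that serial_number is a plain XML element, and the function names, are mine.

```powershell
# Added example (not part of the lab): manual policy.xml replacement as a script.
# Run from an elevated PowerShell session (step 30 needs Administrator access).
$AmpDir    = 'C:\Program Files\Cisco\AMP'   # connector directory from step 20
$PolicyXml = Join-Path $AmpDir 'policy.xml'

function Get-PolicySerialNumber {
    # Pull the serial_number value out of a policy file (null if not present).
    # Assumption: the value is stored as <serial_number>...</serial_number>.
    param([Parameter(Mandatory)][string]$Path)
    $text = Get-Content -LiteralPath $Path -Raw
    if ($text -match '<serial_number>\s*([^<]+?)\s*</serial_number>') { return $Matches[1] }
    return $null
}

function Update-AmpPolicyFile {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$NewPolicyPath)

    # Service display name from step 19 ("Cisco AMP for Endpoints Connector <version>").
    $svc = Get-Service -DisplayName 'Cisco AMP for Endpoints Connector*' | Select-Object -First 1
    if (-not $svc) { throw 'Cisco AMP for Endpoints Connector service not found' }

    # Step 22 / step 31: note the serial number before and after the swap.
    $oldSerial = Get-PolicySerialNumber -Path $PolicyXml
    $newSerial = Get-PolicySerialNumber -Path $NewPolicyPath
    Write-Host "serial_number: current=$oldSerial new=$newSerial"

    if (-not $PSCmdlet.ShouldProcess($PolicyXml, "Replace with $NewPolicyPath")) { return }

    # The file cannot be replaced while the connector is running (step 30), so stop it first.
    Stop-Service -Name $svc.Name
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

    # Keep the previous policy so the change can be rolled back if the connector fails to connect.
    Copy-Item -LiteralPath $PolicyXml -Destination "$PolicyXml.bak" -Force
    Copy-Item -LiteralPath $NewPolicyPath -Destination $PolicyXml -Force

    # Step 33: start the service again and report its state.
    Start-Service -Name $svc.Name
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
    Get-Service -Name $svc.Name | Select-Object Name, Status
}

# -WhatIf only reports what would happen; drop it to perform the replacement.
Update-AmpPolicyFile -NewPolicyPath 'C:\Setup Files\policy.xml' -WhatIf
```

After the service is running again, the connector UI should show Status: Connected as in step 37; if it does not, restore the .bak copy the same way.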


Performance
There are some applications that perform intensive reads and writes to the disk subsystem or perform a high number of process
launches. These applications can potentially cause AMP for Endpoints to use higher amounts of the computer’s resources as it
tries to scan the file writes and process executions. It can be beneficial to performance if certain data file locations are excluded
from the connector scanning that activity. Application support teams rarely have the detailed technical knowledge of how their
application functions or where data is actually being written in order to give you paths that would benefit from exclusions.
Determining what processes are performing read/write operations and in what paths is important so that appropriate exclusions
can be written to reduce performance impact on highly utilized systems. You will now troubleshoot the performance of a
database server in the customer environment.

Database Server

Your customer has received reports from an application support group that since the AMP for Endpoints connector was installed on
the machine, the application performance has suffered. They have agreed to assist you with reproducing the application behavior
that is negatively affected. You have been given a database script to run that reproduces the application behavior. You will now
utilize the Microsoft utility, Process Monitor, to determine what processes and paths are involved in data writes with the goal of
determining what exclusions should be written to help reduce the performance impact of the AMP for Endpoints connector on this
highly utilized server.

1. On the desktop of the Jumphost machine, double-click on the Remote Desktop Connection shortcut for the Server1
computer.

2. You should automatically be logged onto the Server1 machine. You can verify that you are logged into the Server1
machine by looking at the top of the screen for the Remote Desktop Connection bar and the background of the desktop
will show the name of the machine currently logged into as shown below.

3. Close any open windows/applications currently open on Server1.

4. Open the Process Monitor application by double-clicking on the Process Monitor shortcut on the desktop of Server1.

5. If you are prompted with a list of filter options, click the OK button to accept the defaults and proceed.

6. The Process Monitor window appears and begins to capture data.

7. Click the registry button at the top of the screen to disable monitoring of registry activity. It should no longer have a
highlighted box around it after disabling it. (Left-most icon in the image below)

8. Leave the Process Monitor window running. Minimize the window to see the desktop of the Server1 machine.

9. Open the SSMS console by double-clicking on the Microsoft SQL Server Management Studio 17 shortcut on the
desktop.


10. When prompted to connect to the SQL server, accept the default values as shown below and click the Connect button.


11. Expand the Databases folder by clicking the plus symbol in the Object Explorer pane on the left of the window.

12. Click to highlight the Weisshaupt database.

13. Once the Weisshaupt database has been highlighted, click the File menu, click Open, and select File.


14. Navigate to the Local Disk C:\Setup Files directory, select the SqlQuery.sql file, and click the Open button.

15. The SQL query is loaded into the console. Click the Execute button to run the query.

16. The query may take several minutes to complete. You should see the status message of Executing query in the lower
left of the screen.

17. When the query has finished you will see a status message stating the Query has finished successfully.

18. Return to the Process Monitor application that is already running.

19. Stop the capture process by clicking the Capture button (magnifying glass icon at the top left of the Process Monitor
window).

20. Once the capture process has stopped you should see a red X over the magnifying glass icon. This symbolizes no data
being captured.

21. Briefly review the data on the Process Monitor screen. You will see detailed information for all file, process, and
network activity. Attempt to find entries related to SQL Server (sqlservr.exe).

22. Click the Tools menu and select the File Summary menu item.


23. It may take several minutes for the summary to be generated. All file events monitored by the Process Monitor application
are now being analyzed. Wait until summary processing has completed before proceeding.


24. The File Summary screen appears showing how many instances there were of specific types of file behavior per file path
during the monitored time period.

25. Click on the Write Bytes column header to sort the entries by the amount of data written.

26. Notice that there are several entries for database related files as indicated by the MDF and LDF extensions.

a. Feel free to maximize the application and change column sizes within the application so you can see the data
necessary.

27. Click on the Writes column header to sort the entries by the amount of file write operations observed. You may see
entries related to the SQL Server Management Studio application and the database files that are in the path containing
Microsoft SQL Server.


Note: Your data will not exactly match the screenshots in the lab document, due to various factors. You should see data
relating to the MDF and LDF files generating large numbers of writes, bytes written, etc. If you do not see these entries, please
verify your lab steps.

28. Double-click the entry containing the Weishaupt.mdf file in the File Summary window. Leave the File Summary window
open while you perform the next few steps.

29. Return to the Process Monitor window. The data in the Process Monitor window is filtered to show activity for the path
you just selected from the File Summary window. You can see the process name is sqlservr.exe.

a. Resize this window as necessary.

30. Double-click on one of the entries in the Process Monitor window for sqlservr.exe.

31. The Event Properties window appears. Click on the Process tab.

32. The process details appear for the process that was writing the database files. You now see the path to the process that
was writing data.


33. Close the Event Properties window.

34. Return to the File Summary window.

35. You can also view the file summary data by extension. Click the By Extension tab at the top of the window and sort by
writes.

Note: File writes initiated by applications can cause AMP for Endpoints to initiate a scan of the new or modified files. Applications
such as databases or similar apps that write large amounts of data can potentially run into a performance issue due to the
scanning of the data files being written. Using a tool such as Process Monitor to determine the path can be helpful in resolving
performance issues.

a. You have been able to determine that SQL database files (MDF and LDF files in the list) have had a large
amount of data and a large number of write operations to the “C:\Program Files\Microsoft SQL
Server\MSSQL14.MSSQLSERVER\MSSQL\DATA\” folder.

b. You have also been able to determine that the process performing the file writes is “C:\Program
Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqlservr.exe”.

c. With these pieces of information, you are now able to create the exclusions required for this type of system to
prevent AMP for Endpoints from scanning the database files and the database server process, improving the
server’s performance.
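The File Summary analysis from steps 22 to 35 can also be done from a Process Monitor CSV export (File > Save..., CSV format), which is useful on a server where the GUI is not convenient. This is an added example, not part of the lab or of Process Monitor; the rows below are constructed sample data laid out in Procmon's default CSV columns, and the function names are mine.

```powershell
# Added example (not part of the lab): rebuild Process Monitor's File Summary
# (Writes and Write Bytes per path, per extension, or per process) from a CSV export,
# so the paths and processes that would benefit from exclusions can be listed.
# Constructed sample rows in Procmon's CSV layout; a real export would be read with
#   $events = Import-Csv -Path .\Logfile.CSV
$ProcmonCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:01:02.1001","sqlservr.exe","1844","WriteFile","C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\DATA\Weisshaupt.mdf","SUCCESS","Offset: 0, Length: 8,192, Priority: Normal"
"9:01:02.1002","sqlservr.exe","1844","WriteFile","C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\DATA\Weisshaupt.mdf","SUCCESS","Offset: 8,192, Length: 65,536, Priority: Normal"
"9:01:02.1003","sqlservr.exe","1844","WriteFile","C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\DATA\Weisshaupt_log.ldf","SUCCESS","Offset: 0, Length: 4,096"
"9:01:02.1004","sqlservr.exe","1844","ReadFile","C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\DATA\Weisshaupt.mdf","SUCCESS","Offset: 0, Length: 8,192"
"9:01:02.1005","Ssms.exe","2210","WriteFile","C:\Users\Administrator\AppData\Local\Temp\tmp1.txt","SUCCESS","Offset: 0, Length: 512"
"9:01:02.1006","sqlservr.exe","1844","WriteFile","C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\DATA\Weisshaupt.mdf","ACCESS DENIED",""
'@
$events = $ProcmonCsv | ConvertFrom-Csv

function Get-WriteEvents {
    # Keep only successful WriteFile operations and pull the byte count out of the Detail column
    # ("Length: 65,536" -> 65536). Reads and failed writes are not what the scanner reacts to.
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        if ($e.Operation -ne 'WriteFile' -or $e.Result -ne 'SUCCESS') { continue }
        $bytes = 0L
        if ($e.Detail -match 'Length:\s*([\d,]+)') { $bytes = [int64]($Matches[1] -replace ',', '') }
        [pscustomobject]@{
            Process   = $e.'Process Name'
            Path      = $e.Path
            Extension = [IO.Path]::GetExtension($e.Path).ToLowerInvariant()
            Bytes     = $bytes
        }
    }
}

function Get-FileSummary {
    # Equivalent of the File Summary tabs: group by Path (step 24), Extension (step 35)
    # or Process, and sort by Write Bytes as in step 25.
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [ValidateSet('Path', 'Extension', 'Process')][string]$GroupBy = 'Path'
    )
    Get-WriteEvents -Events $Events |
        Group-Object -Property $GroupBy |
        ForEach-Object {
            [pscustomobject]@{
                Name       = $_.Name
                Processes  = ($_.Group.Process | Sort-Object -Unique) -join ', '
                Writes     = $_.Count
                WriteBytes = ($_.Group | Measure-Object -Property Bytes -Sum).Sum
            }
        } |
        Sort-Object -Property WriteBytes -Descending
}

# "By Path" view, then the "By Extension" view used in step 35.
Get-FileSummary -Events $events | Format-Table -AutoSize
Get-FileSummary -Events $events -GroupBy Extension | Format-Table -AutoSize
```

The top rows of the path view give the DATA folder and the extension view gives .mdf/.ldf, which together with the Processes column (sqlservr.exe) are the three facts the exclusion set in this lab is built from.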

36. Close the Process Monitor application.

37. Close the SQL Server Management Studio application.

38. You will now review the current exclusions being applied to Server1.

39. Open the AMP for Endpoints user interface on Server1 by double-clicking on the system tray icon.


40. Click the Settings button.


41. The Settings screen appears. Scroll down until the Protection Exclusions section appears.

a. Briefly review the different exclusion categories. Depending on the settings you configured earlier in the lab for
exclusions, the exclusions for SQL data files and processes may not appear. You could also check the exclusion
settings in the AMP for Endpoints console by going to Management and then Exclusions.

42. Close the AMP for Endpoints UI on Server1.

43. Close the Remote Desktop Connection to Server1 and return to the Jumphost machine.

44. You will now add the exclusions necessary to prevent the AMP4E connector from scanning the database server paths.

45. Ensure you are logged into the AMP for Endpoints Console.

46. Select the Management menu and select the Exclusions menu item.


47. Click the + New Exclusion Set button.

48. Select Windows and click Create.

49. Click the Trash Can icon next to every automatically added Exclusion in the new list until no entries remain.

50. You should now have a completely empty Exclusion set.

51. Enter a name of ABC – SQL Exclusions.

52. Click the + Add Multiple Exclusions button.

53. Enter the following exclusions. Make sure you only have a single entry per line.

a. .mdf

b. .ldf

c. *\Microsoft SQL Server\MSSQL*.MSSQLSERVER\MSSQL\Binn\sqlservr.exe

54. Click the Add Exclusions button. You should be presented with the 3 exclusions.

55. Click Save.

Note: Wildcards can be useful if entered carefully. Entering exact drive letter paths runs the risk of not matching a process if
the application is installed to a different drive letter or directory. Applications that have several versions that use a version
number in the data file path (such as SQL Server) can also benefit from wildcards to have one exclusion work across multiple
versions as shown above. The above exclusion will work for any version of SQL Server on any drive letter whether it is in the
Program Files or Program Files (x86) or any other root directory that follows the standard SQL naming convention.

56. We now need to add this Exclusion set to our Server policies.

57. Click Management > Policies.

58. Expand the ABC – Windows Server Audit policy and click the Edit button.

59. Click the Exclusions menu, then the Exclusions dropdown menu, then select the ABC – SQL Exclusions list
checkbox to add it.


60. Click Save.

61. Expand the ABC – Windows Server Protect policy and click the Edit button.

62. Click the Exclusions menu, then the Exclusions dropdown menu, then select the ABC – SQL Exclusions list
checkbox to add it.

63. Click Save.

64. Return to the Server1 remote desktop connection.

65. Open the AMP Client UI, go to Settings, and click Sync Policy.

66. Scroll down to the Protection Exclusions Section in the Client UI.

67. Notice the File Extensions for LDF and MDF have been added as well as the Wildcard Exclusion for the sqlservr.exe
process.


68. Close the Client UI.

69. Close the Server1 remote session.

It is important to give a high priority to potential performance issues raised by your customer. If the issue is not determined quickly
then the deployment of AMP for Endpoints could be delayed or brought to a halt. Using tools such as Process Monitor can assist in
showing where the data is being written. This in turn shows some potential exclusion paths for the highly active files and
processes. It can be beneficial to proactively do some performance testing on customer endpoints to determine if any data file
paths may need to be excluded.

Keep in mind that AMP is not protecting the paths that are excluded. Care should be taken when specifying exclusions or the
security that AMP for Endpoints provides can be rendered ineffective.


Scenario 16. Uninstallation

During the course of an implementation you may find the need to remove the AMP for Endpoints connector from customer
machines. This may be due to a pilot group that needs to be decommissioned, a proof of value where the AMP for Endpoints
cloud console has expired or will expire soon, or a troubleshooting scenario where it needs to be determined whether the AMP
for Endpoints connector is causing an issue.

Windows Command Line Uninstall


There may be a requirement from the customer to be able to remove the connector via software distribution solutions or scripted
uninstall. There may be a need to silently uninstall the connector software for troubleshooting purposes or due to a pilot group/trial
that has ended. You will now go through the process of uninstalling the connector using a silent command line operation that can
be used for scripting.

1. On the desktop of the Jumphost machine, double-click on the Remote Desktop Connection shortcut for the Server1
computer.

2. You should automatically be logged onto the Server1 machine. You can verify that you are logged into the Server1
machine by looking at the top of the screen for the Remote Desktop Connection bar and the background of the desktop
will show the name of the machine currently logged into as shown below.

3. Right-click on the Start button in the lower left corner of the screen and select the Command Prompt (Admin) item.

4. You will determine the path to the uninstallation executable file by looking in the registry.

Note: This registry path can be used by a customer’s software deployment team for inventory purposes (determining if a machine
has the AMP for Endpoints Connector installed or what version is installed for upgrades) as well as scripting an uninstall if needed.


5. Type the command regedit and hit Enter.


6. Navigate to the following key of the registry and review the entries. Specifically take note of the QuietUninstallString
value that contains the path to the uninstall.exe file.

a. HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Immunet Protect

Note: Your values may be different depending on the version of the connector in use at the time of your lab. Please change the
values shown based on version number if needed.

7. Return to the Command Prompt window and type the following command (for your installed connector version) then press
Enter:

a. "C:\Program Files\Cisco\AMP\6.1.7\uninstall.exe" /S /remove 1

b. The uninstall process does not display any windows based on the silent (/S) command line parameter and will
clean up all related files after a reboot based on the /remove 1 parameter.
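The inventory and scripted-uninstall use of this registry key mentioned in the note above, written out as an added example that is not part of the lab or of the connector. The key path, the QuietUninstallString value name, the /S /remove 1 switches, the service display name and the install log path are taken from the lab; the function names and the assumption that QuietUninstallString starts with the (possibly quoted) uninstall.exe path are mine.

```powershell
# Added example (not part of the lab): inventory check and silent uninstall driven by
# the registry key reviewed in step 6, so the version folder (e.g. 6.1.7) is never hard-coded.
# Run from an elevated PowerShell session.
$ConnectorKey = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Immunet Protect'
$InstallLog   = 'C:\ProgramData\Cisco\AMP\immpro_install.log'   # reviewed in step 9

function Get-AmpConnectorInfo {
    # Inventory: returns $null when the key is absent, i.e. the connector is not installed.
    if (-not (Test-Path -LiteralPath $ConnectorKey)) { return $null }
    $p = Get-ItemProperty -LiteralPath $ConnectorKey
    [pscustomobject]@{
        DisplayName          = $p.DisplayName
        DisplayVersion       = $p.DisplayVersion
        QuietUninstallString = $p.QuietUninstallString
    }
}

function Get-UninstallExePath {
    # Extract the quoted or unquoted uninstall.exe path from an uninstall string
    # (assumption: the string begins with that path, as the lab's step 6 describes).
    param([Parameter(Mandatory)][string]$UninstallString)
    if ($UninstallString -match '^\s*"?(?<exe>[^"]*?uninstall\.exe)"?') { return $Matches.exe }
    throw "Unrecognized uninstall string: $UninstallString"
}

function Uninstall-AmpConnector {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $info = Get-AmpConnectorInfo
    if (-not $info) { Write-Warning 'AMP for Endpoints connector is not installed'; return }
    $exe = Get-UninstallExePath -UninstallString $info.QuietUninstallString
    $target = "$($info.DisplayName) $($info.DisplayVersion)"
    if (-not $PSCmdlet.ShouldProcess($target, "Silent uninstall via $exe")) { return }

    # /S = silent, /remove 1 = clean up the remaining files after a reboot (step 7b).
    $proc = Start-Process -FilePath $exe -ArgumentList '/S', '/remove', '1' -Wait -PassThru

    # Verify as in step 12: the connector service must no longer exist.
    $svc = Get-Service -DisplayName 'Cisco AMP for Endpoints Connector*' -ErrorAction SilentlyContinue
    $logTail = if (Test-Path -LiteralPath $InstallLog) { Get-Content -LiteralPath $InstallLog -Tail 20 } else { $null }
    [pscustomobject]@{
        ExitCode       = $proc.ExitCode
        ServiceRemoved = ($null -eq $svc)
        LogTail        = $logTail
    }
}

Get-AmpConnectorInfo | Format-List
# -WhatIf only reports what would run; drop it to actually uninstall.
Uninstall-AmpConnector -WhatIf
```

When ServiceRemoved is false, the log tail is the same data step 9 has you read by hand; the removal retries several times, so a failure line followed by success is normal.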

8. Open File Explorer and navigate to the C:\ProgramData\Cisco\AMP directory (the directory is hidden, you may need to
type the path in the address bar of File Explorer).

9. Double-click on the immpro_install.log file and briefly review the contents. Find the start of the uninstall process and
where the service was successfully uninstalled (the removal process tries several times, so you may see a failure; this is
normal).


10. Close the log file.

11. Return to the Command Prompt window, type the command services.msc, and press Enter.

12. In the Services window, ensure the Cisco AMP for Endpoints Connector service no longer appears. If the service is still in
the list, the uninstall did not complete successfully; start at the beginning of the procedure and try again, or review the log
data for further details.

13. Close the Remote Desktop Connection to Server1 and return to the Jumphost machine.

You have successfully uninstalled the connector via the command line. You will now enable the connector protection feature and
observe the difference when uninstalling the connector.


Connector Protection
Connector Protection can prevent unauthorized users from removing the connector from endpoints. When implementing an
endpoint security product, it is undesirable to have end users remove the security product and potentially enable them to violate
the customer’s IT policy standards. Enabling connector protection can help ensure that once the AMP for Endpoints connector is
deployed, it remains deployed.

1. Ensure you are logged in to the AMP for Endpoints console from the Jumphost machine.

2. Click the Management menu and select the Policies menu item.

3. Expand the entry for the ABC - Windows Endpoint Protect policy by clicking the plus symbol.

4. Click the Edit button.

5. When the Edit Policy screen appears, click the Advanced Settings menu on the bottom left.


6. Ensure the Administrative Features sub-menu is selected.

7. Place a checkmark in the Enable Connector Protection option.

8. In the Connector Protection Password field enter C1sco12345 as the password and click the Save button.

9. Perform the same steps shown previously to enable Connector Protection for the ABC - Windows Endpoint Audit
policy with the same password before continuing.

a. Once Connector Protection has been enabled for the two policies you may proceed with the lab.

10. On the desktop of the Jumphost machine, double-click on the Remote Desktop Connection shortcut for the Wkst2
computer.

11. You should automatically be logged onto the Wkst2 machine. You can verify that you are logged into the Wkst2 machine
by looking at the top of the screen for the Remote Desktop Connection bar and the background of the desktop will show
the name of the machine currently logged into as shown below.

12. Open the AMP for Endpoints user interface on the WKST2 machine.

13. Click the Settings button.

14. Click the Sync Policy button.

15. Click OK on any messages that appear after the policy update.


16. You will now test the Connector Protection feature to see how it interacts with attempts to stop the connector service and
perform uninstalls.

17. Right-click the Start button in the lower left of the WKST2 desktop and select the Run menu item.

18. Type services.msc in the Open field and click the OK button.

19. The Services MMC console appears. Locate the Cisco AMP for Endpoints Connector <version> service, select the
service, and click the Stop button at the top of the screen.

a. The service does not stop. Attempting to change the service configuration in any way is prevented. Leave the
Services console open.

20. Open the AMP for Endpoints user interface and click the Settings button.

21. Scroll down until you see the Cisco AMP Connector Settings section and expand that section.


22. Click the Stop Service button.

23. You receive an error stating the password entered does not match the password in the policy configuration. Click the OK
button.

24. In the Password field, type C1sco12345 and click the Stop Service button.

25. The service stops, and you are notified that to start it again you must use the Windows Service Control Manager.

26. Return to the Services console window. Refresh the current service list by clicking Action and then Refresh. You will
see that the Cisco AMP for Endpoints service is not shown as Running.


27. Select the Cisco AMP for Endpoints service and click the Start button (green triangle) at the top of the screen.

28. It will now state that the Service is Running.

29. Close the Services console.

30. Close the AMP for Endpoints user interface.

31. You have verified the Connector Protection functionality for the service. Now you will proceed with the uninstall.

32. Click the Start button in the lower left corner of the screen on the WKST2 machine.

33. Click the Settings icon (gear).

34. When the Windows Settings window appears, click the System icon.

35. Click the Apps & Features icon.

36. Select the Cisco AMP for Endpoints Connector entry and click the Uninstall button.

37. Click the Uninstall button.

38. If prompted by User Account Control, click the Yes button.

39. When the uninstall window appears click the Next button.

40. You are now prompted for the Uninstall password. Enter the value C1sco12345 that you configured in the policy earlier
and click the Uninstall button.


41. The uninstall has completed successfully. Click the Close button.

42. Click the No button.

43. When prompted to reboot, click the Yes button.

44. The WKST2 machine will reboot and the Remote Desktop connection will close, returning you to the Jumphost machine.


You have successfully gone through the uninstallation process on a Windows connector with connector protection as well
as a connector without connector protection. You will now perform an uninstall on a Linux connector.


Linux Uninstall
1. You will now connect to the CentOS Linux server to perform an uninstallation.

2. Open the PuTTY application on the Jumphost by double clicking on the shortcut located on the desktop.

3. The PuTTY window appears.

4. Enter the following values and click the Open button to connect to the Linux server.

a. Host name: 198.18.134.50

b. Port: 22

c. Connection type: SSH


5. When prompted for the user name and password, use the following values.

a. Login as: root

b. Password: C1sco12345

6. To uninstall the AMP for Endpoints Connector, run the command: sudo yum remove ciscoampconnector -y

7. You should receive a message stating the removal is complete. Notice that the removal does leave some files behind and
the command to remove the leftover data is given on the screen.


8. Run the following command to remove all connector data: /opt/cisco/amp/bin/purge_amp_local_data

9. Close the SSH window and return to the AMP for Endpoints Console.

You have successfully uninstalled the Linux connector. You will now proceed in the labs to go through the connector upgrade
process.


Scenario 17. Upgrades

Cisco will release new connector software versions on a regular basis as new features are developed or when issues are
discovered that require patches to be created. You will now go through the process of upgrading connectors from the Cisco
AMP for Endpoints console as well as from a command line that can be used by customer software deployment solutions (SCCM,
BigFix, etc.).

Upgrades can be enabled at a policy level in the console. This will cause all machines attached to that policy to begin the upgrade
process. Upgrades can also be initiated from the customer environment using a software deployment solution such as Microsoft
SCCM or IBM BigFix using a silent command line. A software deployment solution can give customers more control over which
computers receive the upgrade during certain time schedules and control reboot behavior.

In the lab you will configure the default connector version. This step is required to install an older version connector in order to be
able to upgrade. In a customer environment, changing the default connector version to an older version is not a normal step but
can be useful for troubleshooting if it is believed that there is a compatibility issue with a specific new connector version.
Additionally, if a customer has standardized on a specific connector version and Cisco releases a new connector version, setting
the default version can allow the customer to continue their deployment on the version they have already approved and
standardized.

Note: Please only make the specified changes in this section exactly as directed. Making changes that are not explicitly defined
in the lab document can render the lab unusable. Please follow the instructions explicitly in this section.

Lab Configuration for Upgrade


Changes must be made to the console configuration to allow you to download an older version in order to perform an upgrade.
Over time in a production deployment there would be machines that would need upgrades on their own as new versions were
released by Cisco.

1. Ensure you are logged in to the AMP for Endpoints console on the Jumphost machine.

2. Click the Accounts menu and select the Business menu item.

3. The Business settings page appears. Notice that there is a section for Default Product Versions and the current setting
is Latest.

4. Click the Edit button in the upper right-hand corner of the page.


5. Locate the Windows section on the page.

6. Click the drop-down menu for the Default Connector Version and change the value to 6.0.9.10685 (Or another version
that is older than the most recent version listed. You must select a version lower than the highest version listed in the
menu or you will not be able to upgrade).

7. Click the Update button after changing the Default Connector Version.

8. Verify that the Default Product Versions section has updated to the value you selected.

9. You will now install the older connector version on WKST3 and WKST2 in order to be able to go through the upgrade
process within this lab.

10. Click the Management menu and select the Download Connector menu item.


11. Click the drop-down menu for Group and select the ABC - Windows Compliance Protect group.

12. Click the Show URL button in the Windows section of the page.

13. Click the Copy URL button.

14. You will now connect to the WKST2 machine to download and install the older version connector.


15. On the desktop of the Jumphost machine, double-click on the Remote Desktop Connection shortcut for the Wkst2
computer.


16. You should automatically be logged onto the Wkst2 machine. You can verify that you are logged into the Wkst2 machine
by looking at the top of the screen for the Remote Desktop Connection bar and the background of the desktop will show
the name of the machine currently logged into as shown below.

17. Open the Chrome web browser by double-clicking the shortcut on the desktop of the Wkst2 machine.

18. Paste the Connector Download URL copied earlier from the AMP for Endpoints Console into the address bar of
the browser and press the Enter key.

19. The setup file will begin to download. Once the file has downloaded you should see it appear in the lower left corner of the
Chrome browser.

20. Click on the downloaded file ABC_-_Windows_Compliance_Protect_FireAMPSetup.exe in the lower left of the
browser to launch the setup process.


21. Complete the installation process for the older version connector.

22. Once the setup has completed, close the Remote Desktop connection to WKST2.
23. On the desktop of the Jumphost machine, double-click on the Remote Desktop Connection shortcut for the Wkst3
computer.

24. You should automatically be logged onto the Wkst3 machine. You can verify this by looking for the Remote Desktop
Connection bar at the top of the screen; the desktop background shows the name of the machine you are logged into, as
shown below.

25. Open the Chrome web browser by double-clicking the shortcut on the desktop of the WKST3 machine.

26. Paste the Connector Download URL copied earlier from the AMP for Endpoints Console into the address bar of
the browser and press the Enter key.

27. The setup file will begin to download. Once the file has downloaded you should see it appear in the lower left corner of the
Chrome browser.

28. Click on the downloaded file ABC_-_Windows_Compliance_Protect_FireAMPSetup.exe in the lower left of the
browser to launch the setup process.

29. Complete the installation process for the older version connector.

30. Close the Remote Desktop Connection to the WKST3 machine.

31. Return to the AMP for Endpoints console on the Jumphost machine.

32. Click Management > Computers

33. Verify that the WKST2 and WKST3 machines appear in the list. Expand each entry and note the Connector Version of
each.

a. Please note, due to how we are rapidly moving through the lab at this point, you may see some entries for
uninstalled computers that have not yet been flushed from the system. This is ok.

34. You will now change the configuration of the console to choose the latest version of the connector in the Business
settings page so that you will be able to download the newer connector to perform an automated upgrade.

35. Click the Accounts menu and select the Business menu item.

36. Click the Edit button in the upper right-hand corner of the Business screen.

37. Locate the Windows section on the page.

38. Click the drop-down menu for the Default Connector Version and change the value to Latest.

39. Click the Update button after changing the Default Connector Version.

40. Verify that the Default Product Versions section has updated to Latest.

Automated Local Connector Upgrade


You will now test the automated silent upgrade process on a system with an older connector installed. Once you have a
working silent command line, the process can be turned over to your customer’s software deployment team for packaging and
roll out.

1. You will now download the latest connector version onto the WKST2 machine. Do not launch the setup file when it is
finished downloading. Wait until instructed to do so in the lab.

2. Click the Management menu and select the Download Connector menu item.

3. Click the drop-down menu for Group and select the ABC - Windows Compliance Protect group.

4. Click the Show URL button.

5. Click the Copy URL button.

6. You will now connect to the WKST2 machine and download the newer connector version.

7. On the desktop of the Jumphost machine, double-click on the Remote Desktop Connection shortcut for the Wkst2
computer.

8. You should automatically be logged onto the Wkst2 machine. You can verify this by looking for the Remote Desktop
Connection bar at the top of the screen; the desktop background shows the name of the machine you are logged into, as
shown below.

9. Close any open windows on WKST2.

10. Open File Explorer and navigate to the Downloads folder.

11. Delete all files in the Downloads folder on WKST2.

12. Open the Chrome web browser by double-clicking the shortcut on the desktop of the Wkst2 machine.

13. Paste the Connector Download URL copied earlier from the AMP for Endpoints Console into the address bar of
the browser and press the Enter key.

14. The setup file will begin to download. Once the file has downloaded you should see it appear in the lower left corner of the
Chrome browser. Do NOT launch the file at this time.

15. Open an administrative command prompt window by Right-Clicking the Start button and selecting the Command
Prompt (Admin) menu item. Click Yes.

16. Type the command cd \Users\admin\Downloads and press Enter.

17. Type the command ABC_-_Windows_Compliance_Protect_FireAMPSetup.exe /S and press Enter.

18. Wait until the command prompt has finished running the previous command. There will be no visual indicators of the
success or failure.

a. You can choose to review the installation log located at “C:\ProgramData\Cisco\AMP\immpro_install.log” and
view the status of the Cisco AMP for Endpoints Connector service in the Services console. We will check the
Services console.

i. Right-Click the Start button and select Run

ii. Type services.msc and click OK

iii. Locate Cisco AMP for Endpoints in the Services list (it will not be running). You may continue once this
entry is in the list

19. Return to the command prompt and reboot the WKST2 machine by typing the command shutdown /r /f and pressing
Enter.

20. The WKST2 machine reboots.

21. It may take several minutes for the machine to restart.

22. Wait until the WKST2 machine has rebooted and then reconnect via Remote Desktop. If you are unable to connect to the
machine after the reboot, please allow additional time and then try again.

23. Open the AMP for Endpoints user interface on the WKST2 machine and click on the About link on the main screen.
Notice that the version is now updated.

24. Close the Remote Desktop connection to WKST2.

25. Ensure you are logged into the AMP for Endpoints console on the Jumphost machine.

26. Click the Management menu and select the Computers menu item.

27. Click the plus symbol on the entry for the WKST2 computer to expand its section. Notice the Connector Version has
updated.

28. Click the Events link.

You have successfully upgraded the connector software by using a silent command line. This process can be turned over to
the customer software distribution team to roll out through a solution such as Microsoft SCCM or IBM BigFix. The process is
very similar to the initial silent install of the connector.

Console Connector Upgrade


You will now perform an upgrade of a connector through the AMP for Endpoints console. This may be useful for certain
machines that are outside your customer’s corporate network or are not managed through their software deployment
solutions.

1. Click the Management menu and select the Policies menu item.

2. Click the plus symbol to expand the entry for the ABC - Windows Endpoint Protect policy.

3. Click the Edit button.

4. The policy settings appear. Click the Product Updates link.

5. The Product Updates page appears with the default settings.

6. On the Product Updates page, configure the following settings:

a. Product Version: (Choose the highest version available in your console at the time of the lab)

b. Date Range:
i. Choose the current date of the lab machine for the start date

ii. Choose the following calendar day as the end date (keep in mind that the lab machine is in the UTC
time zone).

c. Update Interval: 30 minutes

d. Reboot: Force reboot after

e. Reboot delay: 2 minutes

7. Click the Details button that shows more information on the computers that need reboots. It shows the version and
number of machines that require reboots with a link to view the specific computers if desired. Click OK.

8. Be sure to return to the Policy edit page if you navigated away while reviewing the reboot Details.

9. Click the Save button.

10. On the desktop of the Jumphost machine, double-click on the Remote Desktop Connection shortcut for the Wkst3
computer.

11. You should automatically be logged onto the Wkst3 machine. You can verify this by looking for the Remote Desktop
Connection bar at the top of the screen; the desktop background shows the name of the machine you are logged into, as
shown below.

12. The connector will automatically perform its upgrade from the console over time. However, we will force the connector to
check in with the update server now so that the communication happens immediately.

13. Click the notification area arrow in the bottom right of the screen next to the time/date to display the system tray icons.

14. Double-click on the Cisco AMP for Endpoints icon that looks like a blue circle with white lines on it.

15. The Cisco AMP for Endpoints connector UI appears. Click the About link. Notice the agent version is the older version
you installed earlier.

16. Click the Settings button.

17. The Settings page appears. Click the Sync Policy button.

18. You are notified that the policy has been successfully updated. Click the OK button and close the settings menu.

19. The upgrade will begin in the background shortly (if it doesn’t seem to proceed, force a second Sync). Once the upgrade
is completed, you will receive a notification that the machine will be restarted.

20. Return to the AMP for Endpoints console on the Jumphost machine.

21. Click the Analysis menu and select the Events menu item.

22. Monitor the events coming in from the WKST3 machine. It may take a little time for these events to display. Be patient, or
review the images below, and continue with the lab. Notice the upgrade process starts with the “started a product
update” event and ends with the “completed a product update” event.

23. You may need to wait several minutes for the “completed a product update” event to appear. You can verify locally on the
WKST3 machine if desired and proceed with the lab without waiting on the event.

You have successfully upgraded connectors through the AMP for Endpoints console as well as through a silent automated setup
process. Both of these methods have their advantages and disadvantages. Silent installs executed by a customer solution can give
more control and granularity to deployment but may require involvement by many other resources at the customer and take a long
time to test and actually deploy due to non-technical issues. Console-based upgrades do not offer much granularity (they target all
machines inside a policy) and can potentially cause production outages if reboots are not disabled, but they allow you to manage the
upgrade with no prerequisites other than Internet connectivity. Work with your customer to discuss which strategy will work
best for the current situation and whether there may be instances where both options can be helpful.

Scenario 18. Operations


You will now ensure that you are familiar with the Operations features the AMP for Endpoints console has included that are related
to implementation tasks. You will create event filters that will allow you to easily view different categories of events and also
enable email notifications on important events through subscriptions (you will not be able to actually receive emails in the dCloud lab, so
no actual subscriptions will be created but you will review the process). You will review the Audit log to ensure you can determine
which administrators are making changes, and if an administrative change in the console is potentially related to an issue. You will
also review where the automated weekly report data in the console is located.

Alerts and Notifications


In order to ensure that you are aware of any incidents that could affect the implementation, you have decided to configure the
console to notify you of certain high priority events during the deployment. You will utilize events and filters to subscribe to
appropriate events so that you will be notified by the console via email. Saved filters can also be used to quickly look at events for
different groups of machines or certain types of events without having to configure the event filter every time you wish to see the
events.

1. Ensure that you are logged into the AMP for Endpoints console on the Jumphost machine.

2. Click the Analysis menu and select the Events menu item.

3. The events dashboard opens with no filters being applied, showing all events from all connectors.

4. You will create a filter to show only events from the servers in the deployment.

5. In the Group field, click the plus symbol, and select each of the following groups to add them to the group filter:

a. ABC - Windows Server Audit

b. ABC - Windows Server Protect

c. ABC - Linux Server Audit

d. ABC - Linux Server Protect

6. Click the Save Filter As button.

7. On the Save Filter window, type Server Events in the Name field, and click the Save button.

8. The filter is saved and appears in the filter drop-down in the top right corner.

9. Click the Not Subscribed button.

10. Notice the options that would allow you to receive email notifications through a subscription. Do NOT click any of the
options and actually create a subscription. Due to the lab architecture in dCloud, there is no way for you to receive any of
the email notifications that would result from the subscription.

11. Click the Reset button.

12. Begin to create a new event filter by clicking the plus symbol in the Group field.

13. Add the following groups to the filter:

a. ABC - Windows Compliance Audit

b. ABC - Windows Compliance Protect

c. ABC - Windows Endpoints Audit

d. ABC - Windows Endpoints Protect

14. Click the Save Filter As button.

15. On the Save Filter window, type Workstation Events in the Name field, and click the Save button.

16. The filter is saved and appears in the filter drop-down in the top right corner.

17. Click the Reset button.

18. You will now create an event filter to show only events related to connector health.

19. Click the plus symbol on the Event Type field that currently says All Event Types.

20. Add the following event types into the Event Type filter (You can scroll, or start to type the Event Name to find it):

a. Product Update Failed

b. Install Failure

c. Uninstall

d. Critical Fault Raised

21. Click the Save Filter As button.

22. On the Save Filter window, type Connector Health Events in the Name field, and click the Save button.

23. The filter is saved and appears in the filter drop-down in the top right corner.

24. Click the Reset button.

25. You will now create an event filter to show only events related to a general malware detection.

26. Click the plus symbol on the Event Type field that currently says All Event Types.

27. Add the following event types into the Event Type filter:

a. Threat Detected

b. Execution Blocked

c. Exploit Prevention

d. Threat Quarantined

Note: These are just sample event types. There are many different and more specific types of events related to malware in the
console. Select the events that are relevant to your deployment in a production environment.

28. Click the Save Filter As button.

29. On the Save Filter window, type Malware Threats in the Name field, and click the Save button.

30. The filter is saved and appears in the filter drop-down in the top right corner.

Note: Event filters are a way to easily view relevant data in a deployment without having to constantly make filter changes.
Judicious use of Subscriptions to get email alerts can be beneficial for alerting purposes as well.

Audit Log
It can be important to determine whether or not an administrative change was made at certain times during a deployment.

1. Click the Accounts menu and select the Audit Log menu item.

2. The Audit log displays with various filter options.

Note: You have the ability to show only changes initiated by a specific user account or connections coming from a specific IP or
CIDR range.

3. You will now change the Audit Log filters to show events related to Policy configuration changes.

4. Click the Type drop-down menu and select the Policy event type.

5. Click the Apply Filters button.

6. For individual events displayed, once expanded, all changes to policy configuration are shown along with the user
account that made the change, the IP address the user connected to the AMP for Endpoints console with, as well as the
specific values that were changed.

7. Briefly review the other event types that can be filtered in the Audit log and proceed with the lab.

Note: It may be necessary to investigate whether a change was made to a whitelist or a blocklist if a required file or network
address suddenly starts being blocked in a customer environment. Sudden unanticipated changes in behavior should be
investigated to see if an administrative change is involved.

Reporting
There are prebuilt weekly reports in the AMP for Endpoints console that you can choose to receive via email or access on demand
once they are generated. There are no options for editing the reports and they auto-generate for the previous Monday through
Sunday period. You will now review the data shown in the reports.

Note: You will not be enabling the email option for the weekly reports as email access for the user account you are using to
complete the labs is not available. Please do not enable the option to generate report emails. If you see the option enabled, please
disable it. Depending on the timing of the labs, you may not see data in the report simply due to the environment not being online
long enough.

1. Click the Analysis menu and select the Reports menu item.

2. The Reports page displays with a list of available reports to view.

3. Click on the most recent report entry.

4. The contents of the report appear (similar to below)

5. Review the data in the report. Ensure that you DO NOT enable email notifications for any of the reports due to the lab
architecture.

You have become familiar with the options in the console for email alerts, event filtering, audit logging, and the built-in weekly
reports. Utilizing these options effectively in your deployments can help you determine the root cause of issues in a more timely
manner and become aware of potential issues early on.

Scenario 19. API


The AMP for Endpoints API can be a great way to integrate AMP data and functions into other solutions. In this lab, we will
illustrate how to configure and access the API to retrieve data from the AMP for Endpoints API as well as make a substantial
change to AMP for Endpoints configuration.

Generating API Credentials


Prior to using the AMP for Endpoints API, you must generate the necessary credentials required for API Access.

1. Ensure that you are logged into the AMP for Endpoints console on the Jumphost machine.

2. Click the Accounts menu and select the API Credentials menu item.

3. Click the New API Credential button.

4. In the New API Credential window, enter the following values:

a. Application name: ABC API

b. Scope: Read & Write

c. Enable Command Line: Checked

5. Click the Create button.

6. The API credentials are generated. This is the only screen that will show the credentials. You will not be able to view
them again after leaving this screen. Leave this screen open, and do not navigate away from here within the console until
instructed.

a. If you lose these values, you will have to repeat this portion of the API lab to generate new credentials.

Configuring the Postman Environment for API Access


For the purposes of this lab scenario, we are going to assume that most participants are not full-time developers, and that in many
cases, our students may have very limited or even no experience in programming. In order to illustrate the capabilities of the API
without requiring specific programming knowledge, we will show you how to use a tool to access the API. We will now prepare our
tool, the Postman application, to access AMP for Endpoints using your generated API credentials.

1. Open the Postman application on the Jumphost machine by double-clicking on the Postman shortcut on the desktop.

2. When the Postman application opens, click Environment.

3. Do NOT update the Postman application if prompted.

4. We will now create a new Environment within Postman. This will allow us to easily access various API features later in the
lab.

5. Set the Environment Name as ABC AMP4E

6. Click in the Key column where it says New Key

7. Type ID

8. Open the AMP for Endpoints console (It should still be on the API Credentials page).

9. With your mouse, highlight the 3rd Party API Client ID value, and right-click Copy.

10. Return to the Postman application.

11. Click in the Value field associated with our ID key.

12. Press CTRL-v to paste our 3rd Party API Client ID here

13. Click on the New Key field just below our ID entry and type KEY

14. Open the AMP for Endpoints console (It should still be on the API Credentials page).

15. With your mouse, highlight the API Key value, and right-click Copy.

16. Return to the Postman application.

17. Click in the Value field associated with our KEY.

18. Press CTRL-v to paste our API Key here.

19. Once you have completed adding both your ID and KEY entries, click the Add button.

20. You should now see your Environment added to Postman.

21. Close the Manage Environments window by clicking the X button on the top right of the window.

22. Select the new ABC AMP4E Environment from the drop-down in the upper right corner of the application.

23. Once the environment is selected, you can continue with the lab.

Accessing the AMP for Endpoints API via GET Requests


We are now ready to access AMP for Endpoints data via the API. We will use Postman for this process.

1. Ensure you are in the Postman application with the ABC AMP4E environment selected.

2. You should see a New Tab with GET selected below it.

3. Click in the Enter request URL field:

a. Type the following: https://{{

b. At this point, you will receive a popup that allows you to select the Keys we defined within the currently selected
AMP4E Environment. Select ID by clicking on it in the popup window.

c. The GET request will complete your ‘variable’ selection as {{ID}} in the text field

d. Your cursor should be at the end of the line, continue by typing :{{ (Do not forget the colon)

e. Select KEY from the popup to autocomplete that variable selection in the text field and your cursor should be at
the end of the line.

f. Add the following to complete the GET request URL:

i. @api.amp.cisco.com/v1/computers

ii. We are using AMP for Endpoints accounts in the North America AMP Cloud for this lab. For production
installations elsewhere in the world, you may need to enter a different DNS name for API access.

4. Once the GET request looks like the above image, click the Send button.

5. Once completed, you will see the returned results at the bottom of the Postman application.

a. Scroll through the results. Notice that each Computer returned illustrates several pieces of information including:
Connector_guid, hostname, links to various AMP Console locations for this computer, internal/external IP, OS,
Policy, etc.

6. Let’s save this GET request in Postman so we can use it later if needed.

a. Click the Save button

b. Change the Request name to 1) AMP4E Computers

c. Click + Create Collection, then enter AMP4E Collection in the Name your collection text field

d. Click the Check Mark at the end of the new collection row

e. Click the Save to AMP4E Collection button

7. You are now presented with the AMP4E Collection. Notice the GET requested within the collection. Click the X in the
upper right corner of the collection to close the pop-over window.

8. We can now make another GET request. This time, we will get AMP Groups via the API.

a. Highlight the GET URL from the previous request then right-click and select Copy.

b. Open a new Tab in Postman by clicking the + symbol next to the current tab

c. Click in the Enter request URL field and press CTRL-v to paste the previous URL into this text field. Modify
this URL by removing computers and replacing it with groups.

d. Click Send

e. Scroll through the returned response data. You should see our Groups and related values which includes the
group’s assigned guid.

f. Click the Save button.

g. Change the Request name to 2) AMP4E Groups

h. Click on the AMP4E Collection at the bottom of the form.

i. Click the Save to AMP4E Collection button

9. Let’s review the current AMP4E Collection

a. Click the AMP4E Collection on the left side of the Postman window and it will expand to show you the 2 GET
requests that we have saved.

10. We have validated that our API access is functional. We are ready to move on to a more complex example of what the API can
accomplish.

Using the AMP for Endpoints API to Change a Host Group Assignment
Our customer has informed us that the WKST2 system is no longer a Compliance system. We want to use the API to process the
group assignment change within the console.

1. Open the AMP for Endpoints Console and navigate to Management > Groups

2. Click the entry for ABC - Windows Compliance Protect, then notice it has direct members listed (at a minimum, wkst2
should be listed here).

3. Click on the wkst2 link under direct member

4. Expand the wkst2 computer. Copy the Connector GUID value from the form by highlighting the value, right-clicking
the value, and selecting Copy.

5. Return to the Postman application.

6. In the Collection on the left, click on the 1) AMP4E Computers GET Request in our collection

7. This will bring you to the correct GET Request in Postman.

8. Go to the GET Request URL field and add a forward slash (/) then press CTRL-v to paste the connector guid we just
copied at the end of the line. (Your value will be different than what is displayed below)

9. Click Send to process this new API GET Request.

10. You will notice that the results of this request are specific to our requested Connector and include a great deal more
detail about that particular system. Scroll through the data returned.


11. If you get an error, ensure there is not a space character anywhere in the GET field.

12. Save this to our collection by clicking the drop-down arrow next to Save and choosing Save As. (Do not click Save directly,
as that would overwrite our previous GET request.)

13. Save the request as 3) AMP4E Specific Computer, Select the AMP4E Collection, then click the Save to AMP4E
Collection button.


14. We now need to locate the Group GUID for the group we want to move the wkst2 system into. We will use a previous API
request from our collection to obtain that information.

15. In the Collection on the left, click on the 2) AMP4E Groups GET Request in our collection.

16. Click Send to refresh the results.

17. When the results load, scroll through the information returned to locate the ABC - Windows Endpoints Protect group

18. Highlight the associated guid value and right-click to select Copy

19. Select the 3) AMP4E Specific Computer request from our collection by clicking on the entry. This will bring you to the
correct tab within Postman.


20. Click the GET button and change it to PATCH


21. Click in the URL field and add the following to the end of the line: ?group_guid=

22. Paste the group GUID we copied earlier to the end of the line by pressing CTRL-v. (Your URL will vary based on your
own values.)

23. Click Send

24. Your results should return without an error.

25. Return to your AMP for Endpoints console and Select Management > Computers

26. Expand the entry for wkst2 and note the current Group Assignment has changed as expected based on our API PATCH
request.


27. Navigate to Accounts > API Credentials

28. Expand the ABC API credential and notice the data displayed. The Client ID is shown, but the API Key is not; it is only
shown once, at creation time. If you have lost the API Key value, you must create a new API Credential (and delete the old one).

29. Click View API Documentation

30. The documentation will open in a new tab. Click v1. Browse the Resources section to see what API calls are currently
available to AMP for Endpoints API integrations.


You have completed the API lab and now have a better understanding of the capabilities of the existing API.


Advanced API Usage with Postman


While the ability to use the API to change group assignment was proven in the previous lab, we would like to automate that a bit
more if possible.

1. Return to the Postman Application

2. We will now save the modified API request 3) AMP4E Specific Computer that includes our change to “PATCH” as well as
the extended URL requests.

a. Ensure your request is set to PATCH

b. Ensure your API URL includes both the specific connector guid as well as the ?group_guid= portion of the entry
from our previous steps

c. Once ready, click Save to overwrite the 3)… entry in our Postman Collection

3. Click on the API request = 1) AMP4E Computers

4. Modify the GET url by adding ?hostname[]=wkst2

a. NOTE: The various options you can pass between API calls is listed in the API documentation.

5. Click Send

6. You have returned data about only that hostname.


7. Notice the “connector_guid” value. We will now try to pull that data specifically from the response information

8. Scroll back up just below the GET url request and select the Tests option

9. In the Tests entry window, type the 2 lines shown in the lab image. They read the connector_guid value out of the response
and store it in the environment variable CONNECTOR_GUID_VAR, which later requests reference as {{CONNECTOR_GUID_VAR}}.

10. Let’s save this as 4) AMP4E WKST2

a. Click the dropdown NEXT TO SAVE so we can save this as a new entry rather than overwriting

b. Save this as displayed in the following image being sure to change the Request Name to “4) AMP4E WKST2” as
well as selecting the AMP4E Collection.


11. Now we need to create a new update API call to make use of the stored variable

12. Click 3) AMP4E Specific Computer, then highlight the guid value in the URL just after /computers/

13. With the text highlighted, type {{CONNECTOR_GUID_VAR}}. We are replacing the previous guid value with a variable
entry.

a. This value will be set for us by the Tests script entered in the 4) AMP4E WKST2 request, which must therefore run first.

14. Using SAVE AS, save this as 5) AMP4E Update WKST2 Group being sure to add it to the AMP4E Collection


15. Before running the above API Calls, let’s move the computer back to the ABC – Windows Endpoint Audit group.

a. In the AMP Console, navigate to Management > Computers

b. Expand wkst2

c. Click Move to Group and select ABC – Windows Endpoint Audit

d. Click Move

16. Return to Postman

17. Select 4) AMP4E WKST2 and click the Send button


18. Click the eye icon, near the ABC AMP4E Environment

19. Notice the CONNECTOR_GUID_VAR has been dynamically set as a result of this recent API call

20. Now click 5) AMP4E Update WKST2 Group and Press Send

21. Return to the AMP Console

22. Navigate to Management > Computers (and refresh the page)

23. You should see the group change has occurred

24. Before we proceed, expand WKST2, click Move to Group, and set the group to ABC – Windows Endpoint Audit.

25. We can automate this process further by running the whole collection in Postman's Collection Runner. We will do that
next.


Advanced API Processing with Postman


Postman has many additional advanced features. Here we will show you how to automate the string of entries we have
compiled within our AMP4E Collection using Collection Runner.

1. Return to Postman

2. Let’s update Postman before continuing

3. In Postman, from the main application bar, select Help > Check for Updates then press the Update button

4. Press Restart and Install Updates

5. When postman restarts, close the pop-over window with the X in the upper right-hand corner.

6. Set ABC AMP4E as the current environment in the top right corner of the screen.


7. On the AMP4E Collection, click the right pointing Triangle image


8. Click Run.

9. Set the form data on the left to be as displayed in the following image

a. Set the Environment as ABC AMP4E

b. Enter a 1000 ms delay

c. Check Keep Variable Values


10. Click Run AMP4E Collection

11. You should see each entry in the collection run in order automatically.

12. Return to the AMP4E Console

13. Navigate to Management > Computers

14. You should see that, by chaining the collection together as a single run, the WKST2 computer has been moved to the
Protect group.


Exporting Postman Code for Execution


Postman also has the ability to export its configuration to various scripting languages. Let’s try that here.

1. Close Collection Runner and Return to Postman

2. Click 1) AMP4E Computers within your collection.

3. Click the Code link off to the right of the page.

4. This will open a Generate Code Snippets window. Click HTTP and select Shell > cURL

5. You should now see the code for this Collection Entry translated into a curl command. Click Copy to Clipboard.


6. Close the Snippet Window.

7. On the Jumphost desktop, open the Putty.exe link

8. Enter 198.18.134.50 in the Host Name (or IP address) field and click Open

9. Login as root with a password of C1sco12345

10. Maximize the Putty window

11. Right-click in the PuTTY window. This pastes the cURL command from your clipboard.


12. Press the Enter key to execute the command

13. Note the results! The cURL request we exported has retrieved the same computer data on the Linux workstation. Because the
API uses HTTP Basic authentication, the exported command carries your Client ID and API Key base64-encoded in its Authorization
header, and the pasted line is now in the root user's shell history on that host; treat both as you would the API Key itself.

As you can see, with tools such as Postman and a little experience, you can leverage the API to its fullest capacity.

Lab Completion
Congratulations! You have now completed all scenarios in the AMP for Endpoint FE Training lab content.
