Introduction
This document describes the steps to create a Simple Custom Detection list that detects, blocks and quarantines specific files, so that those files are not allowed on devices that have the Advanced Malware Protection (AMP) for Endpoints connector installed.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- Access to the AMP portal
- Account with administrator privileges
- File size no more than 20 MB
Components Used
The information in this document is based on Cisco AMP for Endpoints console version 5.4.20190709.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Workflow
The Simple Custom Detection list option uses this workflow:
- The Simple Custom Detection list is created from the AMP portal.
- The Simple Custom Detection list is applied in a previously created Policy.
- The AMP Connector is installed on the device and that device is assigned to the Policy.
Configuration
In order to create a Simple Custom Detection list, follow these steps:
Step 1. On the AMP Portal, navigate to Outbreak Control > Simple option, as shown in the image.
Step 2. On the Custom Detections – Simple option, click the Create button to add a new list, choose a name that identifies the Simple Custom Detection list and save it, as shown in the image.
Step 3. Once the list is created, click on the Edit button to add the list of the files you want to block, as shown in the image.
Step 4. On the Add SHA-256 option, paste the SHA-256 hash previously collected from the specific file you want to block, as shown in the image.
Step 5. On the Upload File option, browse for the specific file that you want to block, once the file is uploaded, the SHA-256 of this file is added into the list, as shown in the image.
Step 6. The Upload Set of SHA-256s option allows you to upload a file that contains a list of multiple previously acquired SHA-256 hashes, as shown in the images.
Step 7. Once the Simple Custom Detection list is generated, navigate to Management > Policies and choose the policy where you want to apply the list previously created, as shown in the images.
Step 8. Click on the Edit button and navigate to Outbreak Control > Custom Detections – Simple, select the previously generated list from the drop-down menu and save the changes, as shown in the image.
Once all steps are performed, and the connectors are synchronized to the last policy changes, the Simple Custom Detection takes effect.
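Steps 4 through 6 all rely on having the correct SHA-256 hash of each file you want to block. The following script is an added example (not Cisco's code and not part of the original document) that computes the SHA-256 of local files, enforces the 20 MB file-size limit stated in the Requirements, validates and de-duplicates hashes collected elsewhere, and writes them out one hex digest per line. The one-hash-per-line format is an assumption for illustration, since the document does not state the exact format that the Upload Set of SHA-256s option expects; the sample files it hashes are constructed in a temporary directory so the script runs offline.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# The document states the file-size limit as 20 MB.
MAX_FILE_BYTES = 20 * 1024 * 1024
# A SHA-256 digest is 64 hexadecimal characters.
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def is_within_size_limit(size_bytes: int) -> bool:
    """Return True when a file of this size can be uploaded to the portal."""
    return size_bytes <= MAX_FILE_BYTES


def sha256_of_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory buffer."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """SHA-256 hex digest of a file on disk, read in chunks."""
    size = path.stat().st_size
    if not is_within_size_limit(size):
        raise ValueError(f"{path} is {size} bytes, larger than the 20 MB limit")
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def normalize_hashes(entries):
    """Lowercase, validate and de-duplicate SHA-256 strings, keeping order."""
    result = []
    for raw in entries:
        value = raw.strip().lower()
        if not value:
            continue  # skip blank lines from a pasted list
        if not SHA256_RE.match(value):
            raise ValueError(f"not a SHA-256 hex digest: {raw!r}")
        if value not in result:
            result.append(value)
    return result


def build_hash_list(files, extra_hashes=()) -> str:
    """Hash the given files, merge in already-known hashes, and format
    them one per line (assumed upload-set format)."""
    hashes = [sha256_of_file(Path(p)) for p in files]
    hashes.extend(extra_hashes)
    return "\n".join(normalize_hashes(hashes)) + "\n"


def build_sample_list() -> str:
    """Create two constructed sample files and build a list from them plus
    one hash pasted in upper case that duplicates the first file."""
    workdir = Path(tempfile.mkdtemp(prefix="scd-sample-"))
    sample_a = workdir / "sample_a.bin"
    sample_b = workdir / "sample_b.bin"
    sample_a.write_bytes(b"abc")  # constructed sample content
    sample_b.write_bytes(b"")     # constructed empty file
    pasted = sha256_of_bytes(b"abc").upper()  # same hash, different case
    return build_hash_list([sample_a, sample_b], extra_hashes=[pasted])


if __name__ == "__main__":
    # Prints the de-duplicated list ready for the Upload Set of SHA-256s option.
    print(build_sample_list(), end="")
```

Run the script directly to see the two-line list it produces; redirect its output to a file to use as the upload set. The size check runs before any bytes are read, so an oversized file fails fast instead of producing a hash the portal would reject at upload time.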
Verify
There is currently no verification procedure available for this configuration.
Troubleshoot
There is currently no specific troubleshooting information available for this configuration.
Warning: If a file is added to a Simple Custom Detection list, the cache time must expire before the detection takes effect.
Note: When you add a Simple Custom Detection, it is subject to be cached. The length of time a file is cached depends on its disposition, as shown in this list:
- Clean files: 7 days
- Unknown files: 1 hour
- Malicious files: 1 hour