Cisco Advanced Malware Protection AMP
Cisco Secure Endpoint, formerly known as Cisco Advanced Malware Protection (AMP), is an enterprise-class security solution intended to stop, identify, and eliminate sophisticated threats. Unlike standard antivirus software, which usually relies on point-in-time scanning at the moment a file enters the network, AMP continues to monitor and analyze files even after they have entered the environment.
The Threat Continuum: Before, During, and After
AMP is designed to address threats across the whole attack lifecycle:
- Before (Prevention): It uses Cisco Talos' worldwide threat intelligence to block known malware, ransomware, and fileless attacks immediately. During this phase, threats are stopped at the point of entry by machine learning, exploit prevention, and "one-to-one" signature matching.
- During (Detection): For unfamiliar files with no known signature, AMP uses sandboxing (via Cisco Secure Malware Analytics, formerly Threat Grid) to run and observe them in a secure, isolated environment.
- After (Response): This phase centers on Retrospective Security. AMP continues to monitor and record the activity of every file it has seen. If a file that was initially judged "clean" later turns out to be harmful, AMP notifies administrators, displays the complete file history, and facilitates quick containment.
Key Concepts and Technical Features
Cisco AMP uses a number of fundamental processes to assess files:
- File Disposition: The AMP cloud classifies each file as clean (known to be good), malicious (known to be bad), or unknown (insufficient data).
- Retrospective: If the AMP cloud learns something new that changes a file's disposition, it generates alerts informing administrators that a previously downloaded file is now considered hazardous.
- Trajectories: AMP visually represents the impact of a threat. File Trajectory charts the movement of a file across the network, whereas Device Trajectory offers a chronological record of all file and process operations on a particular system.
- Global Intelligence (Cisco Talos): Talos, one of the biggest commercial threat intelligence teams in the world, provides AMP with fresh threat intelligence by analyzing millions of malware samples every day.
Deployment Options
Cisco AMP is a subscription-based service that can be implemented at different control points:
- AMP for Endpoints: Protects workstations, laptops, servers, and mobile devices (iOS, Android, Linux, Mac, and Windows).
- AMP for Networks: Integrated into Cisco Firepower NGIPS, ISR branch routers, and Meraki MX Security Appliances to examine network traffic.
- AMP for Email and Web: Adds malware defense layers to Cisco Email Security Appliances (ESA) and Web Security Appliances (WSA).
- Private Cloud Appliance: An on-premises solution for air-gapped environments that are unable to obtain threat intelligence from the public cloud.
Operational Workflow (SD-WAN/Network Example)
When AMP is enabled on an edge device such as a WAN router, the procedure runs as follows:
- The router intercepts a file download and hands it to a Snort file pre-processor.
- The engine calculates the file's SHA256 hash and checks a local cache for a known disposition.
- If the hash is not in the local cache, it is sent to the AMP Cloud for a reputation score.
- If the cloud reports the file as malicious, the download is blocked. An unknown file may be "detonated" in a sandbox VM and given a threat score.
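The following is an added example, not Cisco code, that simulates the hash-lookup workflow above together with the retrospective alerting described earlier: a constructed in-memory "cloud" stands in for the AMP Cloud, and the host names and sample file contents are made up.

```python
import hashlib

# Dispositions as described in the article.
CLEAN, MALICIOUS, UNKNOWN = "clean", "malicious", "unknown"


def sha256_hex(data: bytes) -> str:
    """SHA256 hex digest, the identifier AMP uses for file lookups."""
    return hashlib.sha256(data).hexdigest()


class DispositionEngine:
    """Constructed simulation of an AMP edge device plus cloud lookups."""

    def __init__(self, cloud: dict):
        self.cloud = cloud            # hypothetical cloud: sha256 -> disposition
        self.cache = {}               # local cache: sha256 -> disposition
        self.trajectory = []          # (host, sha256, disposition) for every file seen
        self.sandbox_queue = []       # unknown hashes awaiting detonation

    def inspect(self, host: str, data: bytes) -> str:
        sha = sha256_hex(data)
        disp = self.cache.get(sha)
        if disp is None:              # cache miss: ask the cloud for a reputation
            disp = self.cloud.get(sha, UNKNOWN)
            if disp != UNKNOWN:       # only cache definitive answers
                self.cache[sha] = disp
        self.trajectory.append((host, sha, disp))   # feeds File/Device Trajectory
        if disp == MALICIOUS:
            return "blocked"
        if disp == UNKNOWN:
            self.sandbox_queue.append(sha)          # to be detonated in a sandbox VM
        return "allowed"

    def retrospective_update(self, sha: str, new_disp: str) -> list:
        """Cloud learns a new verdict; return hosts that already received the file."""
        self.cloud[sha] = new_disp
        self.cache[sha] = new_disp
        return [h for h, s, d in self.trajectory if s == sha and d != new_disp]
```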
Meraki MX Specific Requirements
AMP on Meraki MX appliances is available only with the Advanced Security and SD-WAN licenses. The dashboard's Traffic Analysis feature must be enabled for AMP to operate. Meraki MX can inspect a wide range of file types, such as PDFs, ZIP files, executables (EXE, ELF, Mach-O), and Microsoft Office documents (including the XML-based formats). Important firmware updates were required by the middle of 2023 so that MX devices and the AMP Cloud could continue to communicate; if these are not applied, the device "fails closed" and blocks all inspected file downloads.