Have an account?

  •   Personalized content
  •   Your products and support

Need an account?

Create an account

Available Languages

Download Options

  • PDF
    (543.0 KB)
    View with Adobe Reader on a variety of devices
Updated:August 6, 2019

Available Languages

Download Options

  • PDF
    (543.0 KB)
    View with Adobe Reader on a variety of devices
Updated:August 6, 2019


Product Overview

Cisco® Advanced Malware Protection (AMP) for Endpoints integrates prevention, detection, and response capabilities in a single solution, leveraging the power of cloud-based analytics. AMP for Endpoints will protect your Windows, Mac, Linux, Android, and iOS devices through a public or private cloud deployment.


In the rapidly evolving world of malware, threats are becoming harder and harder to detect. The most advanced 1% of these threats, those that will eventually enter and wreak havoc in your network, could potentially go undetected. However, AMP for Endpoints provides comprehensive protection against that 1%. This security software prevents breaches, blocks malware at the point of entry, and continuously monitors and analyzes file and process activity to rapidly detect, contain, and remediate threats that can evade front-line defenses.


Stopping threats at the earliest point in time ensures minimal damage to endpoints and less downtime after a breach. AMP for Endpoints employs a robust set of preventative technologies to stop malware, in real time, protecting endpoints against today’s most common attacks.

File reputation: AMP for Endpoints contains a comprehensive database of every file that has ever been seen and a corresponding good or bad disposition. As a result, known malware is quickly and easily quarantined at the point of entry without any processor-intensive scanning.

Antivirus: AMP for Endpoints includes constantly updated, definition-based antivirus engines for both Windows and Mac or Linux endpoints. All endpoints benefit from custom signature-based detection, allowing administrators to deliver robust control capabilities and enforce blacklists. The antivirus signature database resides locally on each endpoint, meaning it does not rely on cloud connectivity to operate. This ensures that your endpoints are protected both on- and offline.

Polymorphic malware detection: Malware actors will often write different variations of the same malware to avoid common detection techniques. AMP for Endpoints can detect these variant, or polymorphic, malwares through loose fingerprinting. Loose fingerprinting will look for similarities between the suspicious file’s content and the content of known malware families, and convict if there is a substantial match.

Machine learning analysis: AMP for Endpoints is trained by algorithms to “learn” to identify malicious files and activity based on the attributes of known malware. Machine learning capabilities in AMP for Endpoints are fed by the comprehensive data set of Cisco Talos to ensure a better, more accurate model. Together, the machine learning in AMP for Endpoints can help detect never-before-seen malware at the point of entry.

Exploit prevention: Memory attacks can penetrate endpoints, and malware evades security defenses by exploiting vulnerabilities in applications and operating system processes. The exploit prevention feature will defend endpoints from exploit-based, memory injection attacks.


Though malware prevention techniques are necessary for a complete next-generation endpoint security solution, combatting advanced threats requires additional measures. AMP for Endpoints continuously monitors endpoints to help detect new and unknown threats.

Malicious activity protection: AMP for Endpoints continually monitors all endpoint activity and provides run-time detection and blocking of abnormal behavior of a running program on the endpoint. For example, when endpoint behavior indicates ransomware, the offending processes are terminated, preventing endpoint encryption and stopping the attack.

Cloud-based indicators of compromise: Cisco’s industry-leading threat intelligence organization, Talos, constantly analyzes malware to discover new threat types and build behavioral and forensic profiles for emerging threats, otherwise known as Indicators of Compromise (IoCs). The forensic data, such as file locations or modifications to registry key values, are all data that AMP for Endpoints can use to help administrators identify systems that have been breached.

Host-based IoCs: Administrators can write their own custom IoCs for use in incident response to scan for postcompromise indicators across the entire endpoint deployment. Custom IoCs are written in an open standard format (OpenIOC) making it easy to leverage data from any existing intelligence feeds.

Vulnerabilities: AMP for Endpoints identifies vulnerable software across your environment to help reduce the attack surface. Endpoints running vulnerable software are listed out and are given priority based on industry CVE (Common Vulnerabilities and Exposures) scoring: the more severe a vulnerability, the more prominent it will be on the list. This provides administrators with a list of all hosts that need to be patched to prevent future exploit.

Low prevalence: AMP for Endpoints will automatically identify executables that exist in low numbers across your endpoints and analyze those samples in our cloud-based sandbox to uncover new threats. Targeted malware or advanced persistent threats will often fly under the radar and start on only a few endpoints, but with low prevalence, AMP for Endpoints will automatically threat hunt to help easily uncover the 1% of threats that would have otherwise gone unnoticed.

Cognitive intelligence: AMP for Endpoints performs agentless detections when deployed alongside a compatible web proxy through cognitive intelligence. This uses machine learning and artificial intelligence to correlate traffic generated by users to reliably identify command and control traffic, data exfiltration, and possibly unwanted applications already operating in the environment. For example, browser injection attacks, which leave no file footprint on the endpoint, can be identified based on their web traffic, which cognitive intelligence will see and analyze. Being agentless, cognitive intelligence also provides administrators visibility into any Internet-connected devices that can’t have a traditional endpoint security agent deployed onto them. See an overview here.


As the number and variety of advanced threats designed to slip past preventative measures increase, the possibility of a breach should be treated as an eventuality. With that mindset, a powerful toolset should be deployed to help easily identify infected endpoints and understand the scope of an attack. In addition to multiple prevention and detection capabilities, AMP for Endpoints offers granular endpoint visibility and response tools to handle security breaches quickly and efficiently.

Dashboards and inbox: Reports are not limited to event enumeration and aggregation. The actionable dashboards built into AMP for Endpoints enable streamlined management and faster response. Events and endpoints are categorized by priority and tied into workflows to track progress during investigation.


Figure 1.           

AMP for Endpoints dashboard

Endpoint forensics: Powerful tools like file trajectory and device trajectory use AMP’s continuous analysis capabilities to show you the full scope of a threat. AMP identifies all affected applications, processes, and systems to pinpoint patient zero, as well as the method and point of entry. These capabilities help you quickly understand the scope of the problem by identifying malware gateways and the path that attackers are using to gain a foothold into other systems.


Figure 2.           

AMP for Endpoints device trajectory

Dynamic analysis: AMP for Endpoints includes a built-in, highly secure sandboxing environment, powered by Cisco Threat Grid, to analyze the behavior of suspect files. File analysis produces detailed information on files, including the severity of behaviors, the original file name, screenshots of the malware executing, and sample packet captures. Armed with this information, you’ll have a better understanding of what is necessary to contain the outbreak and block future attacks.

Retrospective security: AMP for Endpoints employs patented technology that automatically uncovers advanced threats that have entered your environment. Powered by continuous monitoring, AMP for Endpoints correlates new threat information with your past history and automatically quarantines files the moment they start to exhibit malicious behavior. This automated response to the latest threats provides a faster time to detection and greatly reduces the proliferation of the malware.

Command line visibility: Gaining visibility into command line arguments helps to determine if legitimate applications, including Windows utilities, are being used for malicious purposes. AMP for Endpoints can uncover hard-to-detect behavior, such as the use of vssadmin to delete shadow copies or disable safe boots; PowerShell-based exploits; privilege escalation; modifications of access control lists; and attempts to enumerate systems.

Cisco AMP for Endpoints Leads in Third-Party Testing

In NSS Labs’ Advanced Endpoint Protection testing, AMP for Endpoints demonstrated itself as an endpoint security leader, earning a “recommended” rating due to strong security effectiveness and leading total cost of ownership. The security software:

     Blocked 100% of web-based attacks

     Blocked 100% of email-borne attacks

     Led overall total cost of ownership

     Resulted in no false positives

Platform Support and Compatibility

AMP for Endpoints is compatible with the following operating systems


     Windows 7

     Windows 8, 8.1

     Windows 10

     Windows Server 2008 R2, 2012, 2012 R2, 2016, 2019


     Red Hat Enterprise Linux or CentOS 6.9, 6.10, 7.4, 7.5, 7.6


     Android 2.1 (Éclair) to 9.0 (Pie)


     iOS 11.3 and above

     macOS 10.12, 10.13, 10.14

Warranty Information

Find warranty information on the Cisco.com Product Warranties page.

Ordering Information

Find the ordering guide here.

Cisco Capital

Flexible Payment Solutions to Help You Achieve Your Objectives

Cisco Capital makes it easier to get the right technology to achieve your objectives, enable business transformation and help you stay competitive. We can help you reduce the total cost of ownership, conserve capital, and accelerate growth. In more than 100 countries, our flexible payment solutions can help you acquire hardware, software, services and complementary third-party equipment in easy, predictable payments. Learn more.

For More Information

For more information, please visit the following link:

     Cisco AMP for Endpoints

Learn more