Initiate Scheduled Scans on FireAMP / AMP for Endpoints

Introduction

You can run Scheduled Scans on FireAMP daily, weekly, or monthly depending on your requirements. When you create scheduled scans, you need to provide administrative user credentials for your machines. This document addresses the required permissions of the user account for successful scheduled scans.

Prerequisites

Requirements

• Access to the FireAMP Dashboard
• Credentials for an Administrator account for Windows PCs
• FireAMP 3.x for Windows XP or later - Scheduled Scans
• FireAMP 4.x for Windows XP or later - Scheduled Scans and Endpoint IOC Scans

Before You Begin

When you add a scheduled scan in a FireAMP policy, it increases the policy serial number. The endpoints pull down the new policy when they send heartbeat. Using the supplied credentials, FireAMP creates a scheduled task within Windows, and later executes the task. Because of this design, we need to make sure that the account we use has the correct permissions.

Before we configure a scheduled, scan there are two main requirements for a user account that you plan to use.

Note: These permissions also apply for Endpoint IOC scans.

1. The account must be an administrator account. This could either be a local administrator or domain administrator.
2. The account must be able to Log on as batch.

The Log on as batch permission is configured via group policy. If this is not configured for your domain, then administrative accounts by default should be able to log on as batch. If it is configured for your domain, the account must belong to a group defined within the Group Policy Object (GPO).

Configuration

The following steps apply to a domain controller running Windows Server 2008 R2:

Caution: It is your responsibility to ensure correct group policy configuration on the Windows server. Cisco is not responsible for any issues caused by incorrect group policy configurations. 

1. Go to Start > Administrative Tools > Group Policy Management.
   
   
2. Expand the Forest > Domains > Your_Domain_Name > Group Policy Objects.
   
   
   
   
3. Right click on the policy you wish to modify and choose "Edit".
   
   
4. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
   
   
   
   
5. Double click on Log on as batch job.
   
   
6. Select Add User or Group.
   
   
7. Click Browse, then enter the desired user or group name.
   
   
8. Click Check Name to have it validated.
   
   
9. Click on OK until you get back to the Group Policy Management Editor.

Apply the group policy to your domain or group if it is not already applied. Now that we have configured the user account, we will configure the scan in the FireAMP dashboard.

1. Log in to the FireAMP Dashboard.
   
   
2. Navigate to Management > Policies.
   
   
   
   
3. Edit the desired policy.
   
   
4. Navigate to the File tab > Scheduled Scans. Enter a username and password.
   
   
   

   Note: The user name must be in the domain\username format. Domain suffix is not necessary.

5. Configure the schedule. Use the pencil, plus and minus icons to modify, add, remove scan schedules. You can enter multiple schedules here. You can select either Daily, Weekly, or Monthly in addition to a 24 hour time to initiate the scan. You can also choose the Scan Type (Flash or Full).
   
   
   
   
6. Select Save then select Update to commit the policy changes.

Verification

After the policies are updated on the machines, you should see one or more tasks in the Windows Task Scheduler with the name Immunet like the screenshot below:

Troubleshooting

Policy is updated, but a scheduled task is not found

If your policy updates but you do not see a scheduled task, this is most likely due to the account you used either having the wrong password, or insufficient permission to create tasks (not administrator).

Task is created, but fails to run

If the task is created, but fails to run, the account most likely does not have the ability to Log on as batch. Please review the above configuration steps to ensure that your account is configured correctly.