This document describes the changes added to the Cisco-Maintained Exclusions.
Cisco-Maintained Exclusions are created and maintained by Cisco to provide better compatibility between the Advanced Malware Protection (AMP) for Endpoints Connector and antivirus, security, or other software. These exclusions can be extended to cover new versions of an application.
Contributed by Caly Hess, Cisco Engineer.
Cisco recommends that you have knowledge of these topics:
Exclusions in AMP for Endpoints
The information in this document is based on these software and hardware versions:
AMP for Endpoints console version 5.4.20190820
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Expectations When You Update
When the Cisco-Maintained lists are changed, a policy update occurs on the backend to reflect that change. As each endpoint that uses that list checks in on its heartbeat, it pulls the updated policy. These policy changes are not reflected in the audit log, because the change is technically to the exclusion list rather than to the policy itself, and Cisco-Maintained exclusion lists do not appear in the normal audit log on individual consoles. In large-scale environments, this appears as a flood of policy updates; the end result is better performance on each of the endpoints.
The update period depends on each endpoint. If all the machines are online, the updates take place within 1-2 heartbeats. In a global environment, updates continue to occur as machines come online, so don't be surprised to see additional policy updates 24-48 hours after the maintained list is pushed.