Configure a Simple Custom Detection List on the AMP for Endpoints Portal

Introduction

This document describes the steps to create a Simple Custom Detection list to detect, block and quarantine specific files to prevent the files to be allowed on devices that have installed the Advanced Malware Protection (AMP) for Endpoints connectors.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

• Access to the AMP portal
• Account with administrator privileges
• File size no more than 20 MB

Components Used

The information in this document is based on Cisco AMP for Endpoints console version 5.4.20190709.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

Workflow

The Simple Custom Detection list option uses this workflow:

• The Simple Custom Detection list created from the AMP portal.
• A Simple Custom Detection list applied in a Policy previously created.
• The AMP Connector installed on the device and applied in the Policy.

Configuration

In order to create a Simple Custom Detection list, follow these steps:

Step 1. On the AMP Portal, navigate to Outbreak Control > Simple option, as shown in the image.

Step 2. On the Custom Detections – Simple option, click Create button to add a new list, choose a name to identify the Simple Custom Detection list and save it, as shown in the image.

Step 3. Once the list is created, click on the Edit button to add the list of the files you want to block, as shown in the image.

Step 4. On the Add SHA-256 option, paste the SHA-256 code previously collected from the specific file you want to block, as shown in the image.

Step 5. On the Upload File option, browse for the specific file that you want to block, once the file is uploaded, the SHA-256 of this file is added into the list, as shown in the image.

Step 6. The Upload Set of SHA-256s option allows to add a file with a list of multiple SHA-256 codes previously acquired, as shown in the images.

Step 7. Once the Simple Custom Detection list is generated, navigate to Management > Policies and choose the policy where you want to apply the list previously created, as shown in the images.

Step 8. Click on the Edit button and navigate to Outbreak Control > Custom Detections – Simple,  select the list previously generated on the drop-down menu and save the changes, as shown in the image.

Once all steps are performed, and the connectors are synchronized to the last policy changes, the Simple Custom Detection takes effect.

Verify

There is currently no verification procedure available for this configuration.

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.

Warning: If a file is added to a Simple Custom Detection list, the cache time must expire before the detection takes effect.

Note: When you add a Simple Custom Detection, it is subject to be cached. The length of time a file is cached depends on its disposition, as shown in this list:
• Clean files: 7 days
• Unknown files: 1 hour
• Malicious files: 1 hour