Application Resilience policies for Cisco AMP for Endpoints

You can activate an Application Resilience policy for Cisco® Advanced Malware Protection for Endpoints (Cisco AMP) to collect information about the functional status of the Connector installed on your Windows devices and to view the results in reports. You can also configure the policy to attempt to repair or reinstall the application.

Cisco AMP was renamed Cisco Secure Endpoint in version 7.4.1.

Application Resilience policies for Cisco AMP are supported on devices running:

  • a supported version of the Windows operating system

  • PowerShell version 5.1 or higher

    Due to PowerShell restrictions imposed by Microsoft, Application Resilience is not supported for versions 7.4.3 or higher on devices running Windows 11 SE.

  • one of the following versions of the Connector:

    • 7.4.1.x or higher (Cisco Secure Endpoint)

      Significant software changes in higher versions may cause health checks to become invalid.

    • 5.0.0 to 7.3.15 (Cisco AMP)

Cisco Secure Endpoint requires the installation of the Secure Endpoint Windows connector on the organization's devices.

Cisco AMP requires the installation of the Cisco AMP for Endpoints Windows Connector.

Both are referred to as the Connector in this documentation.

In addition to checking the version, the following table describes the health checks performed:

If you select Report higher versions as Compliant, higher versions report Compliant without running health checks.

Component Test performed
Services Installed Running Signed by
  • Cisco Secure Endpoint (sfc.exe)
  • Cisco Security Connector Monitoring Service (cscm.exe)
 P P

One of the signers entered in the policy configuration

By default, Signers contains "Cisco Systems, Inc." and "

CISCO SYSTEMS CANADA CO".
Application name

The application uses one of the following names:

  • Cisco AMP for Endpoints Connector

  • Cisco Secure Endpoint

In addition to checking the version, the following table describes the health checks performed:

If you select Report higher versions as Compliant, higher versions report Compliant without running health checks.

Component Test performed
Services Installed Running Signed by
  • Cisco AMP for Endpoints Connector (sfc.exe)
  • Cisco Security Connector Monitoring Service (cscm.exe)
 P P

One of the following:

  • Cisco Systems, Inc.
  • CISCO SYSTEMS CANADA CO
Application name

The application uses one of the following names:

  • Cisco AMP for Endpoints Connector

  • Cisco Secure Endpoint

You can configure an Application Resilience policy for Cisco Secure Endpoint to enable the Application Resilience (RAR) component A lightweight software component of the Secure Endpoint Agent that detects the status of third party applications installed on a device. The component may also attempt to repair the third party application if it is non-compliant. The RAR component is deployed on a device only when the device is associated with a customized policy group and that policy group's Application Resilience policy is activated. to attempt to reinstall the Connector if it's not functioning or missing.

The Report and repair option isn't supported. Depending on the Absolute product licenses associated with your account, the Report and reinstall option may not be available.

The RAR component of the Secure Endpoint Agent can respond to the following issues:

Issue Resolution
Reinstall

Downgrades are not supported. If the version installed on a device is higher than the expected version, no action is taken.

One or more of the following services aren't running or aren't installed:

  • Cisco Secure Endpoint (sfc.exe)
  • Cisco Security Connector Monitoring Service (cscm.exe)

The RAR component downloads and installs the configured version of the application.

A device restart is required after the application is installed. The Secure Endpoint Agent doesn't force the device to restart, so a status of Not Compliant continues to show in the Application Resilience reports until the device user performs a restart. You can review the report's Status details to determine if a restart is required.
The expected version of the Connector isn't installed

You can configure an Application Resilience policy for Cisco AMP to enable the Application Resilience (RAR) component A lightweight software component of the Secure Endpoint Agent that detects the status of third party applications installed on a device. The component may also attempt to repair the third party application if it is non-compliant. The RAR component is deployed on a device only when the device is associated with a customized policy group and that policy group's Application Resilience policy is activated. to attempt to repair the Connector if it's not functioning, or reinstall it if it's missing or can't be repaired.

Depending on the Absolute product licenses associated with your account, the Report and repair and Report, repair, and reinstall options may not be available.

The RAR component of the Secure Endpoint Agent can respond to the following issues:

Issue Resolution
Repair

One or more of the following services aren't running:

  • Cisco AMP for Endpoints Connector (sfc.exe)
  • Cisco Security Connector Monitoring Service (cscm.exe)

The RAR component restarts the service.

One or more of the following services aren't installed and the service's executable can be detected on the device:

  • Cisco AMP for Endpoints Connector (sfc.exe)
  • Cisco Security Connector Monitoring Service (cscm.exe)

The RAR component reinstalls each missing service.
Reinstall

Downgrades are not supported. If the version installed on a device is higher than the expected version, no action is taken.

One or more of the following services aren't installed and the service's executable cannot be detected on the device:

  • Cisco AMP for Endpoints Connector (sfc.exe)
  • Cisco Security Connector Monitoring Service (cscm.exe)

The RAR component downloads and installs the configured version of the application.

A device restart is required after the application is installed. The Secure Endpoint Agent doesn't force the device to restart, so a status of Not Compliant continues to show in the Application Resilience reports until the device user performs a restart. You can review the report's Status details to determine if a restart is required.
The Connector failed to be repaired, or the expected version of the Connector isn't installed

The installer:

  • must be an EXE file

  • can have any file name

The RAR component looks for the following files names when checking pre-cached installers:

Component File name
Installer Clients_FireAMPSetup.exe

Before you activate an Application Resilience policy, you need to configure the policy. You need to configure the application version in addition to the settings in Configuring Application Resilience policies.

To configure the application version:

  1. Under Application version, select 7.4.1.* or higher from the drop-down.

  2. Under Cisco AMP version, enter the version of the Connector you expect to be running on your devices.

    • The target version must be a sequence of digits separated by a period.
    • You can use wildcard "*" characters after the major version number, for example, 7.* or 7.4.*.

    Make sure the version you are entering is consistent with version 7.4.1.x or higher.

If you selected the Report, repair, and reinstall option, you also need to configure these settings in addition to the settings in Configuring Application Resilience policies.

To configure the Cisco Secure Endpoint specific settings:

  1. [Optional] To only reinstall the application if it's missing, select the checkbox next to Do not reinstall or upgrade if the app is already installed. When this option is selected, the application is not reinstalled when either of the following conditions apply:

    • The application version is lower than the expected version.
    • The application can't be repaired.

  1. [Optional] Under Additional installer commands, enter the applicable command-line parameters to configure any settings not covered by the policy configuration. For more information about the available command line parameters, see Cisco's documentation.

  2. [Optional] Under Uninstallation Parameters, enter the applicable command-line parameters to configure any uninstall settings not covered by the policy configuration. For more information about the available command-line parameters, see Cisco's documentation.

Before you activate an Application Resilience policy, you need to configure the policy. You need to configure the application version in addition to the settings in Configuring Application Resilience policies.

To configure the application version:

  1. Under Application version, select 5.0.0-7.3.15 from the drop-down.

  2. Under Cisco AMP version, enter the version of the Connector you expect to be running on your devices.

    • The target version must be a sequence of digits separated by a period.
    • You must enter the full version number, for example, 7.2.20. Wildcard "*" characters are not accepted.

    Make sure the version you are entering is consistent with version 5.0.0 to 7.3.15.

If you selected the Report, repair, and reinstall option, you also need to configure this setting in addition to the settings in Configuring Application Resilience policies.

To configure the Cisco AMP specific setting:

  1. [Optional] Under Additional installer commands, enter the applicable command-line parameters to configure any settings not covered by the policy configuration. For more information about the available command line parameters, see Cisco's documentation.