6. Managed Deployment Techniques

6.1. Deploy Agent

Cisco AMP supports managed installs and has different command line flags/switches that can be used to customize agent installation, which vary by operating system.

6.1.1. Windows

Note

Common flags and what they do:

  • /R: For all Connector versions 5.1.13 and higher this must be the first switch used.
  • /S: Used to put the installer into silent mode.
  • /skiptetra 1: Skip installation of the TETRA driver.
  • /skipdfc 1: Skip installation of the DFC driver.

/skiptetra and /skipdfc are both binary switches where 0 is false/off and 1 is true/on. This logic applies to any command switch, as detailed in the documentation below.

For more information please see Chapter 3 of Deployment Strategy Guide or Chapter 7 of the User Guide here.

6.1.1.1. Deploy Windows AMP for Endpoint

When installing on a Windows Server/Domain Controller:

amp_GroupName.exe /R /S /skiptetra 1 /skipdfc 1

When installing on Windows Desktops:

amp_GroupName.exe /R /S

6.1.1.2. Deploy Windows AMP for Endpoint With No UI Elements

When installing on a Windows Server/Domain Controller:

amp_GroupName.exe /R /S /skiptetra 1 /skipdfc 1 /desktopicon 0 /startmenu 0 /contextmenu 0

When installing on Windows Desktops:

amp_GroupName.exe /R /S /desktopicon 0 /startmenu 0 /contextmenu 0

6.1.1.3. Deploy Windows AMP for Endpoint and Specify the Installation Parameters

For a complete list of command line switches that can be used during installation please see Chapter 3 of Deployment Strategy Guide or Chapter 7 of the User Guide here. You can then prompt the user for the value of each switch.

6.1.1.4. Upgrade Windows AMP for Endpoints Connector

To upgrade the connector while keeping the deployment settings, read the command line switches used during the previous installation from local.xml:

Note

The local.xml is found in the Cisco AMP install directory, which can be located by checking the registry key value of HKEY_LOCAL_MACHINE\SOFTWARE\Immunet Protect\InstallDir.

  • /config/install/switches/skipdfc
  • /config/install/switches/skiptetra
  • /config/install/switches/skipexprevprereqcheck
  • /config/install/switches/desktopicon
  • /config/install/switches/startmenu
  • /config/install/switches/contextmenu
  • /config/install/switches/overridepolicy

For example if the local.xml contained:

...
  </agent>
  <install>
   <switches>
    <skipdfc>1</skipdfc>
    <desktopicon>0</desktopicon>
    <sendfile>1</sendfile>
    <versioncheck>0</versioncheck>
    <noadmin>0</noadmin>
    <skiposcheck>0</skiposcheck>
    <skiptetra>1</skiptetra>
    <contextmenu>0</contextmenu>
    <startmenu>0</startmenu>
    <trayicon>0</trayicon>
    <overridepolicy>1</overridepolicy>
    <skipexprevprereqcheck>0</skipexprevprereqcheck>
    <overrideinstpathlength>0</overrideinstpathlength>
    <renameinstalldir>1</renameinstalldir>
   </switches>
  </install>
  <janus>
...

Then you would use the following command to upgrade:

amp_GroupName.exe /R /S /skipdfc 1 /skiptetra 1 /skipexprevprereqcheck 0 /desktopicon 0 /startmenu 0 /contextmenu 0 /overridepolicy 1
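As an added example (not code from the original page), the following Python builds the upgrade command line from the switches recorded in local.xml. It assumes local.xml has a <config> root element, as the switch paths above imply, and uses a constructed sample fragment rather than a real file.

```python
import xml.etree.ElementTree as ET

# Switches the page lists under /config/install/switches, in the order
# the upgrade command line uses them.
UPGRADE_SWITCHES = (
    "skipdfc", "skiptetra", "skipexprevprereqcheck", "desktopicon",
    "startmenu", "contextmenu", "overridepolicy",
)

# Constructed sample modelled on the local.xml fragment above (not a real file).
SAMPLE_LOCAL_XML = """<config>
  <install>
    <switches>
      <skipdfc>1</skipdfc>
      <desktopicon>0</desktopicon>
      <sendfile>1</sendfile>
      <skiptetra>1</skiptetra>
      <contextmenu>0</contextmenu>
      <startmenu>0</startmenu>
      <overridepolicy>1</overridepolicy>
      <skipexprevprereqcheck>0</skipexprevprereqcheck>
    </switches>
  </install>
</config>"""


def read_install_switches(xml_text):
    """Return {switch: "0" or "1"} for the listed switches recorded in local.xml."""
    root = ET.fromstring(xml_text)
    if root.tag != "config":
        raise ValueError("unexpected local.xml root element <%s>" % root.tag)
    found = {}
    for name in UPGRADE_SWITCHES:
        node = root.find("install/switches/" + name)
        if node is None or not (node.text or "").strip():
            continue  # not recorded by the previous install: leave it out
        value = node.text.strip()
        if value not in ("0", "1"):  # every switch is binary (0 off, 1 on)
            raise ValueError("switch %s has non-binary value %r" % (name, value))
        found[name] = value
    return found


def build_upgrade_command(xml_text, installer="amp_GroupName.exe"):
    """Silent upgrade line: /R must come first, then /S, then the saved switches."""
    parts = [installer, "/R", "/S"]
    for name, value in read_install_switches(xml_text).items():
        parts += ["/" + name, value]
    return " ".join(parts)
```

Switches that are not in the list above (for example sendfile) are left out, matching the upgrade command shown on this page.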

6.1.2. Linux

6.1.2.1. Deploy Linux AMP for Endpoint Connector

For RHEL/CentOS versions 6-8 please go here and select the group you will be deploying a connector for. Next, select the distribution of Linux you will be using and copy the URL it creates. Then, run the following two commands:

wget <CopiedURL> -O amp_<GroupName>_rhel-<LinuxDistribution>.rpm
yum install -y amp_<GroupName>_rhel-<LinuxDistribution>.rpm

6.1.2.2. Upgrade Linux AMP for Endpoints Connector

To upgrade RHEL/CentOS versions 6-8 connectors please go here and select the group for the connector. Next, select the distribution of Linux that was used and copy the URL it creates. Then, run the following two commands:

wget <CopiedURL> -O amp_<GroupName>_rhel-<LinuxDistribution>.rpm
yum install -y amp_<GroupName>_rhel-<LinuxDistribution>.rpm

6.1.3. MacOS

6.1.3.1. Deploy MacOS AMP for Endpoint Connector

Once you have the connector on the endpoint, execute the following commands to install:

Please modify the file name to whatever the file was saved as.

hdiutil attach amp_GroupName.dmg
installer -pkg /Volumes/ampmac_connector/ciscoampmac_connector.pkg -target /
hdiutil detach /Volumes/ampmac_connector

6.1.3.2. Upgrade MacOS AMP for Endpoints Connector

To upgrade, get the connector on the endpoint and execute the following commands to install:

Please modify the file name to whatever the file was saved as.

hdiutil attach amp_GroupName.dmg
installer -pkg /Volumes/ampmac_connector/ciscoampmac_connector.pkg -target /
hdiutil detach /Volumes/ampmac_connector

6.2. Check Agent Status

6.2.1. Windows

6.2.1.1. Installation Status

To confirm installation was successful look for a service that contains the string CiscoAMP.

6.2.1.2. Connector Status

To find the connector state and version for Windows computers check for a running service that contains CiscoAMP. If a service exists you can then check the version of the service.

6.2.2. Linux

6.2.2.1. Installation Status

To confirm whether the AMP connector is installed, check for the following file: /opt/cisco/amp/bin/ampdaemon.

6.2.2.2. Connector Status

To find the connector state and version for Linux computers with the AMP for Endpoints connector, first check whether there is a running process named ampdaemon. To get the version, read the value of /Signature/Object/config/agent/version from /opt/cisco/amp/etc/global.xml.

6.2.3. MacOS

6.2.3.1. Installation Status

To check whether the AMP connector is installed, check for the following file: /opt/cisco/amp/ampdaemon.

6.2.3.2. Connector Status

To find the connector state and version for MacOS computers with the AMP for Endpoints connector, first check whether there is a running process named ampdaemon. To get the version, read the value of /Signature/Object/config/agent/version from /opt/cisco/amp/etc/global.xml.

6.3. Get Agent GUID

6.3.1. Windows

To get the AMP InstallDir check the registry key value of HKEY_LOCAL_MACHINE\SOFTWARE\Immunet Protect\InstallDir.

Read the value of /config/agent/uuid from $AMP_InstallDir\local.xml.

Default location is: C:\Program Files\Cisco\AMP\local.xml

6.3.2. Linux

Read the value of /config/agent/uuid from /opt/cisco/amp/etc/local.xml.

6.3.3. MacOS

Read the value of /config/agent/uuid from /Library/Application Support/Cisco/AMP for Endpoints Connector/local.xml.
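As an added example covering the status checks in 6.2 and the GUID lookup in 6.3 (not code from the original page), the following Python parses global.xml and local.xml at the paths given above and folds the ampdaemon checks into one status record. The XML samples are constructed, and the file-exists result and process list are assumed to be supplied by the caller.

```python
import uuid
import xml.etree.ElementTree as ET

# Constructed samples modelled on the files named above; not real connector files.
SAMPLE_GLOBAL_XML = """<Signature><Object>
  <config><agent><version>1.14.0.738</version></agent></config>
</Object></Signature>"""
SAMPLE_LOCAL_XML = """<config>
  <agent><uuid>1f7e0f54-3c2a-4b1d-9e8f-0a1b2c3d4e5f</uuid></agent>
</config>"""


def _text_at(xml_text, root_tag, relative_path):
    """Text of the element at /root_tag/relative_path, or None if absent or empty."""
    root = ET.fromstring(xml_text)
    if root.tag != root_tag:
        raise ValueError("expected root <%s>, found <%s>" % (root_tag, root.tag))
    node = root.find(relative_path)
    text = (node.text or "").strip() if node is not None else ""
    return text or None


def connector_version(global_xml_text):
    """/Signature/Object/config/agent/version from global.xml (Linux and MacOS)."""
    return _text_at(global_xml_text, "Signature", "Object/config/agent/version")


def connector_guid(local_xml_text):
    """/config/agent/uuid from local.xml; rejects a value that is not a GUID."""
    value = _text_at(local_xml_text, "config", "agent/uuid")
    if value is not None:
        uuid.UUID(value)  # ValueError here means local.xml is corrupt
    return value


def connector_status(daemon_present, process_names,
                     global_xml_text=None, local_xml_text=None):
    """Combine the checks above: daemon on disk, ampdaemon running, version, GUID."""
    status = {"installed": bool(daemon_present),
              "running": "ampdaemon" in process_names,
              "version": None, "guid": None}
    if not status["installed"]:
        return status  # nothing to read when the connector is not on disk
    if global_xml_text:
        status["version"] = connector_version(global_xml_text)
    if local_xml_text:
        status["guid"] = connector_guid(local_xml_text)
    return status
```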

6.4. Uninstall

6.4.1. Full Uninstall

This action will uninstall AMP for Endpoints and remove all data from disk. If you later re-install AMP on the computer it will register with a new GUID.

6.4.1.1. Windows

To remove AMP from Windows please do the following:

  1. Find the directory path for uninstall.exe, %AMP_InstallDir%\%VERSION%, by checking the image path of the Cisco AMP for Endpoints service. The service name will be CiscoAMP_%VERSION% and the image path will be %AMP_InstallDir%\%VERSION%\sfc.exe.
  2. Navigate to the directory. Here is an example C:\Program Files\Cisco\AMP\7.2.7.
  3. Run the following command:
uninstall.exe /S /full 1 /password <PASSWORD>

Note

The /password switch is only required if a Connector Protection Password is configured. If it is not provided the /password switch is ignored.

6.4.1.2. Linux

To remove AMP from Linux please run these commands:

yum remove ciscoampconnector -y
/opt/cisco/amp/bin/purge_amp_local_data

6.4.1.3. MacOS

To remove AMP from MacOS please run this command:

installer -pkg "/Applications/Cisco AMP/Uninstall AMP for Endpoints Connector.pkg" -target /

6.4.2. Uninstall But Leave Configuration

If you plan to re-install AMP for Endpoints at a later date you should use this action to leave the configuration on disk. This will result in the connector re-registering with the cloud using the same GUID. This capability is not available for MacOS.

6.4.2.1. Windows

To remove AMP from Windows but leave the configuration please do the following:

  1. Find the directory path for uninstall.exe, %AMP_InstallDir%\%VERSION%, by checking the image path of the Cisco AMP for Endpoints service. The service name will be CiscoAMP_%VERSION% and the image path will be %AMP_InstallDir%\%VERSION%\sfc.exe.
  2. Navigate to the directory. Here is an example C:\Program Files\Cisco\AMP\7.2.7.
  3. Run the following command:
uninstall.exe /S /full 0 /password <PASSWORD>

Note

The /password switch is only required if a Connector Protection Password is configured. If it is not provided the /password switch is ignored.

6.4.2.2. Linux

To remove AMP from Linux but leave the configuration please run this command:

yum remove ciscoampconnector -y

6.5. Starting and Stopping Agents

6.5.1. Starting Agents

6.5.1.1. Windows

Start the agent with net start and the Cisco AMP service display name (quoted, because the display name contains spaces):

cmd.exe /c net start "Cisco AMP for Endpoints Connector 7.2.7"

Or start the agent with PowerShell and the Cisco AMP service name:

powershell.exe Start-Service CiscoAMP_7.2.7

Note

To get the name of the service check for a Service name that starts with CiscoAMP_.

Note

The Service name and Display name will both change based on the version number installed.

6.5.1.2. Linux

Start agent in RHEL/CentOS versions 6 and below:

initctl start cisco-amp

Start agent in RHEL/CentOS versions 7 and above:

systemctl start cisco-amp

6.5.1.3. MacOS

Start agent with the following command:

launchctl load /Library/LaunchDaemons/com.cisco.amp.daemon.plist

6.5.2. Stopping Agents

6.5.2.1. Windows

Find the directory path for sfc.exe, %AMP_InstallDir%\%VERSION%, by checking the image path of the Cisco AMP for Endpoints service. The service name will be CiscoAMP_%VERSION% and the image path will be %AMP_InstallDir%\%VERSION%\sfc.exe. To stop the agent run the following command:

sfc.exe -k <PASSWORD>

Note

The <PASSWORD> parameter is only required if a Connector Protection Password is configured.

6.5.2.2. Linux

Stop agent in RHEL/CentOS versions 6 and below:

initctl stop cisco-amp

Stop agent in RHEL/CentOS versions 7 and above:

systemctl stop cisco-amp

6.5.2.3. MacOS

Stop agent with the following command:

launchctl unload /Library/LaunchDaemons/com.cisco.amp.daemon.plist

6.6. Troubleshooting

6.6.1. Support Tools

The AMP Support Tool creates a snapshot of system and AMP settings, including AMP logs, to be used by Cisco support to help diagnose issues with an AMP deployment. You should only need to run this tool at the request of Cisco Support.

Note

The -o argument in the following commands specifies the directory where the support snapshot will be saved.

6.6.1.1. Windows

Find the directory path for ipsupporttool.exe, %AMP_InstallDir%\%VERSION%, by checking the image path of the Cisco AMP for Endpoints service. The service name will be CiscoAMP_%VERSION% and the image path will be %AMP_InstallDir%\%VERSION%\sfc.exe. Then run the following command:

"C:\Program Files\Cisco\AMP\7.2.7\ipsupporttool.exe" -o "<DesiredOutputDirectory>"

6.6.1.2. Linux

Run the following command:

"/opt/cisco/amp/bin/ampsupport" -o "<DesiredOutputDirectory>"

6.6.1.3. MacOS

Run the following command:

"/Library/Application Support/Cisco/AMP for Endpoints Connector/SupportTool" -o "<DesiredOutputDirectory>"

6.6.2. Reboot Required

To check whether AMP requires a Windows client to reboot, look for the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Immunet Protect\Reboot. Reboot Windows machines that have a pending reboot caused by AMP for Endpoints. Pending reboots can be caused by an upgrade or an uninstallation.

6.6.3. Enable Debug Logging

Note

Debug logging will automatically turn off after the next policy update.

6.6.3.1. Windows

Find the directory path for sfc.exe, %AMP_InstallDir%\%VERSION%, by checking the image path of the Cisco AMP for Endpoints service. The service name will be CiscoAMP_%VERSION% and the image path will be %AMP_InstallDir%\%VERSION%\sfc.exe. To enable logging run the following command:

sfc.exe -l start

6.6.3.2. Linux

To enable logging run the following command:

echo "debuglevel 1" | /opt/cisco/amp/bin/ampcli

6.6.3.3. MacOS

To enable logging run the following command:

echo "debuglevel 1" | /opt/cisco/amp/ampcli

6.6.4. Clear Cache

6.6.4.1. Windows

Find the directory path for sfc.exe, %AMP_InstallDir%\%VERSION%, by checking the image path of the Cisco AMP for Endpoints service. The service name will be CiscoAMP_%VERSION% and the image path will be %AMP_InstallDir%\%VERSION%\sfc.exe. To clear the cache run the following commands:

Note

You can get the Cisco AMP install directory by checking the registry key value of HKEY_LOCAL_MACHINE\SOFTWARE\Immunet Protect\InstallDir.

Note

The <PASSWORD> parameter is only required if a Connector Protection Password is configured.

Note

To get the name of the service check for a Service name that starts with CiscoAMP_.

sfc.exe -k <PASSWORD>
del "C:\Program Files\Cisco\AMP\cache.db"
del "C:\Program Files\Cisco\AMP\nfm_cache.db"
del "C:\Program Files\Cisco\AMP\nfm_url_file_map.db"
del "C:\Program Files\Cisco\AMP\event.db"
del "C:\Program Files\Cisco\AMP\jobs.db"
del "C:\Program Files\Cisco\AMP\history.db"
del "C:\Program Files\Cisco\AMP\historyex.db"
powershell.exe Start-Service <ServiceNameOfCiscoAMP>

6.6.4.2. Linux

To clear cache in RHEL/CentOS versions 6 and below use the following commands:

initctl stop cisco-amp
rm -f "/opt/cisco/amp/etc/cloud_query.cache"
rm -f "/opt/cisco/amp/etc/cloud_nfm_query.cache"
rm -f "/opt/cisco/amp/etc/events.db"
initctl start cisco-amp

To clear cache in RHEL/CentOS versions 7 and above use the following commands:

systemctl stop cisco-amp
rm -f "/opt/cisco/amp/etc/cloud_query.cache"
rm -f "/opt/cisco/amp/etc/cloud_nfm_query.cache"
rm -f "/opt/cisco/amp/etc/events.db"
systemctl start cisco-amp

6.6.4.3. MacOS

To clear cache in MacOS run the following commands:

launchctl unload /Library/LaunchDaemons/com.cisco.amp.daemon.plist
rm -f "/Library/Application Support/Cisco/AMP for Endpoints Connector/cloud_query.cache"
rm -f "/Library/Application Support/Cisco/AMP for Endpoints Connector/cloud_nfm_query.cache"
rm -f "/Library/Application Support/Cisco/AMP for Endpoints Connector/events.db"
launchctl load /Library/LaunchDaemons/com.cisco.amp.daemon.plist