FireAMP Private Cloud Deployment Strategy Version 2.0

Upload: trannhi

Post on 13-Apr-2018


Page 1: FireAMP Private Cloud Deployment Strategyimmunet-janus-helpdoc.s3.amazonaws.com/FireAMPPrivateCloud... · FireAMP Private Cloud Deployment Strategy Version 2.0. Legal Notices Cisco,

FireAMP Private Cloud Deployment Strategy

Version 2.0


Legal Notices

Cisco, the Cisco logo, Sourcefire, the Sourcefire logo, Snort, the Snort and Pig logo, and certain other trademarks and logos are trademarks or registered trademarks of Cisco and/or its affiliates in the United States and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company.

The legal notices, disclaimers, terms of use, and other information contained herein (the "terms") apply only to the information discussed in this documentation (the "Documentation") and your use of it. These terms do not apply to or govern the use of websites controlled by Cisco or its subsidiaries (collectively, "Cisco") or any Sourcefire-provided or Cisco-provided products. Sourcefire and Cisco products are available for purchase and subject to a separate license agreement and/or terms of use containing very different terms and conditions.

The copyright in the Documentation is owned by Cisco and is protected by copyright and other intellectual property laws of the United States and other countries. You may use, print out, save on a retrieval system, and otherwise copy and distribute the Documentation solely for non-commercial use, provided that you (i) do not modify the Documentation in any way and (ii) always include Cisco’s copyright, trademark, and other proprietary notices, as well as a link to, or print out of, the full contents of this page and its terms.

No part of the Documentation may be used in a compilation or otherwise incorporated into another work or with or into any other documentation or user manuals, or be used to create derivative works, without the express prior written permission of Cisco. Cisco reserves the right to change the terms at any time, and your continued use of the Documentation shall be deemed an acceptance of those terms.

© 2004 - 2013 Cisco and/or its affiliates. All rights reserved.

Disclaimers

THE DOCUMENTATION AND ANY INFORMATION AVAILABLE FROM IT MAY INCLUDE INACCURACIES OR TYPOGRAPHICAL ERRORS. CISCO MAY CHANGE THE DOCUMENTATION FROM TIME TO TIME. CISCO MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE ACCURACY OR SUITABILITY OF ANY CISCO-CONTROLLED WEBSITE, THE DOCUMENTATION AND/OR ANY PRODUCT INFORMATION. CISCO-CONTROLLED WEBSITES, THE DOCUMENTATION AND ALL PRODUCT INFORMATION ARE PROVIDED "AS IS" AND CISCO DISCLAIMS ANY AND ALL EXPRESS AND IMPLIED WARRANTIES, INCLUDING BUT NOT LIMITED TO WARRANTIES OF TITLE AND THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL CISCO BE LIABLE TO YOU FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, PUNITIVE, OR CONSEQUENTIAL DAMAGES (INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, LOSS OF DATA, LOSS OF PROFITS, AND/OR BUSINESS INTERRUPTIONS), ARISING OUT OF OR IN ANY WAY RELATED TO CISCO-CONTROLLED WEBSITES OR THE DOCUMENTATION, NO MATTER HOW CAUSED AND/OR WHETHER BASED ON CONTRACT, STRICT LIABILITY, NEGLIGENCE OR OTHER TORTUOUS ACTIVITY, OR ANY OTHER THEORY OF LIABILITY, EVEN IF CISCO IS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. BECAUSE SOME STATES/JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATIONS MAY NOT APPLY TO YOU.

2015-Jul-21 11:32


Chapter 1: Setup
• System requirements
  • Demo Mode
  • Production Mode
  • Browser requirements
• Demo Install
• Production Install
  • Before you begin
  • OVA Import
  • Configuration

Chapter 2: Planning
• System requirements and supported operating systems
• Incompatible software and configurations
• Gather information about endpoint security
• Create exclusions for FireAMP in other security products
  • Creating Exclusions in McAfee Products
  • Creating Exclusions in Symantec Products
  • Creating Exclusions in Microsoft Security Essentials
• Gather information about custom apps
• Gather information about proxy servers
• Check firewall rules
• Selecting computers for evaluation deployment

Chapter 3: Portal Configuration
• Create exclusions
• Create outbreak control lists
• Create policies
• Create groups
• Create whitelist from gold master
• Download installer

Chapter 4: Deploying the FireAMP Connector
• Command line switches
  • Installer exit codes
• Deployment
  • Microsoft System Center Configuration Manager

Version 2.0 Sourcefire FireAMP Deployment Strategy 1


Chapter 5: Troubleshooting
• Initial Configuration Failure
• Performance
• Outlook performance
• Copy, move, or execute events not in Device Trajectory
• Network events not in Device Trajectory
• Policy not updating
• Simple Custom Detections
• Custom Whitelists
• Application Blocking
• Contacting Support

Appendix A: Subscription Agreement


CHAPTER 1: SETUP

This section will walk you through the steps to install a FireAMP Private Cloud device. Before installing the Private Cloud device, familiarize yourself with the system requirements and other prerequisites.

System requirements

VMWare Workstation and Fusion only support FireAMP Private Cloud demo installs. A full production installation requires vSphere ESX. Therefore, the system requirements for Workstation and Fusion only reflect the requirements for demo mode, while the requirements for vSphere ESX are for a production install.

Demo Mode

VMWare Workstation 9 or higher

• Dual core processor

• 16 GB RAM

• 238 GB free disk space

VMWare Fusion 5 or higher

• Dual core processor

• 16 GB RAM

• 238 GB free disk space


Production Mode

Production mode is only supported on vSphere ESX hosts.

Proxy Mode

vSphere ESX 5 or higher

• 8 CPUs

• 32 GB RAM

• 238 GB free disk space

• RAID Type: RAID 10 (striped mirror)

• Number of RAID groups: 1

• Number of drives per RAID group: 4

• Total number of drives: 4 (SSD recommended)

• Drive capacity: 120 GB

• Capacity of a single RAID group: 240 GB

• Reads: 100,000 4K IOPS

• Writes: 90,000 4K IOPS

Air Gap Mode

vSphere ESX 5 or higher

• 8 CPUs

• 128 GB RAM

• 1 TB free disk space

• RAID Type: RAID 10 (striped mirror)

• Number of RAID groups: 1

• Number of drives per RAID group: 8

• Total number of drives: 8 (SSD required)

• Drive capacity: 250 GB

• Capacity of a single RAID group: 1000 GB

• Reads: 100,000 4K IOPS

• Writes: 90,000 4K IOPS

Browser requirements

To access the Sourcefire FireAMP portal and FireAMP Console your browser must support WebSockets and JavaScript. The following browsers are supported:

• Microsoft Internet Explorer 9 or higher

• Mozilla Firefox 14 or higher


• Apple Safari 6 or higher

• Google Chrome 20 or higher

Demo Install

This section will guide you through installing FireAMP Private Cloud in Demo mode. Demo mode can be installed on VMWare ESXi as well as Workstation and Fusion. Demo mode is a scaled-back version of FireAMP Private Cloud that allows you to test and demonstrate the product on a laptop or workstation. Demo mode can run on VMware Fusion and Workstation using NAT or Bridged networking. Host-only networking cannot be used with the Sourcefire FireAMP device. You will need to configure your VM to use 4 CPU cores, 32 GB of RAM, and 1 TB of disk space to install the OVA.

1. Import the Sourcefire FireAMP Deployment Strategy OVA file into VMWare.

In VMWare Workstation select File > Open and choose the OVA you downloaded. In VMWare Fusion select File > Import and choose the OVA file you downloaded. In VMWare vSphere select File > Deploy OVF Template and choose the OVA file you downloaded.

2. Once you have imported the OVA file you will need to power it on to complete the installation.

3. When the startup is complete the device console will show the URL of the Sourcefire FireAMP Administration Portal and a temporary password.

Open a browser and navigate to the URL for the Administration Portal where you will be prompted for a password. Enter the temporary password and click the Login button.


4. You will then be prompted to change the password for the Administration Portal. Enter your new password then click Change Password.

5. Read and accept the end-user license agreement to continue with the configuration.

6. Next you can choose whether to perform a new installation of FireAMP Private Cloud or restore your device from backup. Choose Clean Installation by clicking the Start button below it.

If you are restoring the device select the location of the backup file you want to use. Select Local, Remote, or Upload depending on where your backup file is located, then provide the location. Click Start once you have provided the backup file.

7. Select whether to install your Private Cloud device in cloud proxy or air gap mode. If the Private Cloud device will not have a connection to the Internet and you want to manually download and install updates choose air gap mode.

WARNING! To switch between air gap and cloud proxy modes after installation is complete you will have to back up, reinstall, and restore your Private Cloud device.

8. You will then be prompted to choose between a Demo or Production installation type. Click on the Next button below Demo to proceed.

WARNING! You should only choose Demo mode to test FireAMP Private Cloud. Demo mode is not intended to support multiple endpoints in production environments.


9. On the License page, upload the license file you received for your demo install and enter the accompanying passphrase.

10. On the FireAMP Console Account page you must enter information for the first user account on your FireAMP Console. This will be the account used to log into the FireAMP Console once the Sourcefire FireAMP Deployment Strategy installation is complete.

11. (Cloud proxy mode only) On the Cloud Server page you can select the upstream server for your device to communicate with. You can choose North America, Europe, or a custom upstream server. The custom upstream server must be another Private Cloud device. Next choose whether you want your device to use TCP 443 or 32137 to communicate with the upstream server. If you choose TCP 443 you can also select whether the device validates SSL certificates or not.


12. (Air gap mode only) If you selected air gap mode you will be prompted to download the update ISO creator script. You will use this script on an Internet-connected computer to download device and content updates that will be transferred to your Private Cloud device running in air gap mode.

13. Enter the email addresses you want to receive alert notifications for the Sourcefire FireAMP device. You can use email aliases or specify multiple addresses using a comma separated list. These notifications are not the same as FireAMP Console subscriptions. Select the frequency for critical and regular notifications. Click Next.

14. Enter the addresses of one or more NTP servers you want to use for time synchronization. You can use internal or external NTP servers and specify more than one using a comma or space delimited list. Synchronize the time with your browser or run amp-ctl ntpdate from the device console to force an immediate time synchronization with your NTP servers.

15. You must download and verify a backup of your configuration before proceeding with the install. Click the Download button to save the backup to your local computer. Once the file has been downloaded, click Choose File to upload the backup file and verify that it is not corrupt. Click Next to verify the file and proceed.

16. Review your Sourcefire FireAMP settings before beginning the installation. If you edit any settings you will have to download a new backup file with the new settings and verify it. Once you are satisfied with your configuration settings click Start Installation.

17. When the installation has completed you will receive a message to reboot the Sourcefire FireAMP device. Click the Reboot button. When the device has finished rebooting you will be taken to the Sourcefire FireAMP Administration Portal landing page.

Now that the configuration and installation of the device is complete you can launch the FireAMP Console from the Administration Portal. Use the account you created in step 10 to log into the FireAMP Console.


Production Install

A production install of Sourcefire FireAMP can only be performed on a VMware ESXi server using vSphere. You will need to configure your VM to use 8 CPU cores, 128 GB of RAM, and 1 TB of disk space to install the OVA. This section will guide you through installing Sourcefire FireAMP in Production mode.

Before you begin

Production mode requires certain infrastructure to be in place before beginning the installation.

1. NTP server

You will need to allow your Sourcefire FireAMP device to access a Network Time Protocol (NTP) server. The NTP server can be external or within your network.

2. DNS

Two DNS names will need to be created for your Sourcefire FireAMP device interfaces. One of these names will resolve to the FireAMP Console interface and the other will resolve to the Cloud Server interface.

3. Static IP addresses

The Sourcefire FireAMP device requires two static IP addresses for its network interfaces. Alternatively, you can reserve IP addresses in DHCP for the MAC addresses of the interfaces.

4. SMTP

If you plan to set up notifications to use an email relay you will need to have the information for the SMTP server you plan to use including authentication information if required.

5. Firewall and Proxy configuration

In addition to access to any of the above services that you configure (NTP, DNS, SMTP), you will need to allow access from the Private Cloud device to the upstream server on either TCP port 32137 or 443. You will also need to allow access from the computers you plan to deploy the FireAMP Connectors on to the Private Cloud device on either TCP port 32137 or 443. If you use a proxy server you will need to have the proxy hostname, port, and authentication information available.
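The DNS, static address and firewall prerequisites above can be checked from a computer that will run a FireAMP Connector once the device is up. The following is an added example, not part of the original guide: it confirms that each device DNS name resolves to the address you reserved for it and that TCP 443 or 32137 is reachable. The host names and addresses in the `__main__` section are hypothetical placeholders.

```python
#!/usr/bin/env python3
"""Pre-flight check for the DNS, static-address and TCP prerequisites above."""
import socket

# The guide allows either of these TCP ports between Connectors, the Private
# Cloud device and the upstream server.
ALLOWED_PORTS = (443, 32137)


def resolve(name):
    """Return the sorted addresses a name resolves to, or [] if it does not."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_open(host, port, timeout=3.0):
    """Return True if a TCP handshake to host:port completes in time."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, filtered (timeout), unresolvable
        return False


def check_interface(name, expected_ip, ports=ALLOWED_PORTS, timeout=3.0):
    """Check one device interface: DNS name, reserved address, open port."""
    addresses = resolve(name)
    open_ports = [p for p in ports if addresses and tcp_open(name, p, timeout)]
    # A name that resolves to anything other than the reserved address points
    # at a stale record or an interface whose DHCP lease has moved.
    matches = addresses == [expected_ip]
    return {
        "name": name,
        "addresses": addresses,
        "address_matches": matches,
        "open_ports": open_ports,
        "ok": matches and bool(open_ports),
    }


def preflight(interfaces, ports=ALLOWED_PORTS, timeout=3.0):
    """Check every interface; the device needs one address per interface."""
    results = [check_interface(n, ip, ports, timeout)
               for n, ip in interfaces.items()]
    distinct = len(set(interfaces.values())) == len(interfaces)
    return results, distinct and all(r["ok"] for r in results)


if __name__ == "__main__":
    # Hypothetical names and addresses: replace with the two DNS names and the
    # two static (or DHCP-reserved) addresses created for your device.
    INTERFACES = {
        "amp-console.example": "192.0.2.10",
        "amp-cloud.example": "192.0.2.11",
    }
    results, ok = preflight(INTERFACES)
    for r in results:
        print(f"{r['name']}: resolves to {r['addresses'] or 'nothing'}, "
              f"matches reservation: {r['address_matches']}, "
              f"open ports: {r['open_ports'] or 'none'}")
    raise SystemExit(0 if ok else 1)
```

A non-zero exit status means at least one name did not resolve to its reserved address, no allowed port answered, or both interfaces were given the same address.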

OVA Import

1. From vSphere select File > Deploy OVF Template.

2. Browse for the location of your Sourcefire FireAMP OVA then click Next.

3. Verify that the OVA has a valid signature from Cisco and click Next.


4. Supply the name for your device and specify the install location in your inventory and click Next.

5. Select the host or cluster where you want to install your device.

6. For the disk format choose Thick Provision Lazy Zeroed.

7. Choose the appropriate network mapping for your device and click Next.

8. Review your configuration options and click Finish.

9. You can increase drive space for your device after the virtual machine has been imported. Right-click the device in vSphere and click Edit Settings. Consult your virtual machine software manual for details on adding additional hard disks.

Configuration

10. Once your installation is complete open your device console from vSphere and power it on.


11. Select Config Network from the console menu. You will be asked if you want to configure your interface through DHCP.

If you are using a reserved address through DHCP select Yes. When you are asked to reconfigure the interface with DHCP select Yes.

If you have assigned a static IP address to the device select No. You will then have to enter the IP address, network mask, and default gateway information for the device. Select Ok when you have entered the correct information. You will then be prompted to reconfigure the administration interface with these settings.

IMPORTANT! It is highly recommended that the Sourcefire FireAMP administration interface be placed on a separate, secure network that is not publicly accessible.

12. Open a browser and navigate to the IP address displayed on the device console that you set in the previous step. If you have assigned a DNS name to that interface, you can also navigate to it using that name.

13. You will be prompted to enter a password to log in. Enter the temporary password displayed in the device console and click the Login button.


14. You will then be prompted to change the password for the Administration Portal. Enter your new password then click Change Password.

15. Read and accept the end-user license agreement to continue with the configuration.

16. Next you can choose whether to perform a new installation of FireAMP Private Cloud or restore your device from backup. Choose Clean Installation by clicking the Start button below it.

If you are restoring the device select the location of the backup file you want to use. Select Local, Remote, or Upload depending on where your backup file is located, then provide the location. Click Start once you have provided the backup file.

17. Select whether to install your Private Cloud device in cloud proxy or air gap mode. If the Private Cloud device will not have a connection to the Internet and you want to manually download and install updates choose air gap mode.

WARNING! To switch between air gap and cloud proxy modes after installation is complete you will have to back up, reinstall, and restore your Private Cloud device.

18. You will then be prompted to choose between a Demo or Production installation type. Click on the Next button below Production to proceed.


19. On the License page, upload the license file you received for your device and enter the accompanying passphrase. Click Next to continue.

20. On the FireAMP Console Account page you must enter information for the first user account on your FireAMP Console. The Business Name is populated from your license file. This will be the account used to log into the FireAMP Console once the Sourcefire FireAMP Deployment Strategy installation is complete.


21. On the Storage page specify the amount of disk space to allocate for event storage. Use the sliders to specify how many Connectors you plan on installing and the number of Days of History you want to keep for them. The number of Connectors is prepopulated from your license file.

IMPORTANT! The Days of History you keep will directly affect Events, Indications of Compromise, Threat Root Cause, and Device and File Trajectory. Not keeping enough history will limit the usefulness of these tools.

If you meet the disk space requirements for the Connectors and Days of History click Next. Otherwise you will have to ignore the recommendations, modify your backup schedule to keep fewer backups, or grow your storage containers to add more disk space. See the online help for information on growing storage containers.

WARNING! Ignoring storage recommendations can cause your device to run out of disk space.

22. Configure your network interface by selecting whether to use DHCP or Static addresses. If you select Static you will have to enter the IP address, subnet mask, gateway, and DNS servers in the appropriate fields.

Next enter the DNS names you have assigned to the Cloud Server and FireAMP Console. It is recommended that you leave the Validate DNS Name boxes checked so the device can make sure the addresses can be resolved.

WARNING! You should never configure your device to use DHCP unless you have created MAC address reservations for the interfaces. If the IP addresses of your interfaces change this can cause serious problems with your deployed FireAMP Connectors.

If you want to connect a Defense Center you can enter its hostname. See the FireAMP Private Cloud User Guide for more details on setting up a Defense Center connection.


23. (Cloud proxy mode only) On the Cloud Server page you can select the upstream server for your device to communicate with. You can choose North America, Europe, or a custom upstream server. The custom upstream server must be another Private Cloud device. Next choose whether you want your device to use TCP 443 or 32137 to communicate with the upstream server. If you choose TCP 443 you can also select whether the device validates SSL certificates or not.

(Air gap mode only) Download the amp-sync tool and copy it to an Internet-connected computer. This script allows you to download updates and build an ISO file that can be transferred to your Private Cloud device. For detailed instructions on running amp-sync see the FireAMP Private Cloud User Guide.

24. Enter the email addresses you want to receive alert notifications for the Sourcefire FireAMP device. You can use email aliases or specify multiple addresses using a comma separated list. These notifications are not the same as FireAMP Console subscriptions. Select the frequency for critical and regular notifications. Click Next.

25. Enter the addresses of one or more NTP servers you want to use for time synchronization. You can use internal or external NTP servers and specify more than one using a comma or space delimited list. Synchronize the time with your browser or run amp-ctl ntpdate from the device console to force an immediate time synchronization with your NTP servers.

26. You must download and verify a backup of your configuration before proceeding with the install. Click the Download button to save the backup to your local computer. Once the file has been downloaded, click Choose File to upload the backup file and verify that it is not corrupt. Click Next to verify the file and proceed.

27. Review your Sourcefire FireAMP settings before beginning the installation. If you edit any settings you will have to download a new backup file with the new settings and verify it. Once you are satisfied with your configuration settings click Start Installation.

28. When the installation has completed you will receive a message to reboot the Sourcefire FireAMP device. Click the Reboot button. When the device has finished rebooting you will be taken to the Sourcefire FireAMP Administration Portal landing page.


Now that the configuration and installation of the device is complete you can launch the FireAMP Console from the Administration Portal. Use the account you created in step 20 to log into the FireAMP Console.


Deployment Strategy

CHAPTER 2: PLANNING

This document will guide you through best practices to deploy FireAMP for the first time. Following this strategy will increase your chances of a successful FireAMP deployment and evaluation.

Before deployment you should gather as much information as possible about the environment to reduce post-install troubleshooting. To have an effective roll out of the FireAMP Connector for Windows, you must first identify your environment. To do that you must answer the following questions:

• How many computers is the FireAMP Connector for Windows being installed on?

• Which operating systems are the computers running?

• What are the hardware specifications for the computers?

• Do the operating systems and specifications meet the minimum requirements for the FireAMP Connector for Windows?

• Which applications are installed on the computers?

• Which custom applications or not widely deployed applications are installed on the computers?

• Do the computers connect to the Internet through a proxy?

• Will the FireAMP Connector be deployed on any Windows servers?

• What tool is being used to push software out to the endpoints?

• What security products (AV, HIDS, etc.) are installed on the computers?

• Do you want your users to see the FireAMP Connector user interface, desktop icon, program group and/or right-click menu?


Once you identify the environment you’re working with then you can apply your first best practice of identifying candidates for an Alpha release. The best way to choose your candidates for Alpha is to choose a combination of three computers per operating system, three computers per custom application, three computers per proxy server, one computer per security product, and one computer per department. Your Alpha release should probably contain a cross-section of approximately 100 computers.

System requirements and supported operating systems

The following are the minimum system requirements for the FireAMP Connector based on the operating system. Operating systems not listed here are not currently supported. The FireAMP Connector supports both 32-bit and 64-bit versions of these operating systems.

Microsoft Windows XP with Service Pack 3 or later

• 500 MHz or faster processor

• 256 MB RAM

• 150 MB available hard disk space - Cloud-only mode

• 1GB available hard disk space - TETRA

Microsoft Windows Vista

• 1 GHz or faster processor

• 512 MB RAM

• 150 MB available hard disk space - Cloud-only mode

• 1GB available hard disk space - TETRA

Microsoft Windows 7

• 1 GHz or faster processor

• 1 GB RAM

• 150 MB available hard disk space - Cloud-only mode

• 1GB available hard disk space - TETRA

Microsoft Windows 8 (requires FireAMP Connector 3.1.4 or later)

• 1 GHz or faster processor

• 512 MB RAM

• 150 MB available hard disk space - Cloud-only mode

• 1GB available hard disk space - TETRA

Microsoft Windows Server 2003

• 1 GHz or faster processor

• 512 MB RAM

• 150 MB available hard disk space - Cloud-only mode


• 1GB available hard disk space - TETRA

Microsoft Windows Server 2008

• 2 GHz or faster processor

• 2 GB RAM

• 150 MB available hard disk space – Cloud only mode

• 1GB available hard disk space – TETRA

Incompatible software and configurations

The FireAMP Connector is currently not compatible with the following software:

• ZoneAlarm by Check Point

• Carbon Black

• Res Software AppGuard

The FireAMP Connector does not currently support the following proxy configurations:

• Websense NTLM credential caching. The currently supported workaround for FireAMP is either to disable NTLM credential caching in Websense or allow the FireAMP Connector to bypass proxy authentication through the use of authentication exceptions.

• HTTPS content inspection. The currently supported workaround is either to disable HTTPS content inspection or set up exclusions for the FireAMP Connector.

• Kerberos / GSSAPI authentication. The currently supported workaround is to use either Basic or NTLM authentication.

Gather information about endpoint security

Conflicts can arise when multiple security applications are running on a single computer. To prevent conflicts between applications you will need to create exclusions for FireAMP in other security apps and exclude the security apps from FireAMP.

First, find out how many security applications are installed. Do different groups in the organization use different products? Find out the install, update, data, and quarantine path for each security product installed and make a note of it.

Next, decide on the install path for the FireAMP Connector. By default this is C:\Program Files\Sourcefire. You will need to exclude the FireAMP Connector directory from the other security applications, particularly antivirus products.


Create exclusions for FireAMP in other security products

Creating Exclusions in McAfee Products

ePolicy Orchestrator 4.6

1. Log in to ePolicy Orchestrator.

2. Select Policy > Policy Catalog from the Menu.

3. Select the appropriate version of VirusScan Enterprise from the Product pulldown.

4. Edit your On-Access High-Risk Processes Policies.

5. Select the Exclusions tab and click the Add button.

6. In the By Pattern field enter the path to your FireAMP Connector install (C:\Program Files\Sourcefire by default) and check the Also exclude subfolders box.

7. Click OK.

8. Click Save.

9. Edit your On-Access Low-Risk Processes Policies.

10. Repeat steps 5 through 8 for this policy.

VirusScan Enterprise 8.8

1. Open the VirusScan Console.

2. Select On-Access Scanner Properties from the Task menu.

3. Select All Processes from the left pane.

4. Select the Exclusions tab.

5. Click the Exclusions button.

6. On the Set Exclusions dialog click the Add button.

7. Click the Browse button and select your FireAMP Connector install directory (C:\Program Files\Sourcefire by default) and check the Also exclude subfolders box.

8. Click OK.

9. Click OK on the Set Exclusions dialog.

10. Click OK on the On-Access Scanner Properties dialog.


Creating Exclusions in Symantec Products

Managed Symantec Enterprise Protection 12.1

1. Log into Symantec Endpoint Protection Manager.

2. Click Policies in the left pane.

3. Select the Exceptions entry under the Policies list.

4. You can either add a new Exceptions Policy or edit an existing one.

5. Click Exceptions once you have opened the policy.

6. Click the Add button, select Windows Exceptions from the list and choose Folder from the submenu.

7. In the Add Security Risk Folder Exception dialog choose [PROGRAM_FILES] from the Prefix variable dropdown menu and enter Sourcefire in the Folder field. Ensure that Include subfolders is checked.

8. Under Specify the type of scan that excludes this folder menu select All.

9. Click OK.

10. Make sure that this Exception is used by all computers in your organization with the FireAMP Connector installed.

Unmanaged Symantec Enterprise Protection 12.1

1. Open SEP and click on Change Settings in the left pane.

2. Click Configure Settings next to the Exceptions entry.

3. Click the Add button on the Exceptions dialog.

4. Select Folders from the Security Risk Exception submenu.

5. Select your FireAMP Connector installation folder (C:\Program Files\Sourcefire\FireAMP by default) from the dialog and click OK.

6. Click the Add button on the Exceptions dialog.

7. Select Folder from the SONAR Exception submenu.

8. Select your FireAMP Connector installation folder (C:\Program Files\Sourcefire\FireAMP by default) from the dialog and click OK.

9. Click the Close button.

Creating Exclusions in Microsoft Security Essentials

1. Open Microsoft Security Essentials and click on the Settings tab.

2. Select Excluded files and locations in the left pane.


3. Click the Browse button and navigate to your FireAMP Connector installation folder (C:\Program Files\Sourcefire\FireAMP by default) and click OK.

4. Click the Add button then click Save changes.

5. Select Excluded processes in the left pane.

6. Click the Browse button and navigate to the sfc.exe or agent.exe file (C:\Program Files\Sourcefire\FireAMP\x.x.x\sfc.exe by default where x.x.x is the FireAMP Connector version number) and click OK.

7. Click the Add button then click Save changes.

IMPORTANT! Because the process exclusions in Microsoft Security Essentials require a specific path to the sfc.exe file you will need to update this exclusion whenever you upgrade to a new version of the FireAMP Connector.

Gather information about custom apps

Custom applications can present a problem for initial deployment. Most widely-used applications have already been marked as clean files in the FireAMP Cloud and tested with the FireAMP Connector. Custom applications are less likely to have this benefit, so extra precautions need to be taken with them. Find out if there are any custom or legacy applications running and the install path for each one and make a note of it. If only certain groups of users have the application installed, note which users they are. If the custom application has separate information stores, note the file path of those as well.

If possible, use a program like md5deep to calculate the SHA-256 value of the custom application’s executable files.

Gather information about proxy servers

If the computers in the organization use a proxy server to connect to the Internet you will need to gather some information about it including:

• Proxy host name

• Proxy port

• Type of proxy

• User name and password for authentication (if required)

• PAC file URL if they are used

• Whether the proxy server is used for DNS resolution

• If the proxy server will allow communications via TCP port 32137


Check firewall rules

To allow your FireAMP Connectors to communicate with your Private Cloud device, you will need to allow access through any firewalls between the Connectors and the Cloud Proxy interface of the Private Cloud device. Refer to your FireAMP Private Cloud device configuration for the host name and port used for the Cloud Server and FireAMP interface.

• Endpoint IOC downloads - https://endpoint-ioc-prod-us.s3.amazonaws.com

• Endpoint IOC Downloads - https://endpoint-ioc-prod-eu.s3.amazonaws.com

Selecting computers for evaluation deployment

Instead of installing the FireAMP Connector on a single computer, select a representative cross section of different users. If different operating systems and application sets are in use, try to deploy on at least one of each image type.


CHAPTER 3 PORTAL CONFIGURATION

Before deploying FireAMP Connectors there are tasks to complete in the FireAMP portal based on the information you gathered.

Create exclusions

To prevent conflicts between the FireAMP Connector and antivirus or other security software, you must create exclusions so that the Connector doesn’t scan your antivirus directory and your antivirus doesn’t scan the Connector directory. Scanning each other's directories can create problems if antivirus signatures contain strings that the Connector sees as malicious, or can cause issues with quarantined files.

The first step is to create an exclusion by navigating to Management > Exclusions in the FireAMP console.


Click on Create Exclusion Set to create a new list of exclusions. Enter a name for the list - for example, Desktop Exclusions - and click Create.

Next click Add Exclusion to add an exclusion to your list.

You will then be prompted to enter a path for the exclusion. Enter the CSIDL of the security products you have installed on your endpoints then click Create.

Repeat this procedure for each path associated with your security applications. More information about CSIDLs can be found here. Common CSIDLs are:

Symantec Endpoint Protection:

• CSIDL_COMMON_APPDATA\Symantec

• CSIDL_PROGRAM_FILES\Symantec\Symantec Endpoint Protection

• CSIDL_PROGRAM_FILESX86\Symantec\Symantec Endpoint Protection

McAfee VirusScan Enterprise:

• CSIDL_COMMON_APPDATA\VSE

• CSIDL_PROGRAM_FILES\VSE


Trend Micro

• CSIDL_PROGRAM_FILES\Trend Micro

• CSIDL_PROGRAM_FILESX86\Trend Micro

Microsoft Forefront

• CSIDL_PROGRAM_FILES\Microsoft Forefront

• CSIDL_PROGRAM_FILESX86\Microsoft Forefront

Microsoft Security Client

• CSIDL_PROGRAM_FILES\Microsoft Security Client

• CSIDL_PROGRAM_FILESX86\Microsoft Security Client

Sophos

• CSIDL_PROGRAM_FILES\Sophos

• CSIDL_PROGRAM_FILESX86\Sophos

Splunk:

• CSIDL_PROGRAM_FILES\Splunk

IMPORTANT! CSIDLs are case sensitive.
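Because CSIDLs are case sensitive, a hand-typed exclusion can silently fail to match. The following added example (not part of the original guide or of FireAMP) lints a list of exclusion entries before they are entered in the console. The function name, the sample entries and the check for a missing subfolder are this example's own, and the list of known CSIDLs is limited to the prefixes this guide uses.

```python
# CSIDL prefixes used in this guide's exclusion examples. Whether the console
# accepts other CSIDLs is not stated there, so others are flagged for review.
KNOWN_CSIDLS = ("CSIDL_COMMON_APPDATA", "CSIDL_PROGRAM_FILES",
                "CSIDL_PROGRAM_FILESX86")

# Constructed sample input, not taken from a real deployment.
SAMPLE = [
    r"CSIDL_COMMON_APPDATA\Symantec",
    r"CSIDL_PROGRAM_FILESx86\Symantec\Symantec Endpoint Protection",
    r"CSIDL_Program_Files\Sophos",
    r"CSIDL_PROGRAM_FILES",
    r"CSIDL_COMMON_APPDATA\Symantec",
    r"CSIDL_SYSTEM\drivers",
]


def lint_exclusions(paths):
    """Return a list of (entry_number, message) for suspicious exclusions."""
    findings = []
    seen = {}
    for number, raw in enumerate(paths, start=1):
        path = raw.strip()
        if path != raw:
            findings.append((number, "leading or trailing whitespace"))

        prefix, _, folder = path.partition("\\")
        if prefix in KNOWN_CSIDLS:
            pass  # exact, case-correct match
        elif prefix.upper() in KNOWN_CSIDLS:
            findings.append(
                (number, f"CSIDLs are case sensitive: use {prefix.upper()}"))
        elif prefix.upper().startswith("CSIDL_"):
            findings.append(
                (number, f"{prefix} is not a CSIDL used in the guide; verify it"))
        else:
            findings.append((number, "no CSIDL prefix"))

        # Added check: a bare CSIDL would exclude the entire base folder,
        # which is far wider than one security product's directory.
        if not folder.strip("\\"):
            findings.append(
                (number, "no subfolder: excludes the whole base folder"))

        # Duplicates are compared case-insensitively, as Windows paths are.
        key = path.rstrip("\\").lower()
        if key in seen:
            findings.append((number, f"duplicate of entry {seen[key]}"))
        else:
            seen[key] = number
    return findings


if __name__ == "__main__":
    for number, message in lint_exclusions(SAMPLE):
        print(f"entry {number}: {message}")
```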

Next create an exclusion set for your servers and another one for your Active Directory domain controllers. Make sure to exclude any security products as you did in your desktop exclusions above and also create exclusions based on your server roles (Active Directory, file server, DHCP, etc.) and installed software (Exchange, SQL, IIS, etc.). Microsoft has compiled a list of links to exclusions for their server products at http://social.technet.microsoft.com/wiki/contents/articles/953.microsoft-anti-virus-exclusion-list.aspx.

Create outbreak control lists

During the early stages of deployment you may encounter previously unseen malware on computers as well as false-positive detection of custom applications. To make sure the FireAMP Connector deals with these properly, you will want to create a Simple Custom Detection list and a Custom Whitelist to associate with your policies.

To create a Simple Custom Detection list, go to Outbreak Control > Simple. Click Create to create a new Simple Custom Detection, name it Quick SCD (or a name that you prefer), and click on Save.

To create a Custom Whitelist, go to Outbreak Control > Whitelisting. Next click Create to create a new Custom Whitelist, name it Quick WL (or a name that you prefer), and click Save.


Create policies

For initial deployment we recommend you go to Management > Groups and create the following policies with specific configurations:

Audit Only

This policy puts the FireAMP Connector in a mode that will only detect malicious files but not quarantine them. Malicious network traffic is also detected but not blocked.

• This policy uses all the default policy settings but with the File > Modes > File Conviction Mode set to Audit.

• The proxy server information gathered previously should be entered under General > Proxy Settings.

• Associate the exclusion set you previously created with this policy.

• Associate the Quick SCD list you created with this policy.

• Associate the Quick WL list you created with this policy.

Protect

This is the standard policy for the FireAMP Connector that will quarantine malicious files and block malicious network connections. Once you have become familiar with the way the FireAMP Connector behaves you can tweak this policy to your own preferences.

• This policy uses all the default policy settings.

• The proxy server information gathered previously should be entered under General > Proxy Settings.

• Associate the exclusion set you previously created with this policy.

• Associate the Quick SCD list you created with this policy.

• Associate the Quick WL list you created with this policy.

Triage

This is an aggressive policy that enables the offline engine to scan computers that are suspected or known to be infected with malware.

• This policy uses all the default policy settings but with the File > Engines > Offline Engine set to TETRA and with Network > Device Flow Correlation (DFC) > Detection Action set to Block.

• The proxy server information gathered previously should be entered under General > Proxy Settings.

• Associate the exclusion set you previously created with this policy.

• Associate the Quick SCD list you created with this policy.

• Associate the Quick WL list you created with this policy.


Server

This is a lightweight policy for high availability computers and servers that require maximum performance and uptime.

• This policy uses all the default policy settings but with the File > Modes > File Conviction Mode set to Audit.

• If your servers are running Windows 2008 you must make sure that File > Engines > Offline Engine is set to Disabled.

WARNING! When installing the FireAMP Connector on a server you must also use the /skiptetra command line switch along with this policy setting.

• If your servers host services or applications that require a large number of network connections (SMB, SQL, Exchange, etc.) it is recommended that Network > Device Flow Correlation (DFC) > Enable DFC be unchecked.

WARNING! When installing the FireAMP Connector on a server you must also use the /skipdfc command line switch along with this policy setting.

• The proxy server information gathered previously should be entered under General > Proxy Settings.

• Associate the server exclusion set you previously created with this policy.

• Associate the Quick SCD list you created with this policy.

• Associate the Quick WL list you created with this policy.

Domain Controller

This is a lightweight policy for use on Active Directory Domain Controllers.

• This policy uses all the default policy settings but with the File > Modes > File Conviction Mode set to Audit.

• Because of authentication traffic from your network it is recommended that Network > Device Flow Correlation (DFC) > Enable DFC be unchecked.

WARNING! When installing the FireAMP Connector on a domain controller you must also use the /skipdfc command line switch along with this policy setting.


• If your servers are running Windows 2008 you must make sure that File > Engines > Offline Engine is set to Disabled.

WARNING! When installing the FireAMP Connector on a domain controller you must also use the /skiptetra command line switch along with this policy setting.

• The proxy server information gathered previously should be entered under General > Proxy Settings.

• Associate the domain controller exclusion set you previously created with this policy.

• Associate the Quick SCD list you created with this policy.

• Associate the Quick WL list you created with this policy.

IMPORTANT! If you have computers in multiple geographic locations using different proxy servers you will need to create the above policies for each location, for example Audit Only NYC and Audit Only London.

Create groups

Now that you have created the initial policies for your deployment you need to create groups to associate the policies with. Go to Management > Groups and create the following groups:

Audit Only

• Associate this group with the Audit Only policy.

• This should be the first group that the workstations in your deployment belong to so that you can root out any false positive detections without the files being quarantined.

• You can also use the Audit Only group as a performance group for computers that require higher availability or perform intensive tasks like rendering graphics.

Protect

• Associate this group with the Protect policy.

• Once you are satisfied with the performance of the computers in your Audit Only group, you can move them to the Protect group for normal operation of the FireAMP Connector so that malicious files are quarantined and network threats are blocked.


Triage

• Associate this group with the Triage policy.

• Any computers with existing infections or computers you suspect of being heavily infected should be moved to the Triage group since this group has more aggressive malware scanning enabled.

Server

• Associate this group with the Server policy.

• All of your servers other than Active Directory domain controllers should be in this group.

Domain Controller

• Associate this group with the Domain Controller policy.

• All of your Active Directory domain controllers should be in this group.

IMPORTANT! If you created multiple policies for different geographic locations in the previous section, you will need to create multiple groups for each location as well, for example Protect NYC and Protect London.

Create whitelist from gold master

If you have a gold master image available it is advisable to use it to whitelist applications. You can use a tool like md5deep to generate SHA-256 values for all the applications and add them to your Quick WL whitelist.

Download installer

Now that you have created your policies and associated them with groups you can begin deploying the FireAMP Connector to the computers you identified in the information gathering stage. Go to Management > Deployment > Download and download a redistributable installer for the Audit Only, Triage, Servers, and Domain Controllers groups.

All of your average user computers should initially use the Audit Only installer. This will allow you to make sure that all of the necessary applications have been whitelisted and proper exclusions were created. Any detections will still trigger alerts in the FireAMP console but nothing will be quarantined or blocked. This ensures that a false positive detection does not disrupt regular operations. If you see a false positive detection, add the application in question to your whitelist. Once you are satisfied with the performance of the FireAMP Connector you can move computers from the Audit Only group into the Protect group. The Protect group has the same policy settings as the Audit Only group, except that malicious files will be quarantined and connections to malicious websites will be blocked.

Only use the Domain Controllers installer on your Active Directory domain controller servers. The policy for this group includes exclusions that are specific to servers that run directory services for your tree.

Use the Servers installer on all your other servers, such as file, SQL, and Exchange servers.


CHAPTER 4 DEPLOYING THE FIREAMP CONNECTOR

Now you are ready to begin deploying the FireAMP Connector to your evaluation computers.

Command line switches

Administrators who have their own deployment software can use command line switches to automate the deployment. Here is a list of available switches:

• /S - Used to put the installer into silent mode.

IMPORTANT! This must be specified as the first parameter.

• /desktopicon 0 - A desktop icon for the Connector will not be created.

• /desktopicon 1 - A desktop icon for the Connector will be created.

• /startmenu 0 - Start Menu shortcuts are not created.

• /startmenu 1 - Start Menu shortcuts are created.

• /contextmenu 0 - Disables Scan Now from the right-click context menu.

• /contextmenu 1 - Enables Scan Now in the right-click context menu.

• /remove 0 - Uninstalls the Connector but leaves files behind useful for reinstalling later.

• /remove 1 - Uninstalls the Connector and removes all associated files.


• /uninstallpassword [Connector Protection Password] – Allows you to uninstall the Connector when you have Connector Protection enabled in your policy. You must supply the Connector Protection password with this switch.

• /skipdfc 1 - Skip installation of the DFC driver.

WARNING! Any Connectors installed using this flag must be in a group with a policy that has Network > Device Flow Correlation (DFC) > Enable DFC unchecked.

• /skiptetra 1 - Skip installation of the TETRA driver.

WARNING! Any Connectors installed using this flag must be in a group with a policy that has File > Engines > Offline Engine set to Disabled.

• /D=[PATH] - Specifies the directory to install into. For example /D=C:\tmp will install into C:\tmp.

IMPORTANT! This must be specified as the last parameter.

Running the command line installer without specifying any switches is equivalent to /desktopicon 0 /startmenu 1 /contextmenu 1 /skipdfc 0 /skiptetra 0.

Installer exit codes

Administrators who use the command line switches to install the FireAMP Connector should be aware of the exit codes. They can be found in immpro_install.log in the %TEMP% folder.

• 0 – Success.

• 1500 – Installer already running.

• 1618 – Another installation is already in progress.

• 1633 – Unsupported platform (i.e. installing 32 on 64 and vice versa).

• 1638 – This version or newer version of product already exists.

• 1801 – Invalid install path.

• 3010 – Success (Reboot required – will only be used on upgrade).

• 16001 – Your trial install has expired.

• 16002 – A reboot is pending on the user’s computer that must be completed before installing.

• 16003 – Unsupported operating system (i.e. XP SP2, Win2000).

• 16004 – Invalid user permissions (not running as admin).
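The switch ordering rules, the /skipdfc and /skiptetra policy warnings and the exit codes above can be checked before an installer line is pasted into a deployment tool. This added example (not from the guide or from Cisco) lints an install command line and groups the exit codes. The function names and the success/present/retry/failed grouping are assumptions of the example, and the command is expected to start with the installer file name.

```python
import re

# Value each toggle takes when omitted, per the guide's "equivalent to" line.
DEFAULTS = {"desktopicon": 0, "startmenu": 1, "contextmenu": 1,
            "skipdfc": 0, "skiptetra": 0}
UNINSTALL_ONLY = ("/remove", "/uninstallpassword")

# Exit codes from the guide. The success/present/retry/failed grouping is an
# assumption of this example about how a deployment job might react.
EXIT_CODES = {
    0: ("success", "Success"),
    1500: ("retry", "Installer already running"),
    1618: ("retry", "Another installation is already in progress"),
    1633: ("failed", "Unsupported platform (32-bit/64-bit mismatch)"),
    1638: ("present", "This or a newer version is already installed"),
    1801: ("failed", "Invalid install path"),
    3010: ("success", "Success, reboot required (upgrade only)"),
    16001: ("failed", "Trial install has expired"),
    16002: ("retry", "A pending reboot must complete before installing"),
    16003: ("failed", "Unsupported operating system"),
    16004: ("failed", "Invalid user permissions (not running as admin)"),
}


def lint_install_command(cmdline, dfc_enabled, offline_engine_enabled,
                         server=False):
    """Check '<installer> <switches>' against the guide's rules.

    dfc_enabled and offline_engine_enabled describe the policy of the group
    the installer was downloaded for. Returns (settings, problems).
    """
    problems = []
    cmdline = cmdline.strip()
    first_switch = re.search(r"\s(?=/)", cmdline)
    switches = cmdline[first_switch.end():] if first_switch else ""

    # /D= consumes the rest of the line (paths may contain spaces), so split
    # it off before tokenising. A switch after it means /D= was not last.
    head, _, install_dir = switches.partition("/D=")
    trailing = re.search(r"\s/\w+", install_dir)
    if trailing:
        problems.append("/D= must be the last parameter")
        head += install_dir[trailing.start():]
        install_dir = install_dir[:trailing.start()]

    settings = dict(DEFAULTS, silent=False, install_dir=install_dir or None)
    tokens = head.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == "/S":
            settings["silent"] = True
            if i != 0:
                problems.append("/S must be the first parameter")
        elif tok in UNINSTALL_ONLY:
            problems.append(f"{tok} is an uninstall switch")
            i += 1  # skip its value
        elif tok.startswith("/") and tok[1:] in DEFAULTS:
            if nxt in ("0", "1"):
                settings[tok[1:]] = int(nxt)
                i += 1
            else:
                problems.append(f"{tok} needs a value of 0 or 1")
        else:
            problems.append(f"unrecognised parameter {tok}")
        i += 1

    # The guide's WARNINGs: a skipped driver must match the group policy.
    if settings["skipdfc"] and dfc_enabled:
        problems.append("/skipdfc 1 requires a policy with Enable DFC unchecked")
    if settings["skiptetra"] and offline_engine_enabled:
        problems.append("/skiptetra 1 requires Offline Engine set to Disabled")
    # On servers and domain controllers the switch must accompany the setting.
    if server and not dfc_enabled and not settings["skipdfc"]:
        problems.append("policy disables DFC: install with /skipdfc 1")
    if server and not offline_engine_enabled and not settings["skiptetra"]:
        problems.append("policy disables the offline engine: install with /skiptetra 1")
    return settings, problems


def classify_exit_code(code):
    """Map an installer exit code to (category, description)."""
    return EXIT_CODES.get(code, ("failed", "Exit code not listed in the guide"))
```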


Deployment

The FireAMP Connector can be deployed through email using the email deployment option under Management > Email in the FireAMP Console. You can also download the installer from Management > Download and make the file available on a file share, use login scripts to install it, or distribute it using enterprise software deployment tools.

Microsoft System Center Configuration Manager

To install the FireAMP Connector using Microsoft System Center Configuration Manager (SCCM) you will first need to download the redistributable installer for each of your groups.

1. Go to Management > Download and select one of your groups, make sure to check the Create Redistributable Installer box, then click Download. The downloaded file will include the name of the group to make it easily identifiable, for example Protect-FireAMPSetup.exe.

2. Create a FireAMP folder in the shared source file directory on your SCCM server and copy the installer files to that folder.

3. Next, open your Configuration Manager Console and navigate to Software Library > Overview > Application Management > Applications and click Create Application.

4. On the first screen of the Create Application Wizard, select “Manually specify the application information” and click Next.


5. Enter identifying information for your application package. If you plan to deploy multiple group versions of the FireAMP Connector it is a good idea to use the group name to easily differentiate them in your software library. When you have entered the necessary information, click Next.


6. Enter the information available to your users in the Application Catalog. When you have entered the necessary information, click Next.

7. On the Deployment Types screen click the Add button to launch the Create Deployment Type wizard.

8. Select “Manually specify the deployment type information” and click Next.


9. Enter the application name and select languages then click Next.


10. Enter the path to the installer files you downloaded for each of your groups in the Content location field. Enter the name of your executable installer file along with any command line switches you want to use in the Installation program field. You can also specify the Uninstall program and path (C:\Program Files\Sourcefire\FireAMP\3.1.4\uninstall.exe by default). Click Next to continue.

11. Click Add Clause on the Detection Method screen.


12. Select File System as the Setting Type, then File as the Type. Enter the path to where you plan on installing the FireAMP Connector on your endpoints (C:\Program Files\Sourcefire\FireAMP\3.1.4 by default), then enter sfc.exe in the File or folder name field. Click OK, then click Next on the Detection Method page.

13. Select Install for system as the Installation behavior and Only when a user is logged on for the Logon requirement. Select the Installation program visibility setting you want, then check Allow users to view and interact with the program installation. Click Next.

14. You can choose to specify any installation requirements or simply click Next on the Requirements screen.

15. Click Next on the Dependencies screen.

16. Review your settings on the Summary screen and if you are satisfied click Next.

17. Once the wizard has completed successfully click Close to return to the Create Application Wizard. Click Next.

18. Review your settings on the Summary screen and if you are satisfied click Next.

19. Once the wizard has completed successfully click Close.

Your application will now be listed in the Software Library. Deploy the content to your Deployment Point and select whether to deploy it to Users and Groups or Devices.

CHAPTER 5 TROUBLESHOOTING

This section describes some issues that may arise after the FireAMP Connector is installed and the steps to remediate them.

Initial Configuration Failure

Under rare circumstances the initial configuration of your FireAMP Private Cloud device may fail. If this occurs you will need to delete the Private Cloud device from your virtual machine console and import the OVA again. If the initial configuration fails again, contact Support.

Performance

FireAMP uses a filter driver to identify file copies, moves, and executes. This may cause additional file latency in some applications that have high I/O, such as databases. To reduce latency you may need to determine what should be excluded from FireAMP:

1. Identify where the application files exist.

2. Determine where the data files are being used.

3. Exclude both of those locations.

4. If there are still issues with the given application, turn on debug logging in the policy for the FireAMP Connector.

5. Use the logs to determine any temporary files being used.

Another helpful tip is that if you download the latest version of sqlite3 (http://www.sqlite.org/download.html), you can use that to query the history and see files that are continuously being written to, for example:

sqlite3.exe "C:\Program Files\Sourcefire\fireAMP\history.db"
SQLite version 3.7.16.2 2013-04-12 11:52:43
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> .headers on
sqlite> select filename, count(filename) from history group by filename order by count(filename) desc limit 10;
filename|count(filename)
\\?\C:\WINDOWS\Tasks\User_Feed_Synchronization-{A1489466-0BD4-42D2-A8B6-864FEA527577}.job|1706
\\?\C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\Internet Explorer Suggested Sites~.feed-ms|341
\\?\C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-839522115-1229272821-725345543-500UA.job|222
...

The above data identifies some exclusions that may be worth implementing:

FilePath: CSIDL_WINDOWS\Tasks

FileExtension: *.feed-ms
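
The per-file counts above still have to be rolled up by hand into folder and extension exclusions. The following added example (not part of the original guide and not Cisco or Sourcefire code) generalizes the query by aggregating the same history table by directory and by extension; the function names are hypothetical, the table and column names are the ones used in the query above, and the sample rows are constructed.

```python
import sqlite3
from collections import defaultdict
from ntpath import dirname, splitext  # Windows path rules on any OS

LONG_PATH_PREFIX = "\\\\?\\"  # the \\?\ prefix seen in the history output

# Constructed sample data: (filename, number of history rows). The counts are
# modelled on the query output above; the file names are made up.
SAMPLE = [
    (r"\\?\C:\WINDOWS\Tasks\FeedSync-example.job", 1706),
    (r"\\?\C:\WINDOWS\Tasks\UpdaterTask-example.job", 222),
    (r"\\?\C:\Users\alice\AppData\Local\Microsoft\Feeds\Sites~.feed-ms", 341),
    (r"\\?\C:\Users\alice\Documents\report.docx", 3),
    (r"\\?\C:\Users\alice\Downloads\setup.exe", 1),
]


def build_sample_db(sample=SAMPLE):
    """Create an in-memory table with the one column the query above uses."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE history (filename TEXT)")
    for name, count in sample:
        conn.executemany("INSERT INTO history (filename) VALUES (?)",
                         [(name,)] * count)
    conn.commit()
    return conn


def exclusion_candidates(conn, min_events=100):
    """Roll per-file event counts up to directories and extensions.

    Returns (kind, value, events, distinct_files) tuples, busiest first,
    for every directory or extension with at least min_events rows.
    """
    totals = defaultdict(lambda: [0, 0])  # key -> [events, distinct files]
    query = "SELECT filename, COUNT(filename) FROM history GROUP BY filename"
    for filename, events in conn.execute(query):
        path = filename
        if path.startswith(LONG_PATH_PREFIX):
            path = path[len(LONG_PATH_PREFIX):]
        keys = [("FilePath", dirname(path).lower())]
        ext = splitext(path)[1].lower()
        if ext:
            keys.append(("FileExtension", "*" + ext))
        for key in keys:
            totals[key][0] += events
            totals[key][1] += 1
    rows = [(kind, value, ev, files)
            for (kind, value), (ev, files) in totals.items()
            if ev >= min_events]
    # Busiest first; ties broken by kind and value for stable output.
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))


if __name__ == "__main__":
    for kind, value, events, files in exclusion_candidates(build_sample_db()):
        print(f"{kind}: {value}  events={events} files={files}")
```

The distinct-file count shows whether a busy folder or extension is driven by one file or by many, which helps in choosing the narrowest exclusion that removes the latency.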

Outlook performance

If you notice slow performance in Outlook with the FireAMP Connector installed, this may be from the high I/O on the .pst or .ost file. In this case, it is best to create an exclusion for all .pst and .ost files in the FireAMP Console. Go to Management > Exclusions and click Edit for the exclusion set you want. Click Add Exclusion and select File Extension from the Exclusion type drop down menu. Enter .pst in the field and click Create. Repeat this for the .ost file extension if you use Outlook with an Exchange server.

Copy, move, or execute events not in Device Trajectory

The copy, move, and execute events come up to the Connector through the Immunet Protect driver. Then the Connector passes this information off to the cloud servers to decide whether a file is malicious. Then the cloud server will load it into a database that Device Trajectory reads from. Therefore to troubleshoot what is going on:

1. Check if the driver is installed properly. If you run fltmc instances from the command line as an administrator, it will list the installed drivers and the drives each one is bound to. What you want to see is the ImmunetProtectDriver bound to all of the local hard drives (i.e. C:\, E:\, etc.).

2. Check to see if the policy has Monitor File Copies and Moves and Monitor Process Execution enabled under File > Modes. Without these enabled, we will not monitor these file operations.

3. Check to see if you can connect to the cloud.

4. In your policy, set General > Administrative Features > Connector Log Level to Debug to make sure that you are getting disp=1 or disp=3 in your logs. A disp=4 means the Connector failed to look up the file in the cloud. That could be because of an unsupported file type or another reason.

5. If you’re connected to the cloud and seeing the dispositions of 1 or 3 coming back from the cloud, then take a support diagnostic and attach it along with your external IP address to a support case.

Network events not in Device Trajectory

The network information is picked up by the DFC driver and sent to the FireAMP Connector. The Connector passes this information off to the cloud server to see whether or not that connection is malicious. In order to troubleshoot what is going on:

1. Check to see if the policy has “Enable DFC” on.

2. Set the “Connector Log Level” to Debug and check whether you can see events that list the IP and port information.

IMPORTANT! FireAMP only monitors the first 100 connections after process execution. Therefore you need to make sure that you execute a new process after you start the FireAMP Connector. Internet Explorer will re-use processes for each new tab whereas Chrome will start a new process upon tab creation.

Policy not updating

When a Connector fails to receive policy updates the most common causes are network connectivity or proxy configuration. If the proxy settings in the policy were misconfigured then most often you will have to uninstall the FireAMP Connector, reboot the computer, fix the proxy settings in the policy, download the FireAMP Connector installer again, then reinstall it. However, if you already have one computer installed in a group (you can move a computer into that group just for this purpose), then you can:

1. Go to Management > Policies.

2. Find the policy you’re looking for and click on it (DO NOT click Edit) so that you see the preview on the right hand side and click the Download Policy XML File button. Once the XML file has been downloaded:

• Stop the FireAMP Connector by running net stop immunetprotect from a command prompt as an administrator.

• In the install folder (C:\Program Files\Sourcefire\FireAMP\), rename the existing policy.xml to policy.xml.bak

• Copy the policy.xml that you downloaded to that folder and rename it policy.xml

• Start the FireAMP Connector by running net start immunetprotect from a command prompt as an administrator.

• Open the policy.xml in the file you downloaded and note the serial number.

• Change something on the policy in the portal then click Sync Policy in the FireAMP Connector Settings screen. Wait approximately 2 minutes then check to see if the serial number has changed.

Simple Custom Detections

Simple Custom Detections allow you to manually blacklist files for detection. If File > Modes > File Conviction Mode is set to Audit, you’ll just be notified of the detection, but if it’s set to Quarantine, the file will be quarantined. The most common issue is that you found a file, copied it onto your machine, added it to a Simple Custom Detection, and then can’t understand why it’s not being detected. There could be a few reasons:

1. The file is being excluded. Compare the path you’re running from with the path in your exclusions listed in the policy.xml. Don’t forget to look at file extension exclusions as well.

2. The file is signed with a Microsoft or Verisign Class 3 certificate. Right-click on the file and look at the properties. Check to see if there is a Digital Signature associated with it and who the issuer is. If it is Verisign and you’re sure it’s malware, upload it to VirusTotal and then contact Support.

3. The file is not associated with the correct policy. Make sure the SHA-256 for the file is in the correct Simple Custom Detection list. Make sure that Simple Custom Detection list is associated with the policy that the Connector is using.

4. The file has been cached. This is by far the most common issue. When you copied it onto your computer, you created a record for it in your cache.db. To remove this:

• Stop the FireAMP Connector by running net stop immunetprotect from a command prompt as an administrator.

• Go to the install directory (C:\Program Files\Sourcefire\FireAMP) and remove the cache.* files.

• Start the FireAMP Connector by running net start immunetprotect from a command prompt as an administrator.

• Now re-copy the file in question and make sure it is detected.

Custom Whitelists

The Custom Whitelist allows you to whitelist a file to avoid detection. This can be done as part of collecting all files from a “Golden Image” or in the case of a false positive. The most common issue here is caching: you previously had the file on your computer and need to clear your cache.db:

1. Stop the FireAMP Connector by running net stop immunetprotect from a command prompt as an administrator.

2. Go to the install directory (C:\Program Files\Sourcefire\FireAMP) and remove the cache.* files.

3. Start the FireAMP Connector by running net start immunetprotect from a command prompt as an administrator.

4. Now re-copy the file you created and make sure it’s not detected.

Another possible issue is that the Custom Whitelist is not associated with the correct policy or that the file SHA-256 is not on that list.

Application Blocking

Application Blocking allows you to stop a file from executing without quarantining the file. If you add a SHA-256 to an Application Blocking list and it still executes, there could be a few reasons why this may occur:

1. The file is being excluded. Compare the path you’re running from with the path in your exclusions listed in the policy.xml. Don’t forget to look at file extension exclusions as well.

2. The file is not associated with the correct policy. Make sure the SHA-256 for the file is in the correct Simple Custom Detection list. Make sure that Simple Custom Detection list is associated with the policy that the Connector is using.

3. The file has been cached. This is by far the most common issue. When you copied it onto your computer, you created a record for it in your cache.db. To remove this:

• Stop the FireAMP Connector by running net stop immunetprotect from a command prompt as an administrator.

• Go to the install directory (C:\Program Files\Sourcefire\FireAMP) and remove the cache.* files.

• Start the FireAMP Connector by running net start immunetprotect from a command prompt as an administrator.

• Now re-copy the file in question and make sure it does not execute.
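
Two of the checks in the Simple Custom Detections and Application Blocking lists above (is the run path covered by an exclusion, and is the file's SHA-256 really on the list) can be done offline before touching the endpoint. This added example is not part of the original guide and is not Cisco or Sourcefire code; the function names, the matching rules (folder prefix, case-insensitive extension) and the CSIDL mapping are assumptions, and the sample file and lists are constructed.

```python
import hashlib
import re
from ntpath import normcase, splitext  # Windows path rules on any OS

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def sha256_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so large samples need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def expand_csidl(entry, csidl_map):
    """Replace a leading CSIDL_ token with the folder it stands for."""
    head, sep, tail = entry.partition("\\")
    if head.upper() in csidl_map:
        return csidl_map[head.upper()] + sep + tail
    return entry


def matching_exclusions(run_path, path_exclusions, ext_exclusions, csidl_map):
    """Return the exclusion entries that cover run_path."""
    target = normcase(run_path)
    hits = []
    for entry in path_exclusions:
        folder = normcase(expand_csidl(entry, csidl_map)).rstrip("\\")
        # Assumption: a path exclusion covers the folder and all below it.
        if target == folder or target.startswith(folder + "\\"):
            hits.append("FilePath: " + entry)
    ext = splitext(target)[1]
    for entry in ext_exclusions:
        # Accept "*.pst", ".pst" and "pst" spellings of the same extension.
        wanted = "." + entry.lower().lstrip("*").lstrip(".")
        if ext and ext == wanted:
            hits.append("FileExtension: " + entry)
    return hits


def triage(sample_file, run_path, hash_list, path_exclusions,
           ext_exclusions, csidl_map):
    """Check list membership and exclusions for one file."""
    entries = [line.strip().lower() for line in hash_list if line.strip()]
    # Entries that are not 64 hex characters (for example an MD5 or SHA-1
    # pasted by mistake) can never match a SHA-256 lookup.
    malformed = [e for e in entries if not SHA256_RE.match(e)]
    digest = sha256_of(sample_file)
    return {
        "sha256": digest,
        "in_list": digest in entries,
        "malformed_entries": malformed,
        "exclusions": matching_exclusions(run_path, path_exclusions,
                                          ext_exclusions, csidl_map),
    }


if __name__ == "__main__":
    import os
    import tempfile
    # Constructed sample file and lists, for demonstration only.
    fd, sample = tempfile.mkstemp()
    os.write(fd, b"constructed sample contents")
    os.close(fd)
    report = triage(
        sample, r"C:\WINDOWS\Tasks\sample.job",
        hash_list=[sha256_of(sample).upper(), "0" * 32],
        path_exclusions=[r"CSIDL_WINDOWS\Tasks"],
        ext_exclusions=["*.feed-ms", ".pst"],
        csidl_map={"CSIDL_WINDOWS": r"C:\WINDOWS"},
    )
    os.remove(sample)
    for key, value in report.items():
        print(key, "=", value)
```

A hit under exclusions or an in_list value of False explains the missed detection without clearing the cache; the signature and cache reasons still have to be checked on the endpoint.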

Contacting Support

If you have not had success with other troubleshooting measures, you may need to contact Support to resolve your issue. In order to speed up turnaround time for your support case it is helpful to provide some information when opening the case.

1. Go to Management > Policies and edit the policy the FireAMP Connector you’re troubleshooting is in.

2. Under General > Administrative Features set Connector Log Level to Debug.

3. On the FireAMP Connector go to Settings and click Sync Policy.

If you installed the Connector using the command line switch to disable the Start Menu items you can force a policy sync by opening a command prompt and entering:

%PROGRAMFILES%\Sourcefire\FireAMP\x.x.x\iptray.exe -f

Where x.x.x is the FireAMP Connector version number.

4. After the policy has synced allow the Connector to run for 5-10 minutes or perform the specific actions that are causing errors.

5. Open the Windows Start Menu and go to FireAMP Connector and click Support Diagnostic Tool. This will create a file on your desktop named Sourcefire_Support_Tool_2013_XX_XX_XX_XX_XX.7z where XX will represent the month, day, and time you ran the tool.

If you installed the Connector using the command line switch to disable the Start Menu items you can run the Support Diagnostic tool by opening a command prompt and entering:

%PROGRAMFILES%\Sourcefire\FireAMP\x.x.x\ipsupporttool.exe

Where x.x.x is the FireAMP Connector version number.

6. If you are having connectivity issues with the FireAMP Connector, take a PCAP of any network activity.

7. Upload the diagnostic file and PCAP to the Sourcefire SSL server at https://uploads.sourcefire.com/uploads/ed14f406d34f0fbd7c1af84fe024bd1d and make sure to note the filenames when contacting support.

8. If the issue is a user interface bug or a problem with the FireAMP Console, take a screenshot of the problem and attach it to the email you send.

9. Contact Support with all relevant information to the issue, the filenames of any files you uploaded, and attach your screenshots if required. Also make sure to include information on the type of proxy and firewall you are using in the case of connectivity issues.

APPENDIX A SUBSCRIPTION AGREEMENT

End User License Agreement

FireAMP Product

IMPORTANT: PLEASE READ THIS END USER LICENSE AGREEMENT CAREFULLY.

IT IS VERY IMPORTANT THAT YOU CHECK THAT YOU ARE PURCHASING CISCO SOFTWARE OR EQUIPMENT FROM AN APPROVED SOURCE AND THAT YOU, OR THE ENTITY YOU REPRESENT (COLLECTIVELY, THE “CUSTOMER”) HAVE BEEN REGISTERED AS THE END USER FOR THE PURPOSES OF THIS CISCO END USER LICENSE AGREEMENT. IF YOU ARE NOT REGISTERED AS THE END USER YOU HAVE NO LICENSE TO USE THE SOFTWARE AND THE LIMITED WARRANTY IN THIS END USER LICENSE AGREEMENT DOES NOT APPLY. ASSUMING YOU HAVE PURCHASED FROM AN APPROVED SOURCE, DOWNLOADING, INSTALLING OR USING CISCO OR CISCO-SUPPLIED SOFTWARE CONSTITUTES ACCEPTANCE OF THIS AGREEMENT.

CISCO SYSTEMS, INC. OR ITS SUBSIDIARY LICENSING THE SOFTWARE INSTEAD OF CISCO SYSTEMS, INC. (“CISCO”) IS WILLING TO LICENSE THIS SOFTWARE TO YOU ONLY UPON THE CONDITION THAT YOU PURCHASED THE SOFTWARE FROM AN APPROVED SOURCE AND THAT YOU ACCEPT ALL OF THE TERMS CONTAINED IN THIS END USER LICENSE AGREEMENT PLUS ANY ADDITIONAL LIMITATIONS ON THE LICENSE SET FORTH IN A SUPPLEMENTAL LICENSE AGREEMENT ACCOMPANYING THE PRODUCT OR AVAILABLE AT THE TIME OF YOUR ORDER (COLLECTIVELY THE “AGREEMENT”). TO THE EXTENT OF ANY CONFLICT BETWEEN THE TERMS OF THIS END USER LICENSE AGREEMENT AND ANY SUPPLEMENTAL LICENSE AGREEMENT, THE SUPPLEMENTAL LICENSE AGREEMENT SHALL
APPLY. BY DOWNLOADING, INSTALLING, OR USING THE SOFTWARE, YOU ARE REPRESENTING THAT YOU PURCHASED THE SOFTWARE FROM AN APPROVED SOURCE AND BINDING YOURSELF TO THE AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THE AGREEMENT, THEN CISCO IS UNWILLING TO LICENSE THE SOFTWARE TO YOU AND (A) YOU MAY NOT DOWNLOAD, INSTALL OR USE THE SOFTWARE, AND (B) YOU MAY RETURN THE SOFTWARE (INCLUDING ANY UNOPENED CD PACKAGE AND ANY WRITTEN MATERIALS) FOR A FULL REFUND, OR, IF THE SOFTWARE AND WRITTEN MATERIALS ARE SUPPLIED AS PART OF ANOTHER PRODUCT, YOU MAY RETURN THE ENTIRE PRODUCT FOR A FULL REFUND. YOUR RIGHT TO RETURN AND REFUND EXPIRES 30 DAYS AFTER PURCHASE FROM AN APPROVED SOURCE, AND APPLIES ONLY IF YOU ARE THE ORIGINAL AND REGISTERED END USER PURCHASER. FOR THE PURPOSES OF THIS END USER LICENSE AGREEMENT, AN "APPROVED SOURCE" MEANS (A) CISCO; OR (B) A DISTRIBUTOR OR SYSTEMS INTEGRATOR AUTHORIZED BY CISCO TO DISTRIBUTE / SELL CISCO EQUIPMENT, SOFTWARE AND SERVICES WITHIN YOUR TERRITORY TO END USERS; OR (C) A RESELLER AUTHORIZED BY ANY SUCH DISTRIBUTOR OR SYSTEMS INTEGRATOR IN ACCORDANCE WITH THE TERMS OF THE DISTRIBUTOR'S AGREEMENT WITH CISCO TO DISTRIBUTE / SELL THE CISCO EQUIPMENT, SOFTWARE AND SERVICES WITHIN YOUR TERRITORY TO END USERS.

THE FOLLOWING TERMS OF THE AGREEMENT GOVERN CUSTOMER'S USE OF THE SOFTWARE (DEFINED BELOW), EXCEPT TO THE EXTENT: (A) THERE IS A SEPARATE SIGNED CONTRACT BETWEEN CUSTOMER AND CISCO GOVERNING CUSTOMER'S USE OF THE SOFTWARE, OR (B) THE SOFTWARE INCLUDES A SEPARATE “CLICK-ACCEPT” LICENSE AGREEMENT OR THIRD PARTY LICENSE AGREEMENT AS PART OF THE INSTALLATION OR DOWNLOAD PROCESS GOVERNING CUSTOMER'S USE OF THE SOFTWARE. TO THE EXTENT OF A CONFLICT BETWEEN THE PROVISIONS OF THE FOREGOING DOCUMENTS, THE ORDER OF PRECEDENCE SHALL BE (1) THE SIGNED CONTRACT, (2) THE CLICK-ACCEPT AGREEMENT OR THIRD PARTY LICENSE AGREEMENT, AND (3) THE AGREEMENT. FOR PURPOSES OF THE AGREEMENT, “SOFTWARE” SHALL MEAN COMPUTER PROGRAMS, INCLUDING FIRMWARE AND COMPUTER PROGRAMS EMBEDDED IN CISCO EQUIPMENT, AS PROVIDED TO CUSTOMER BY AN APPROVED SOURCE, AND ANY UPGRADES, UPDATES, BUG FIXES OR MODIFIED VERSIONS THERETO (COLLECTIVELY, “UPGRADES”), ANY OF THE SAME WHICH HAS BEEN RELICENSED UNDER THE CISCO SOFTWARE TRANSFER AND RE-LICENSING POLICY (AS MAY BE AMENDED BY CISCO FROM TIME TO TIME) OR BACKUP COPIES OF ANY OF THE FOREGOING.

License.

Conditioned upon compliance with the terms and conditions of the Agreement, Cisco grants to Customer a nonexclusive and nontransferable license to use for Customer's internal business purposes the Software and the Documentation for which Customer has paid the required license fees to an Approved Source. “Documentation” means written information (whether contained in user or
technical manuals, training materials, specifications or otherwise) pertaining to the Software and made available by an Approved Source with the Software in any manner (including on CD-Rom, or on-line). In order to use the Software, Customer may be required to input a registration number or product authorization key and register Customer's copy of the Software online at Cisco's website to obtain the necessary license key or license file. Customer's license to use the Software shall be limited to, and Customer shall not use the Software in excess of, a single hardware chassis or card or such other limitations as are set forth in the applicable Supplemental License Agreement or in the applicable purchase order which has been accepted by an Approved Source and for which Customer has paid to an Approved Source the required license fee (the “Purchase Order”). Unless otherwise expressly provided in the Documentation or any applicable Supplemental License Agreement, Customer shall use the Software solely as embedded in, for execution on, or (where the applicable Documentation permits installation on non-Cisco equipment) for communication with Cisco equipment owned or leased by Customer and used for Customer's internal business purposes. No other licenses are granted by implication, estoppel or otherwise.

For evaluation or beta copies for which Cisco does not charge a license fee, the above requirement to pay license fees does not apply.

General Limitations.

This is a license, not a transfer of title, to the Software and Documentation, and Cisco retains ownership of all copies of the Software and Documentation. Customer acknowledges that the Software and Documentation contain trade secrets of Cisco or its suppliers or licensors, including but not limited to the specific internal design and structure of individual programs and associated interface information. Except as otherwise expressly provided under the Agreement, Customer shall only use the Software in connection with the use of Cisco equipment purchased by the Customer from an Approved Source and Customer shall have no right, and Customer specifically agrees not to:

(i) transfer, assign or sublicense its license rights to any other person or entity (other than in compliance with any Cisco relicensing/transfer policy then in force), or use the Software on Cisco equipment not purchased by the Customer from an Approved Source or on secondhand Cisco equipment, and Customer acknowledges that any attempted transfer, assignment, sublicense or use shall be void;

(ii) make error corrections to or otherwise modify or adapt the Software or create derivative works based upon the Software, or permit third parties to do the same;

(iii) reverse engineer or decompile, decrypt, disassemble or otherwise reduce the Software to human-readable form, except to the extent otherwise expressly permitted under applicable law notwithstanding this restriction or except to the extent that Cisco is legally required to permit such specific activity pursuant to any applicable open source license;

(iv) publish any results of benchmark tests run on the Software;

(v) use or permit the Software to be used to perform services for third parties, whether on a service bureau or time sharing basis or otherwise, without the express written authorization of Cisco; or

(vi) disclose, provide, or otherwise make available trade secrets contained within the Software and Documentation in any form to any third party without the prior written consent of Cisco. Customer shall implement reasonable security measures to protect such trade secrets. To the extent required by applicable law, and at Customer's written request, Cisco shall provide Customer with the interface information needed to achieve interoperability between the Software and another independently created program, on payment of Cisco's applicable fee, if any. Customer shall observe strict obligations of confidentiality with respect to such information and shall use such information in compliance with any applicable terms and conditions upon which Cisco makes such information available.

Software, Upgrades and Additional Copies.

NOTWITHSTANDING ANY OTHER PROVISION OF THE AGREEMENT: (1) CUSTOMER HAS NO LICENSE OR RIGHT TO MAKE OR USE ANY ADDITIONAL COPIES OR UPGRADES UNLESS CUSTOMER, AT THE TIME OF MAKING OR ACQUIRING SUCH COPY OR UPGRADE, ALREADY HOLDS A VALID LICENSE TO THE ORIGINAL SOFTWARE AND HAS PAID THE APPLICABLE FEE TO AN APPROVED SOURCE FOR THE UPGRADE OR ADDITIONAL COPIES; (2) USE OF UPGRADES IS LIMITED TO CISCO EQUIPMENT SUPPLIED BY AN APPROVED SOURCE FOR WHICH CUSTOMER IS THE ORIGINAL END USER PURCHASER OR LESSEE OR OTHERWISE HOLDS A VALID LICENSE TO USE THE SOFTWARE WHICH IS BEING UPGRADED; AND (3) THE MAKING AND USE OF ADDITIONAL COPIES IS LIMITED TO NECESSARY BACKUP PURPOSES ONLY.

Proprietary Notices.

Customer agrees to maintain and reproduce all copyright, proprietary, and other notices on all copies, in any form, of the Software in the same form and manner that such copyright and other proprietary notices are included on the Software. Except as expressly authorized in the Agreement, Customer shall not make any copies or duplicates of any Software without the prior written permission of Cisco. Term and Termination. The Agreement and the license granted herein shall remain effective until terminated. Customer may terminate the Agreement and the license at any time by destroying all copies of Software and any Documentation. Customer's rights under the Agreement will terminate immediately without notice from Cisco if Customer fails to comply with any provision of the Agreement. Upon termination, Customer shall destroy all copies of Software and Documentation in its possession or control. All confidentiality obligations of Customer, all restrictions and limitations imposed on the Customer under the section titled “General Limitations” and all limitations of liability and disclaimers and restrictions of warranty shall survive termination of this Agreement. In addition, the provisions of the sections titled “U.S. Government End User Purchasers” and “General Terms Applicable to the
Limited Warranty Statement and End User License Agreement” shall survive termination of the Agreement.

Customer Records.

Customer grants to Cisco and its independent accountants the right to examine Customer's books, records and accounts during Customer's normal business hours to verify compliance with this Agreement. In the event such audit discloses non-compliance with this Agreement, Customer shall promptly pay to Cisco the appropriate license fees, plus the reasonable cost of conducting the audit. Export, Re-Export, Transfer and Use Controls. The Software, Documentation and technology or direct products thereof (hereafter referred to as Software and Technology), supplied by Cisco under the Agreement are subject to export controls under the laws and regulations of the United States (U.S.) and any other applicable countries' laws and regulations. Customer shall comply with such laws and regulations governing export, re-export, transfer and use of Cisco Software and Technology and will obtain all required U.S. and local authorizations, permits, or licenses. Cisco and Customer each agree to provide the other information, support documents, and assistance as may reasonably be required by the other in connection with securing authorizations or licenses. Information regarding compliance with export, re-export, transfer and use may be located at the following URL: http://www.cisco.com/web/about/doing_business/legal/global_export_trade/general_export/contract_compliance.html.

U.S. Government End User Purchasers.

The Software and Documentation qualify as “commercial items,” as that term is defined at Federal Acquisition Regulation (“FAR”) (48 C.F.R.) 2.101, consisting of “commercial computer software” and “commercial computer software documentation” as such terms are used in FAR 12.212. Consistent with FAR 12.212 and DoD FAR Supp. 227.7202-1 through 227.7202-4, and notwithstanding any other FAR or other contractual clause to the contrary in any agreement into which the Agreement may be incorporated, Customer may provide to Government end user or, if the Agreement is direct, Government end user will acquire, the Software and Documentation with only those rights set forth in the Agreement. Use of either the Software or Documentation or both constitutes agreement by the Government that the Software and Documentation are “commercial computer software” and “commercial computer software documentation,” and constitutes acceptance of the rights and restrictions herein. Identified Components; Additional Terms. The Software may contain or be delivered with one or more components, which may include third-party components, identified by Cisco in the Documentation, readme.txt file, third-party click-accept or elsewhere (e.g. on www.cisco.com) (the “Identified Component(s)”) as being subject to different license agreement terms, disclaimers of warranties, limited warranties or other terms and conditions (collectively, “Additional Terms”) than those set forth herein. You agree to the applicable Additional Terms for any such Identified Component(s).”

Limited Warranty

Subject to the limitations and conditions set forth herein, Cisco warrants that commencing from the date of shipment to Customer (but in case of resale by an Approved Source other than Cisco, commencing not more than ninety (90) days after original shipment by Cisco), and continuing for a period of the longer of (a) ninety (90) days or (b) the warranty period (if any) expressly set forth as applicable specifically to software in the warranty card accompanying the product of which the Software is a part (the “”) (if any): (a) the media on which the Software is furnished will be free of defects in materials and workmanship under normal use; and (b) the Software substantially conforms to the Documentation. The date of shipment of a Product by Cisco is set forth on the packaging material in which the Product is shipped. Except for the foregoing, the Software is provided “AS IS”. This limited warranty extends only to the Software purchased from an Approved Source by a Customer who is the first registered end user. Customer's sole and exclusive remedy and the entire liability of Cisco and its suppliers under this limited warranty will be (i) replacement of defective media and/or (ii) at Cisco's option, repair, replacement, or refund of the purchase price of the Software, in both cases subject to the condition that any error or defect constituting a breach of this limited warranty is reported to the Approved Source supplying the Software to Customer, within the warranty period. Cisco or the Approved Source supplying the Software to Customer may, at its option, require return of the Software and/or Documentation as a condition to the remedy. In no event does Cisco warrant that the Software is error free or that Customer will be able to operate the Software without problems or interruptions. 
In addition, due to the continual development of new techniques for intruding upon and attacking networks, Cisco does not warrant that the Software or any equipment, system or network on which the Software is used will be free of vulnerability to intrusion or attack.

Restrictions. This warranty does not apply if the Software, Product or any other equipment upon which the Software is authorized to be used (a) has been altered, except by Cisco or its authorized representative, (b) has not been installed, operated, repaired, or maintained in accordance with instructions supplied by Cisco, (c) has been subjected to abnormal physical or electrical stress, abnormal environmental conditions, misuse, negligence, or accident; or (d) is licensed for beta, evaluation, testing or demonstration purposes. The Software warranty also does not apply to (e) any temporary Software modules; (f) any Software not posted on Cisco's Software Center; (g) any Software that Cisco expressly provides on an “AS IS” basis on Cisco's Software Center; (h) any Software for which an Approved Source does not receive a license fee; and (i) Software supplied by any third party which is not an Approved Source.

DISCLAIMER OF WARRANTY

EXCEPT AS SPECIFIED IN THIS WARRANTY SECTION, ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, SATISFACTORY QUALITY, NON-INTERFERENCE, ACCURACY OF INFORMATIONAL CONTENT, OR ARISING
FROM A COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW AND ARE EXPRESSLY DISCLAIMED BY CISCO, ITS SUPPLIERS AND LICENSORS. TO THE EXTENT THAT ANY OF THE SAME CANNOT BE EXCLUDED, SUCH IMPLIED CONDITION, REPRESENTATION AND/OR WARRANTY IS LIMITED IN DURATION TO THE EXPRESS WARRANTY PERIOD REFERRED TO IN THE “LIMITED WARRANTY” SECTION ABOVE. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY IN SUCH STATES. THIS WARRANTY GIVES CUSTOMER SPECIFIC LEGAL RIGHTS, AND CUSTOMER MAY ALSO HAVE OTHER RIGHTS WHICH VARY FROM JURISDICTION TO JURISDICTION. This disclaimer and exclusion shall apply even if the express warranty set forth above fails of its essential purpose.

Disclaimer of Liabilities - Limitation of Liability.

IF YOU ACQUIRED THE SOFTWARE IN THE UNITED STATES, LATIN AMERICA, CANADA, JAPAN OR THE CARIBBEAN, NOTWITHSTANDING ANYTHING ELSE IN THE AGREEMENT TO THE CONTRARY, ALL LIABILITY OF CISCO, ITS AFFILIATES, OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, SUPPLIERS AND LICENSORS COLLECTIVELY, TO CUSTOMER, WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), BREACH OF WARRANTY OR OTHERWISE, SHALL NOT EXCEED THE PRICE PAID BY CUSTOMER TO ANY APPROVED SOURCE FOR THE SOFTWARE THAT GAVE RISE TO THE CLAIM OR IF THE SOFTWARE IS PART OF ANOTHER PRODUCT, THE PRICE PAID FOR SUCH OTHER PRODUCT. THIS LIMITATION OF LIABILITY FOR SOFTWARE IS CUMULATIVE AND NOT PER INCIDENT (I.E. THE EXISTENCE OF TWO OR MORE CLAIMS WILL NOT ENLARGE THIS LIMIT).

IF YOU ACQUIRED THE SOFTWARE IN EUROPE, THE MIDDLE EAST, AFRICA, ASIA OR OCEANIA, NOTWITHSTANDING ANYTHING ELSE IN THE AGREEMENT TO THE CONTRARY, ALL LIABILITY OF CISCO, ITS AFFILIATES, OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, SUPPLIERS AND LICENSORS COLLECTIVELY, TO CUSTOMER, WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), BREACH OF WARRANTY OR OTHERWISE, SHALL NOT EXCEED THE PRICE PAID BY CUSTOMER TO CISCO FOR THE SOFTWARE THAT GAVE RISE TO THE CLAIM OR IF THE SOFTWARE IS PART OF ANOTHER PRODUCT, THE PRICE PAID FOR SUCH OTHER PRODUCT. THIS LIMITATION OF LIABILITY FOR SOFTWARE IS CUMULATIVE AND NOT PER INCIDENT (I.E. THE EXISTENCE OF TWO OR MORE CLAIMS WILL NOT ENLARGE THIS LIMIT). NOTHING IN THE AGREEMENT SHALL LIMIT (I) THE LIABILITY OF CISCO, ITS AFFILIATES, OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, SUPPLIERS AND LICENSORS TO CUSTOMER FOR PERSONAL INJURY OR DEATH CAUSED BY THEIR NEGLIGENCE, (II) CISCO'S LIABILITY FOR FRAUDULENT MISREPRESENTATION, OR (III) ANY LIABILITY OF CISCO WHICH CANNOT BE EXCLUDED UNDER APPLICABLE LAW.

Disclaimer of Liabilities - Waiver of Consequential Damages and Other Losses.

IF YOU ACQUIRED THE SOFTWARE IN THE UNITED STATES, LATIN AMERICA, THE CARIBBEAN OR CANADA, REGARDLESS OF WHETHER ANY REMEDY SET FORTH HEREIN FAILS OF ITS ESSENTIAL PURPOSE OR OTHERWISE, IN NO EVENT WILL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY LOST REVENUE, PROFIT, OR LOST OR DAMAGED DATA, BUSINESS INTERRUPTION, LOSS OF CAPITAL, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY OR WHETHER ARISING OUT OF THE USE OF OR INABILITY TO USE SOFTWARE OR OTHERWISE AND EVEN IF CISCO OR ITS SUPPLIERS OR LICENSORS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.

IF YOU ACQUIRED THE SOFTWARE IN JAPAN, EXCEPT FOR LIABILITY ARISING OUT OF OR IN CONNECTION WITH DEATH OR PERSONAL INJURY, FRAUDULENT MISREPRESENTATION, AND REGARDLESS OF WHETHER ANY REMEDY SET FORTH HEREIN FAILS OF ITS ESSENTIAL PURPOSE OR OTHERWISE, IN NO EVENT WILL CISCO, ITS AFFILIATES, OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, SUPPLIERS AND LICENSORS BE LIABLE FOR ANY LOST REVENUE, PROFIT, OR LOST OR DAMAGED DATA, BUSINESS INTERRUPTION, LOSS OF CAPITAL, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY OR WHETHER ARISING OUT OF THE USE OF OR INABILITY TO USE SOFTWARE OR OTHERWISE AND EVEN IF CISCO OR ANY APPROVED SOURCE OR THEIR SUPPLIERS OR LICENSORS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

IF YOU ACQUIRED THE SOFTWARE IN EUROPE, THE MIDDLE EAST, AFRICA, ASIA OR OCEANIA, IN NO EVENT WILL CISCO, ITS AFFILIATES, OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, SUPPLIERS AND LICENSORS, BE LIABLE FOR ANY LOST REVENUE, LOST PROFIT, OR LOST OR DAMAGED DATA, BUSINESS INTERRUPTION, LOSS OF CAPITAL, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL, OR PUNITIVE DAMAGES, HOWSOEVER ARISING, INCLUDING, WITHOUT LIMITATION, IN CONTRACT, TORT (INCLUDING NEGLIGENCE) OR WHETHER ARISING OUT OF THE USE OF OR INABILITY TO USE THE SOFTWARE, EVEN IF, IN EACH CASE, CISCO, ITS AFFILIATES, OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, SUPPLIERS AND LICENSORS, HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT FULLY APPLY TO YOU. THE FOREGOING EXCLUSION SHALL NOT APPLY TO ANY LIABILITY ARISING OUT OF OR IN CONNECTION WITH: (I) DEATH OR PERSONAL INJURY, (II) FRAUDULENT MISREPRESENTATION, OR (III) CISCO'S LIABILITY IN CONNECTION WITH ANY TERMS THAT CANNOT BE EXCLUDED UNDER APPLICABLE LAW.

Customer acknowledges and agrees that Cisco has set its prices and entered into the Agreement in reliance upon the disclaimers of warranty and the limitations of
liability set forth herein, that the same reflect an allocation of risk between the parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss), and that the same form an essential basis of the bargain between the parties.

Controlling Law, Jurisdiction.

If you acquired, by reference to the address on the purchase order accepted by the Approved Source, the Software in the United States, Latin America, or the Caribbean, the Agreement and warranties (“Warranties”) are controlled by and construed under the laws of the State of California, United States of America, notwithstanding any conflicts of law provisions; and the state and federal courts of California shall have exclusive jurisdiction over any claim arising under the Agreement or Warranties. If you acquired the Software in Canada, unless expressly prohibited by local law, the Agreement and Warranties are controlled by and construed under the laws of the Province of Ontario, Canada, notwithstanding any conflicts of law provisions; and the courts of the Province of Ontario shall have exclusive jurisdiction over any claim arising under the Agreement or Warranties. If you acquired the Software in Europe, the Middle East, Africa, Asia or Oceania (excluding Australia), unless expressly prohibited by local law, the Agreement and Warranties are controlled by and construed under the laws of England, notwithstanding any conflicts of law provisions; and the English courts shall have exclusive jurisdiction over any claim arising under the Agreement or Warranties. In addition, if the Agreement is controlled by the laws of England, no person who is not a party to the Agreement shall be entitled to enforce or take the benefit of any of its terms under the Contracts (Rights of Third Parties) Act 1999. If you acquired the Software in Japan, unless expressly prohibited by local law, the Agreement and Warranties are controlled by and construed under the laws of Japan, notwithstanding any conflicts of law provisions; and the Tokyo District Court of Japan shall have exclusive jurisdiction over any claim arising under the Agreement or Warranties. 
If you acquired the Software in Australia, unless expressly prohibited by local law, the Agreement and Warranties are controlled by and construed under the laws of the State of New South Wales, Australia, notwithstanding any conflicts of law provisions; and the State and federal courts of New South Wales shall have exclusive jurisdiction over any claim arising under the Agreement or Warranties. If you acquired the Software in any other country, unless expressly prohibited by local law, the Agreement and Warranties are controlled by and construed under the laws of the State of California, United States of America, notwithstanding any conflicts of law provisions; and the state and federal courts of California shall have exclusive jurisdiction over any claim arising under the Agreement or Warranties.

For all countries referred to above, the parties specifically disclaim the application of the UN Convention on Contracts for the International Sale of Goods. Notwithstanding the foregoing, either party may seek interim injunctive relief in any court of appropriate jurisdiction with respect to any alleged breach of such party's intellectual property or proprietary rights. If any portion hereof is found to be void or unenforceable, the remaining provisions of the Agreement and Warranties shall remain in full force and effect. Except as expressly provided
herein, the Agreement constitutes the entire agreement between the parties with respect to the license of the Software and Documentation and supersedes any conflicting or additional terms contained in any Purchase Order or elsewhere, all of which terms are excluded. The Agreement has been written in the English language, and the parties agree that the English version will govern. Product warranty terms and other information applicable to Cisco products are available at the following URL: http://www.cisco.com/go/warranty.

[SUPPLEMENTAL LICENSE AGREEMENT FOLLOWS]

Supplemental End User License Agreement

FireAMP Product

IMPORTANT: READ CAREFULLY.

This Supplemental End User License Agreement (“SEULA”) contains additional terms and conditions for the FireAMP Product (the “Software”) licensed under the End User License Agreement (“EULA”) between you and Cisco (collectively, the “Agreement”). Capitalized terms used in this SEULA but not defined will have the meanings assigned to them in the EULA. To the extent that there is a conflict between the terms and conditions of the EULA and this SEULA, the terms and conditions of this SEULA will take precedence.

In addition to the limitations set forth in the EULA on your access and use of the Software, you agree to comply at all times with the terms and conditions provided in this SEULA.

DOWNLOADING, INSTALLING, OR USING THE SOFTWARE CONSTITUTES ACCEPTANCE OF THE AGREEMENT, AND YOU ARE BINDING YOURSELF AND THE BUSINESS ENTITY THAT YOU REPRESENT TO THE AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THE AGREEMENT, THEN CISCO IS UNWILLING TO LICENSE THE SOFTWARE TO YOU AND (A) YOU MAY NOT DOWNLOAD, INSTALL OR USE THE SOFTWARE, AND (B) YOU MAY RETURN THE SOFTWARE (INCLUDING ANY UNOPENED CD PACKAGE AND ANY WRITTEN MATERIALS) FOR A FULL REFUND, OR, IF THE SOFTWARE AND WRITTEN MATERIALS ARE SUPPLIED AS PART OF ANOTHER PRODUCT, YOU MAY RETURN THE ENTIRE PRODUCT FOR A FULL REFUND. YOUR RIGHT TO RETURN AND REFUND EXPIRES 30 DAYS AFTER PURCHASE FROM CISCO OR AN AUTHORIZED CISCO RESELLER, AND APPLIES ONLY IF YOU ARE THE ORIGINAL END USER PURCHASER.

Definitions

“Endpoint” means any device capable of processing data used in conjunction with any of the Software or Cisco-provided services, including but not limited to personal computers, mobile devices and network computer workstations.

“Non-Personal Information” means technical and related information that is not Personal Information, including, but not limited to the operating system type and version; file metadata and identifiers such as SHA-256 values; network host data; origin and nature of malware; Endpoint GUIDs (globally unique identifiers); Internet Protocol (“IP”) addresses; MAC addresses; logfiles; the types of software or applications installed on a network or an Endpoint; and any aggregate or demographic data such as cookies, web logs, web beacons, and other similar applications.

“Personal Information” means any information that can
be used to identify an individual and may include an individual’s name, address, email address, phone number, payment card number, and user name.

Additional License Rights and Restrictions

License.

Conditioned upon compliance with the terms and conditions of the Agreement, Cisco grants to you a nonexclusive, nontransferable and non-sublicenseable license to use for your internal business purposes the Software and Documentation for which you have paid the required license and/or subscription fee. The license shall be a subscription to use the Software for a defined period of time as indicated in a SKU or as otherwise shown in the ordering document. In order to use the Software, you may be required to input a registration number or product authorization key and register your copy of the Software online at Cisco's website to obtain the necessary license key or license file. You will need a connection to the Internet in order to access certain cloud-based components of the Software. You are solely responsible for establishing and maintaining all required Internet connections.

Certain components of the Software will be required to be installed on your Endpoints. You may install such components of the Software only on the number of Endpoints for which you have paid the applicable fee.

If you allow a third party acting on your behalf (i.e. a contractor) to access and use the Software, then you shall remain responsible for compliance with the Agreement by each such third party. If you distribute the Software to such third party or otherwise install any component of the Software on an Endpoint of such third party, then each such distribution or installation shall include a copy of the Agreement.

If Cisco provides you with application IDs, signatures or rules for use with any Software (collectively, the “Rules”), then such Rules, and all modifications and updates thereto, are provided on an “AS IS” basis without warranty of any kind, either expressed or implied, including, without limitation, warranties that the Rules are free of defects, merchantable, fit for a particular purpose, error-free or non-infringing.

The subscription term is subject to the termination provisions under the EULA. You must renew the subscription license and pay the applicable fee before the expiration date for continued authorized use of the Software. You may not use the Software in a manner that exceeds the permitted number of Endpoints, term of subscription or other limitations associated with the applicable license or subscription fee paid or payable by you. If the subscription term expires without renewal, Software features and services may cease operation. Cisco has the right to terminate your use of the Software if your use extends beyond the permitted number of Endpoints or the subscription term has expired and you have not paid the applicable fee to continue use of the Software. In the event of a termination of the Agreement, you must use commercially reasonable efforts to notify all permitted third party users that their rights of access and use of the Software have also ceased.

Consent to Data Collection and Privacy

1. Data Collection and Processing.

Cisco may, as part of your use of the Software and/or the provision of related services by Cisco, collect, retain, and use Non-Personal Information and specific identifiable data about you, your network and your Endpoints (e.g., Endpoint IDs, IP addresses, location, content, etc.). Some of this specific identifiable data may contain Personal Information. Cisco also may transfer data so collected to Cisco's offices and subsidiaries in the United States and other countries where Cisco or its service providers have facilities.

2. Purpose of Data Collection and Processing.

The data Cisco collects from the Software is necessary for the essential use and functionality of the Software (e.g. device tracking, access control, data and traffic analysis, threat detection, malware and conduct-related analysis, etc.), and is also used by Cisco to provide associated services and to improve the operation and functionality of the Software. For these reasons you may not be able to opt out from some of this data collection other than by uninstalling or disabling the Software. You may have the ability, however, to configure your Software to limit some of the data that can be collected, as described in the applicable Software Documentation.

3. Consent to Data Collection and Use.

By using the Software and/or subscribing to related Cisco-provided services and accepting these terms, you agree to the collection, use, transfer, backup, and storage of your Personal Information and other data by Cisco and its service providers. Cisco will not process this information other than in accordance with Cisco's Privacy Statement (identified in section 4 below). You also agree that Cisco and its service providers may, as part of your use of the Software and the provision of related services by Cisco, transfer, copy, backup and store your Personal Information and other data in the United States, Europe, or other countries or jurisdictions outside your own where data protection standards may be different.

4. Privacy Statement.

By entering into this Agreement, you agree that Cisco's Privacy Statement, as it exists at any relevant time, applies to you. The most current Privacy Statement can be found at: http://www.cisco.com/web/siteassets/legal/privacy_full.html

[End of SEULA]
