Cisco Secure Endpoint (AMP) - Running a Scan from the Local GUI

This article describes the process of starting a Secure Endpoint (AMP) scan directly from a machine with Secure Endpoint (AMP) installed.

Note: To successfully run all of the scan types available, the AMP console administrator for your department must enable the AMP GUI via the console. For more information on how to do this, see this article on enabling Tetra & Clam AV.

  • Starting a Scan Locally on a Windows Endpoint:

      1. To trigger a scan on your machine, you must start the Cisco Secure Endpoint (AMP) GUI. To do so, type Cisco Secure Endpoint (AMP) into the Start Menu search bar of your machine. If Secure Endpoint (AMP) is installed on your machine, the Cisco Secure Endpoint (AMP) Connector should appear. Double-click the application to start it.
        IMG12.png

      2. The Secure Endpoint (AMP) GUI should now appear. If it does not, navigate to the system tray in the lower right-hand corner of your screen and double-click the Secure Endpoint (AMP) icon to start the GUI (icon shown in the green box in the image below).
        IMG13.png

        Secure Endpoint (AMP) GUI:
        IMG14.png

      3. Click the Scan Now button. You will be presented with the option to run several different kinds of scans. To learn more about each of the scan types, see below:

          • Flash Scan: will scan the processes running and the files and registry entries used by those processes.

          • Custom Scan: will scan a particular filepath that you give it.

          • Full Scan: will scan the processes running, the registry entries, and all the files on disk. This scan can be very resource-intensive.

          • Rootkit Scan: scans the computer for signs of installed rootkits.

        IMG15.png

      4. Selecting a scan type will automatically trigger the scan. When you start a scan, a window showing scan progress should appear. You will have the option to pause or stop the scan.
        IMG16.png

      5. When the scan is completed, a results window will appear.
        IMG17.png



  • Starting a Scan Locally on a Mac Endpoint:

      1. To trigger a scan on your machine, you must start the Cisco Secure Endpoint (AMP) GUI. To do so, click the magnifying glass in the upper right-hand corner of your screen, then type Cisco Secure Endpoint (AMP) into the Spotlight search bar that appears. If Secure Endpoint (AMP) is installed on your machine, the Cisco Secure Endpoint (AMP) Connector should appear. Double-click the application to start it.
        IMG18.png

      2. The Secure Endpoint (AMP) GUI icon should now appear in the processes bar in the upper right-hand corner of your screen. Click the Secure Endpoint (AMP) icon to expand information about Secure Endpoint (AMP) (icon shown in the green box in the image below).
        IMG19.png

      3. Hover your mouse over the Scan option. You will be presented with the option to run several different kinds of scans. To learn more about each of the scan types, see below:

          • Flash Scan: will scan the processes running and the files and registry entries used by those processes.

          • Full Scan: will scan the processes running, the registry entries, and all the files on disk. This scan can be very resource-intensive.

          • Custom Scan: will scan a particular filepath that you give it.

        IMG20.png

      4. Selecting a scan type will automatically trigger the scan. When you start a scan, clicking the Secure Endpoint (AMP) Icon again will show scan progress. You will also have the option to pause or stop the scan.
        IMG21.png

      5. To view results, click the Secure Endpoint (AMP) icon and select Settings. A Secure Endpoint (AMP) GUI will appear. Navigate to the Events tab to view all recent events on the endpoint. If the scan found anything, an event for the findings will appear in this tab.
        IMG22.png