Products and Services

Endpoint Protection: Cisco AMP vs Anti-Virus?

February 3, 2019

Endpoint protection is a regular topic for discussion and is a key component in a Defence in Depth strategy. Since the introduction of Cisco AMP for Endpoints, there have been many questions regarding where AMP sits in comparison to Endpoint Protection from other vendors and how it should be used.Common questions have included:

  • Can AMP work with my current Anti-virus software?
  • Does AMP use signatures like my current Anti-Virus software?
  • Can AMP replace my current Anti-virus software?

The answer to all these questions is Yes, but there are some key points to understand.In our previous post What is Cisco AMP for Endpoints?, we explained that AMP is Cisco’s Next Generation Endpoint Protection solution, that uses advanced techniques and dynamic file behaviour analysis to detect the presence or installation of malicious software, to enable rapid response, and prevent or remove an infection.Here we will cover some of these common questions.

Can AMP work with my current Anti-virus software?

AMP for Endpoints was specifically designed to work together with existing Anti-virus solutions such as McAfee and Symantec. AMP does not clash with existing AV products nor does it try to compete with them.Instead AMP allows the AV software to perform its inspection and analysis first, and if the AV detects malware it can perform its configured quarantine or removal actions as required, and AMP does not need to get involved. In the event that the AV does not detect the presence of malware, AMP then steps in to perform its analysis and blocking as required.

Does AMP use signatures like my current Anti-Virus software?

A signature is a static string or pattern of text that uniquely identifies a virus. These signatures allow Anti-virus software to detect and trigger alerts when a virus is present. As these are static identifiers, the virus needs to be known and understood, if the virus behaviour changes or a new virus is released then new signatures will be required. This can lead to gaps in your endpoint security.These Anti-virus products are often referred to as ‘Point-in-time detection’ technologies.In addition to the cloud based dynamic file analysis, AMP for endpoints includes Point-in-time offline protection engines for Anti-virus scanning. Two offline protection engines are currently available with AMP:

  • ClamAV engine is available for offline AV scanning of Linux and Apple Mac devices
  • TETRA engine is available for offline AV and rootkit scanning of Microsoft Windows devices

These offline protection engines are not enabled by default, but they can be enabled in the policy as required. If you decide to run AMP alongside existing AV software, then these offline engines should not be enabled.Both engines run offline copies of the signature files locally on the endpoint and must connect to the AMP cloud regularly to download the latest signatures, in the same way that standard Anti-virus products do.

Can AMP replace my current Anti-virus software?

In short, you can use AMP to replace your existing AV product. Cisco AMP for Endpoints goes beyond these normal signature-based detection and prevention technologies, by including multiple engines to enhance AMPs ability to detect Malware.AMP for Endpoints provides deep visibility and control using the following:

  • Point-in-time Malware detection and blocking: Uses signature matching, machine learning and fuzzy fingerprinting to analyse and catch the malware at point of entry, in real-time.
  • Continuous analysis, remediation and retrospective security: When a file lands on an endpoint, AMP watches the file continuously and records its activity, regardless of whether the file is deemed good or bad. If a good file starts to exhibit bad behaviour in the future, AMP can alert your team, so you can contain and remediate the threat quickly.
  • Threat intelligence: AMP is backed up by solid threat intelligence provided by the Cisco Talos group. Talos analyses millions of malware samples and terabytes of data every day. Once available, Talos pushes this threat intelligence to AMP for Endpoints so users are protected 24/7. On average Talos intelligence and real-world block data is received by Cisco’s global Security products within 5 mins of being available.
  • Advanced Sandboxing: With the help of AMP Threat Grid, AMP can perform automated static and dynamic analysis of files, against a large number of behavioural indicators, to determine whether a file is malicious.

Cisco have many clients that have used AMP for Endpoints to replace their existing Anti-virus software.Ultimately though, the decision is yours. You need to consider whether AMP for Endpoints is suitable to replace your current AV. This may depend on several factors; your organisations security policy; the capabilities of your current endpoint protection software and whether you feel it is performing to your standards, and your organisations requirements for endpoint security; to name a few.

What AMP for Endpoints does not do

Cisco’s AMP for Endpoints does not aim to mimic the standard Anti-virus and Endpoint Protection products, that most people are familiar with today. As discussed above AMP is a Next Generation Endpoint Security solution, which uses advanced methods to detect attacks and malware infections that occur on your PC’s, Laptops, Servers etc.Below are a few items available in typical Endpoint Security products that Cisco AMP for Endpoints does not provide:

  • Host based or Personal Firewall services
  • Host based or Personal Intrusion Prevention Services
  • Port and device control

To cover the above items, you could use AMP in conjunction with alternative layers of security such as network-based controls or integrated software such as Windows Defender, which is built into Microsoft operating systems.


Cisco AMP for Endpoints is a simple, strong and effective solution in the fight against Malware and modern day cyber-attacks. It can be used in conjunction with, or as an alternative to, your existing Endpoint protection solution - depending upon your requirements.AMP does not have to operate as a standalone product, it is part of larger security architecture that is integrated with numerous products in the Cisco Security portfolio. These products are built to work together as an integrated security system, to provide faster detection and response to threats across your organisation and close the gaps that come from using different individual security products that are unaware of each other.

Where do Ironshare fit in?

Ironshare can help you to get up and running with Cisco AMP for Endpoints within days.We not only provide step-by-step guidance on deployment within your organisation, we can also manage the day-to-day running and reporting, leaving your teams to get on with their usual day job.Our aim is to provide Security, Simplified. That means we can communicate in a non-technical manner (or technical if you prefer) and just give you the information you want.Step 1 – Simple PricingIronshare are Certified Cisco partners who specialise in security and operate in a completely transparent manner. Unlike other providers we make no secret of our pricing and you can simply click here to get an accurate price estimate. No nonsense – simple!

Cisco Select

Step 2 – Simple DeploymentCisco AMP for Endpoints requires no on-site hardware and can be deployed very easily, providing advanced protection for all of your endpoints.Our technical team would need to speak with your software deployment teams but rolling out the lightweight connector is straightforward. There might be other factors to consider for wider deployments – but none will be complicated and even the largest of companies can have this up and running very quickly.We will guide you through the entire process. No hidden costs – simple!Step 3 – Simple ManagementAlthough AMP for Endpoints has a great management interface, it does take time to get up to speed with the product, so to manage this yourself would require some dedicated resource to first of all learn, but then maintain and get the best out of AMP for Endpoints.Our team at Ironshare are experienced with the product, and we would talk to you about what you want to achieve, and after the initial setup we will deliver you a managed service that ensures your IT support or security team are aware of threats from day one. With an Ironshare managed service your team have more time to get on with their normal day to day activities.In addition, we’ll alert you to any malware issues that the product discovers and provide you with a monthly report that summarises all of the interesting facts and figures. We’ll also give you recommendations on internal actions you might need to take.ConclusionIronshare are a small, niche security consultancy focused on delivery of fast and efficient solutions to businesses. Our experienced team aim to provide a fully managed service that takes the strain away from your employees and allows you to focus on your core business.Ironshare – Security, SimplifiedIf you have any questions – please Contact Us here.


Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.

Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.

Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.


Ironshare is a provider of Information and Cyber Security services.

we went with; wizard pi