
Strengthening Malware Defense With Meraki AMP

John Ciarlone

Cisco Meraki Advanced Malware Protection (AMP) is the file security engine built into Meraki MX firewalls with Advanced Security licensing. It inspects files as they cross the MX, checks them against Cisco’s cloud intelligence, and decides whether to allow, block, or keep watching them.

For distributed SMB IT networks, AMP is often the first place a file is inspected before it hits a laptop or server. It is designed to catch the zero-day and “patient zero” style threats that signature-only antivirus misses.

Closing The Perimeter Gap In Distributed Networks

Most branch sites send users straight to the internet through an MX. If that MX only runs basic firewall rules, file-based threats roll right through your environment.

AMP closes that gap by acting as a file security layer at the edge. It provides a practical way to secure your network without adding unnecessary complexity to your daily workload.

  • What AMP targets: File downloads over HTTP passing through the MX

  • How it fits with other engines:

    • Firewall rules: Control which apps and ports are allowed

    • IDS/IPS: Inspect traffic for exploits and C2 connections

    • AMP: Inspect files and track their reputation over time

    • Content filtering: Block known risky sites and categories

  • Why it matters: Stops malicious files before they ever land on an endpoint

Core Capabilities Behind Meraki Advanced Malware Protection

Instead of relying on static signatures, AMP uses cloud file reputation, behavior analysis, and Cisco Talos intelligence. That gives you better visibility and a clearer story in the Meraki Dashboard.

This intelligence-driven approach allows you to make smart decisions without uncertainty. It provides the clarity and speed in procurement and management that SMB IT professionals rely on.

Real-Time File Reputation Checks

Every inspected file is fingerprinted and checked against the AMP cloud, then allowed, blocked, or monitored. This process is fast and accurate, ensuring your users are protected without slowing down their work.

  • File hash lookup: The MX sends a file fingerprint to the cloud for verification

  • Disposition: Files are categorized as clean, malicious, or unknown.

  • Action at the edge: The system blocks malicious files and logs unknown ones for further review.

  • Visibility: Events show up in the Meraki Security Center with file, client, and URL details

Dynamic Sandbox Analysis (Threat Grid Integration)

When you enable Threat Grid (Cisco Secure Malware Analytics), suspicious unknown files can be detonated in a sandbox. This provides technical guidance on how a file behaves before it touches your actual hardware.

  • Behavioral scores: High-risk files stand out quickly based on their actions.

  • Rich forensics: Review registry changes, process behavior, and callback attempts

  • Faster decisions: You can treat a high-scoring “unknown” as effectively malicious

Automating Containment For Malicious Files

Once the AMP cloud flags a file as malicious, the MX can stop it in place to protect your environment. This automation helps you avoid mistakes and reduces the manual effort required from your solo administrator.

Common actions:

  • Inline block: Prevent the delivery of the file to the end user.

  • User feedback: Provide a block page or a clear notification of a failed download.

  • Event logging: Store the file hash, client, and action in the Security Center

  • Integration: Export to syslog or SIEM to match against other alerts

Eliminating Patient Zero With Retrospective Security

Some files look clean at first and are later reclassified as malicious. AMP handles that with retrospective alerts to help you find and clean endpoints that were previously exposed.

How retrospective security helps:

  • Tracks disposition changes over time

  • Alerts when a previously allowed file becomes “malicious.”

  • Lets you:

    • Find systems that saw or downloaded that file

    • Isolate and clean those endpoints

    • Close any firewall, DNS, or email gaps that let it through

File Trajectory And Propagation Visibility

You do not get a full-blown endpoint detection and response (EDR) map, but you do get enough file trajectory insight to answer “who was impacted.” This data is practical for SMB budgets while providing the necessary oversight.

Useful data points:

  • Which client downloaded the file and when

  • Which URL or IP address served the file

  • Whether the file’s reputation changed later

  • How many times the same file has appeared across sites
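The retrospective and trajectory questions above (which clients received a file before its disposition flipped, which host served it, how many sites saw it, and whether the same hash or host shows up again) can be answered from the event data the Security Center exposes. The script below is an added example, not code from the article or from Cisco Meraki: the event fields, the placeholder hash values and the sample feed are all constructed for illustration, and a real export would need its own field mapping.

```python
"""Retrospective disposition tracking over a constructed AMP-style event feed.

Assumption: every event carries timestamp, site, client IP, URL, file hash,
disposition and action. Field names and hash values are placeholders, not a
real Meraki export and not real indicators.
"""
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse

MALICIOUS = "malicious"


@dataclass(frozen=True)
class FileEvent:
    ts: str           # ISO-8601 UTC; one format throughout, so string order == time order
    site: str         # which MX / branch reported the event
    client: str       # client IP that requested the file
    url: str          # URL that served the file
    sha256: str       # file fingerprint (placeholder values below)
    disposition: str  # clean | unknown | malicious
    action: str       # allow | block


# Constructed sample feed: HASH-A is allowed as "unknown" at two sites, then
# blocked as "malicious" at a third site a day later (a disposition flip).
SAMPLE_EVENTS = [
    FileEvent("2024-05-01T09:12:00", "branch-a", "10.1.0.21", "http://dl.example.test/setup.exe", "HASH-A", "unknown", "allow"),
    FileEvent("2024-05-01T09:40:00", "branch-b", "10.2.0.7", "http://dl.example.test/setup.exe", "HASH-A", "unknown", "allow"),
    FileEvent("2024-05-01T11:05:00", "branch-a", "10.1.0.30", "http://cdn.example.test/report.pdf", "HASH-B", "clean", "allow"),
    FileEvent("2024-05-02T08:00:00", "branch-c", "10.3.0.12", "http://dl.example.test/setup.exe", "HASH-A", "malicious", "block"),
    FileEvent("2024-05-03T10:00:00", "branch-b", "10.2.0.9", "http://dl.example.test/update.exe", "HASH-C", "unknown", "allow"),
]


def disposition_flips(events):
    """Return {sha256: (first_disposition, ts_first_malicious)} for hashes that
    were first seen as clean/unknown and later reported as malicious."""
    by_hash = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_hash[e.sha256].append(e)
    flips = {}
    for h, evs in by_hash.items():
        first = evs[0].disposition
        if first == MALICIOUS:
            continue  # blocked on first sight; nothing retrospective to do
        for e in evs:
            if e.disposition == MALICIOUS:
                flips[h] = (first, e.ts)
                break
    return flips


def impacted_clients(events, sha256, flip_ts):
    """(site, client) pairs that received the file before it was reclassified."""
    return sorted({(e.site, e.client) for e in events
                   if e.sha256 == sha256 and e.action == "allow" and e.ts < flip_ts})


def serving_hosts(events, sha256):
    """Hostnames that served this file, for firewall/DNS follow-up."""
    return sorted({urlparse(e.url).hostname for e in events if e.sha256 == sha256})


def site_spread(events, sha256):
    """How many sites saw the same file."""
    return len({e.site for e in events if e.sha256 == sha256})


def recurrence(events, sha256, hosts, after_ts):
    """Events after remediation that reuse the same hash or the same serving host."""
    return [e for e in sorted(events, key=lambda e: e.ts)
            if e.ts > after_ts and (e.sha256 == sha256 or urlparse(e.url).hostname in hosts)]


def retrospective_report(events):
    """One entry per flipped hash: what it was, when it flipped, who was exposed."""
    report = {}
    for h, (first, flip_ts) in disposition_flips(events).items():
        report[h] = {
            "was": first,
            "flipped_at": flip_ts,
            "impacted": impacted_clients(events, h, flip_ts),
            "hosts": serving_hosts(events, h),
            "sites": site_spread(events, h),
        }
    return report


if __name__ == "__main__":
    rep = retrospective_report(SAMPLE_EVENTS)
    for h, info in rep.items():
        print(h, info)
        for e in recurrence(SAMPLE_EVENTS, h, info["hosts"], "2024-05-02T12:00:00"):
            print("  recurrence:", e.ts, e.site, e.client, e.url, e.sha256)
```

Two design points: the flip detection keys off the first disposition ever recorded for a hash, so a file that was blocked on first sight never generates a retrospective entry, and the recurrence check matches on serving host as well as hash, because the host is usually what survives when an attacker rebuilds the payload.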

Correlating Signatures And Heuristics Via Cisco Talos

AMP is backed by Cisco Talos, which constantly scores and rescores files based on global telemetry. This ensures you are using the most current intelligence available to protect your network.

  • Informed decisions: Get better insights about rare files your organization has never seen.

  • Rapid protection: Stay protected during new malware waves with fast updates.

  • Consistency: Maintain aligned security policies across all your Cisco tools.

Integration With MX Threat Protection Stack

AMP is strongest when used as part of the full MX Threat Protection set. This combination creates a modern perimeter stack that works for multi-site SMB IT teams.

Together you get:

  • Layer 7 rules: Reduce your attack surface by controlling specific application traffic.

  • IDS/IPS: Block exploit traffic before it penetrates your internal network.

  • Content filtering: Cut off access to high-risk or unauthorized web categories.

The result is a practical perimeter stack that works for multi-site SMB environments.

Sizing Implications And Throughput Architecture

AMP and Intrusion Detection/Prevention Systems (IDS/IPS) require significant processing power from your hardware. You should always assume these features are active when you calculate your throughput needs.

Sizing your gear correctly ensures that security does not become a bottleneck for your users. Hummingbird Networks recommends reviewing these practical tips before you finalize your model selection.

  • Check security numbers: Use the "with security features enabled" throughput numbers for all calculations.

  • Calculate peak bandwidth: Consider your peak internet usage rather than just the circuit size.

  • Review feature load: Determine if AMP, IDS/IPS, and content filtering will all be active simultaneously.

  • Plan for growth: Account for increased traffic from Software as a Service (SaaS), video, and remote work.

Placing AMP Within A Layered Security Architecture

AMP is one important layer in your defense, but it is not the only tool you should rely on. A multi-layered approach ensures that threats are caught even if they bypass the initial perimeter check.

Pair AMP with:

  • MX firewall + IDS/IPS at every internet edge

  • DNS and cloud access security for encrypted traffic and roaming users

  • Endpoint protection for threats that never cross the MX

  • Email security to neutralize weaponized attachments and links

Configuring Fail-Open Vs. Fail-Closed Policies

AMP relies on the cloud for file reputation. If the MX cannot reach the AMP cloud, it has to decide how the hardware handles incoming files.

Operational guidance:

  • Treat AMP as “fail closed” by design: if reputation checks fail, files may be blocked

  • Document when it is acceptable to temporarily disable AMP to restore business traffic

  • Monitor MX connectivity so you see cloud reachability problems before users complain

Architecting an Incident Response Workflow

AMP only helps if your team has a simple, repeatable playbook to follow when alerts appear. A clear process reduces the time it takes to contain a threat and restore normal operations.

Your incident response workflow should be direct and well-documented. This allows your team to act with confidence during high-pressure security events.

Review And Prioritize Alerts

You should start in the Meraki Security Center and filter your alerts to focus on the most critical items first. This helps you manage your workload without feeling overwhelmed by data.

Prioritize:

  • Malicious file blocks

  • Retrospective alerts

  • High-severity sandbox results

  • AMP alerts that share hosts or IPs with IDS/IPS events

Investigate Alert Details

Once you identify a priority alert, gather a quick picture of the event to understand the scope of the threat. This investigation provides the context you need to make informed decisions.

Check the following:

  • File hash and current disposition

  • The client and user who requested it

  • URL or IP serving the file

  • Any related events (sandbox report, IPS hits, repeated downloads)
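The two steps above, ranking alerts by the categories listed under "Prioritize" and then pulling together the related events for the one you pick, are exactly the kind of logic worth scripting against a syslog or SIEM export so the triage order is consistent from one busy day to the next. The script below is an added example, not code from the article or from Cisco Meraki: the alert records, the IP addresses, the hash placeholders, the sandbox threshold and the score weights are all assumptions made for illustration.

```python
"""Triage of AMP alerts against IDS/IPS alerts from the same MX.

Assumptions (not from the article): alert records carry a kind, timestamp,
internal client IP, remote IP and a detail dict; the weights and the sandbox
threshold are illustrative choices, not Meraki defaults.
"""
from dataclasses import dataclass

SANDBOX_HIGH = 75  # assumed threshold for "high-severity sandbox result"

# Weights follow the article's priority list; IDS overlap is additive because
# it makes any AMP alert more urgent rather than being a category of its own.
WEIGHTS = {"malicious-block": 80, "retrospective": 70, "high-sandbox-score": 60, "ids-overlap": 50}


@dataclass(frozen=True)
class Alert:
    kind: str     # "amp" | "ids"
    ts: str       # ISO-8601 UTC
    client: str   # internal client IP
    remote: str   # external IP serving the file / receiving the connection
    detail: dict  # engine-specific fields (constructed)


# Constructed sample alerts (placeholder hashes and documentation-range IPs).
AMP_ALERTS = [
    Alert("amp", "2024-05-02T08:00:00", "10.1.0.21", "203.0.113.10",
          {"sha256": "HASH-A", "disposition": "malicious", "action": "block"}),
    Alert("amp", "2024-05-02T08:15:00", "10.1.0.30", "198.51.100.5",
          {"sha256": "HASH-B", "disposition": "unknown", "action": "allow", "sandbox_score": 90}),
    Alert("amp", "2024-05-02T08:20:00", "10.2.0.7", "203.0.113.10",
          {"sha256": "HASH-A", "disposition": "malicious", "action": "retrospective"}),
    Alert("amp", "2024-05-02T09:00:00", "10.3.0.12", "198.51.100.77",
          {"sha256": "HASH-D", "disposition": "unknown", "action": "allow", "sandbox_score": 20}),
]
IDS_ALERTS = [
    Alert("ids", "2024-05-02T08:16:00", "10.1.0.30", "198.51.100.5",
          {"signature": "placeholder-outbound-c2-signature", "priority": 1}),
]


def classify(alert, ids_clients, ids_remotes):
    """Return the list of priority reasons that apply to one AMP alert."""
    d = alert.detail
    reasons = []
    if d.get("action") == "retrospective":
        reasons.append("retrospective")
    elif d.get("disposition") == "malicious" and d.get("action") == "block":
        reasons.append("malicious-block")
    if d.get("sandbox_score", 0) >= SANDBOX_HIGH:
        reasons.append("high-sandbox-score")
    if alert.client in ids_clients or alert.remote in ids_remotes:
        reasons.append("ids-overlap")
    return reasons


def triage(amp_alerts, ids_alerts):
    """Rank AMP alerts; returns (sha256, client, score, reasons), highest first.
    Alerts that match no priority category are dropped from the list."""
    ids_clients = {a.client for a in ids_alerts}
    ids_remotes = {a.remote for a in ids_alerts}
    ranked = []
    for a in amp_alerts:
        reasons = classify(a, ids_clients, ids_remotes)
        score = sum(WEIGHTS[r] for r in reasons)
        if score:
            ranked.append((score, a, reasons))
    ranked.sort(key=lambda r: (-r[0], r[1].ts))  # ties: older alert first
    return [(a.detail["sha256"], a.client, score, reasons) for score, a, reasons in ranked]


def related(sha256, client, amp_alerts, ids_alerts):
    """The 'quick picture' for one alert: same hash elsewhere, IDS hits on the client,
    and every remote that served the hash."""
    same_hash = [a for a in amp_alerts if a.detail.get("sha256") == sha256]
    ids_hits = [a for a in ids_alerts if a.client == client]
    return {
        "downloads": len(same_hash),
        "clients": sorted({a.client for a in same_hash}),
        "remotes": sorted({a.remote for a in same_hash}),
        "ids_hits": [a.detail.get("signature") for a in ids_hits],
    }


if __name__ == "__main__":
    for sha, client, score, reasons in triage(AMP_ALERTS, IDS_ALERTS):
        print(score, sha, client, reasons)
        print("   ", related(sha, client, AMP_ALERTS, IDS_ALERTS))
```

Note what rises to the top: an allowed "unknown" file with a high sandbox score whose client also tripped an IDS signature outranks a clean inline block, which matches the article's point that an unknown is not harmless just because nothing was blocked.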

Contain Threats Quickly

Containment is a critical step because it buys you time to resolve the issue without further spread. You should have a set of standard moves ready for any suspected compromise.

Standard moves:

  • Apply a restrictive group policy to the affected client

  • Shut down a switch port for a clearly compromised device

  • Add temporary firewall rules to block the malicious domain or IP

Remediate And Clean

With the threat contained, you can focus on fixing the root cause of the issue. This ensures your environment returns to a stable and secure state.

Typical actions:

  • Run full endpoint scans to ensure the malicious file is completely removed.

  • Update operating systems and browsers to close the vulnerabilities that allowed the threat.

  • Rotate user passwords if you suspect an account has been compromised.

Document And Communicate

You should write down the details of the event so your team is not guessing about the cause or the cure later. Clear documentation builds trust and improves your future response times.

Capture:

  • A short history of when the event started and when it was resolved.

  • Which users and systems were affected

  • Permanent rule or configuration changes you made

Monitor For Recurrence

After the incident is resolved, keep a close watch for any signs of the threat returning. This proactive approach helps you maintain long-term network health.

Follow up by:

  • Watching for the same hash, domain, or IP

  • Looking for similar AMP or IPS events on other sites

  • Coaching users who repeatedly trigger alerts

Verifying AMP Efficacy and Disposition Status

When AMP appears quiet or confusing in the dashboard, SMB administrators usually see a few common patterns. You should investigate these patterns to ensure your security engine is functioning as expected.

A lack of data often points to a configuration issue rather than a lack of threats. Hummingbird Networks recommends a methodical approach to verifying your setup to maintain total network confidence.

No File Events Showing In The Dashboard

If there are zero file events in your logs, you should first assume there is a configuration problem. Checking the basics can quickly identify why the engine is not reporting traffic.

Quick checks:

  • Is Advanced Security (or equivalent) licensed and active on the MX?

  • Is Threat Protection enabled and AMP turned on?

  • Are users actually downloading files through that MX?

  • Is most file traffic encrypted HTTPS that the MX cannot see?

High Volume Of “Unknown” File Disposition Results

An unknown status does not always mean a file is dangerous. It often means the cloud intelligence does not have enough data to make a definitive judgment yet.

As a technical expert, you should treat these results with caution but without alarm. Unknown dispositions usually come from a few common sources:

  • Lots of internal or custom binaries

  • Very new files that have not built a reputation

  • Inconsistent connectivity to AMP cloud services

Your response:

  • Confirm stable connectivity from MX to AMP

  • Use sandboxing for high-risk unknowns

  • Tighten endpoint monitoring where unknowns are common

Missing Retrospective Alerts

If you have never seen a retrospective alert, it does not always mean the feature is broken. These alerts only trigger when a previously allowed file is reclassified by Cisco Talos.

Possible causes:

  • Your environment simply has not hit files that flipped disposition

  • Alerting is not wired to email, syslog, or SIEM, so the team is not seeing them

  • You are checking the wrong time windows or filters in Security Center

The Value of Advanced Security Licensing

On paper, Advanced Security is an extra line item. In practice, it is the difference between “hoping endpoints catch everything” and actually blocking malware at the edge.

For most multi-site SMB networks, avoiding even one serious outage covers the licensing cost many times over. Hummingbird Networks focuses on providing the clarity you need to justify these investments to your leadership.

How AMP and Advanced Security pay off:

  • Fewer serious incidents because malicious files never land on endpoints

  • Shorter investigations because file, user, and source details are all in one place

  • Smaller operational burden because firewall, IPS, and AMP live in a single cloud dashboard

For most multi-site SMB networks, avoiding even one real outage or ransomware event covers the licensing cost many times over.

Strengthen Your Security Posture Beyond AMP

Meraki AMP gives you a smart, cloud-backed filter for file-based threats at the MX firewall. It plugs a real gap in distributed networks where branches talk directly to the internet.

Use AMP as part of a layered approach that includes strong MX sizing and modern endpoint tools. Combining these with a simple response workflow ensures your team can handle threats quickly even on a busy day.

Lock down file-based threats at the edge with the right Meraki firewall and AMP configuration for your network.
