A multinational corporation uses Cisco AMP for Endpoints with cloud-based file reputation. The security team notices that a file that was previously determined to be clean (disposition: clean) is now reported as malicious by a threat intelligence feed. However, AMP has not taken any action on endpoints that already executed the file. The administrator confirms that retrospective security is enabled. What should the administrator check first to ensure that the file is remediated on all affected endpoints?
Requires explicit setting.
Why this answer
Option C is correct because when a file's disposition changes from clean to malicious in the AMP cloud, the 'Remediate Now' policy setting controls whether AMP automatically triggers remediation actions (such as quarantine or deletion) on endpoints that have already executed the file. Even with retrospective security enabled, the administrator must ensure that the policy assigned to the endpoints has this option enabled; otherwise, the cloud will send the updated disposition but the endpoint will not automatically act on it.
Exam trap
Cisco often tests the distinction between 'retrospective security' being enabled (which allows the cloud to send updated dispositions) and the 'Remediate Now' policy setting (which controls whether the endpoint automatically acts on those updates), leading candidates to incorrectly assume that enabling retrospective security alone is sufficient for automatic remediation.
How to eliminate wrong answers
Option A is wrong because antivirus exclusion lists affect real-time or on-access scanning, not the retrospective remediation of a file whose disposition has changed in the cloud; exclusions would prevent initial detection but do not block cloud-triggered remediation. Option B is wrong because, although endpoints must have internet connectivity to receive the updated disposition from the AMP cloud, the question states that the administrator has confirmed retrospective security is enabled, implying connectivity is already present; the issue is the lack of automatic remediation action, not connectivity. Option D is wrong because the local AMP engine handles initial file analysis and detection, but the file was previously determined clean by the cloud; the local engine does not re-analyze files for retrospective disposition changes, since that is a cloud-driven function.