A Simple Custom Detection List is a feature of Cisco AMP for Endpoints that allows administrators to create a list of SHA-256 hashes of files that they want to detect, block, and quarantine on their endpoints. The list can be applied to a policy and the connectors will synchronize with the latest changes. However, the list only works with the exact SHA-256 hashes that are provided, and it does not detect any variations or modifications of the files. Therefore, if the malicious file abc428565580xyz.exe has been altered in any way, such as by changing its name, size, or content, the Simple Custom Detection List will not be able to recognize it as a threat. To ensure detection of the malicious file, the administrator must upload the SHA-256 hash of the current version of the file to the Simple Custom Detection List, or use another method that can detect file variations, such as an Advanced Custom Detection List or Cisco Threat Grid. References := Some possible references are:
* Configure a Simple Custom Detection List on the AMP for Endpoints Portal
* Create an Advanced Custom Detection List in Cisco Secure Endpoint
* [Cisco AMP for Endpoints User Guide]
https://www.cisco.com/c/en/us/td/docs/security/firepower/amp/6-3/user-guide/amp-user-guide.pdf

Cisco AMP for Endpoints and Cisco Umbrella Roaming Client are both security solutions that protect mobile users from threats, but they have different functions and features. Cisco AMP for Endpoints is a cloud-managed endpoint security solution that stops and tracks malicious activity on hosts, such as malware execution, file behavior, and command-and-control callbacks. It also provides threat intelligence, sandboxing, and retrospective analysis to detect and respond to advanced threats. Cisco Umbrella Roaming Client is a lightweight DNS client that tracks only URL-based threats, such as phishing, ransomware, and botnets. It prevents connections to malicious domains and IP addresses, and provides visibility and enforcement for off-network devices. It also integrates with Cisco AnyConnect VPN client to provide seamless protection for VPN and non-VPN traffic. Therefore, the functional difference between Cisco AMP for Endpoints and Cisco Umbrella Roaming Client is that AMP for Endpoints stops and tracks malicious activity on hosts, and the Umbrella Roaming Client tracks only URL-based threats. References :=
* Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: Endpoint Protection and Detection, Lesson 3.1: Cisco AMP for Endpoints Overview
* Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: Endpoint Protection and Detection, Lesson 3.2: Cisco AMP for Endpoints Architecture and Components
* Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: Endpoint Protection and Detection, Lesson 3.3: Cisco AMP for Endpoints Installation and Configuration
* Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: Endpoint Protection and Detection, Lesson 3.4: Cisco AMP for Endpoints Analysis and Response
* Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: Endpoint Protection and Detection, Lesson 3.5: Cisco Umbrella Overview
* Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: Endpoint Protection and Detection, Lesson 3.6: Cisco Umbrella Architecture and Components
* Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: Endpoint Protection and Detection, Lesson 3.7: Cisco Umbrella Roaming Client
* Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: Endpoint Protection and Detection, Lesson 3.8: Cisco Umbrella Policies and Reporting
* Best Mobile Cybersecurity Solution - Cisco Umbrella

Reference:
https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-0/user_guide/b_ESA_Admin_Guide_12_0/b_ESA_Ad

Explanation