
AMP Signature Set Update Failure

EricQuinn4504
Level 1

The daily activity report shows "Event Type: Signature Set Update Failure" for one PC. Looking at the device in the console I find the following under error details and cannot find any documentation of error codes and how to troubleshoot.  Any help is appreciated.

 

Error Code 50. Computer CPU incompatible with Behavioral Protection engine SSSE3 requirement.

Accepted Solutions

Update to all:
I was able to work with Cisco Tech Support and include his response to questions about our problem. Short answer: our problem was the result of some old computers with AMD Athlon II CPUs which do not support a required CPU code library.

Thanks for contacting Cisco TAC. My name is Javi Martinez from the Advanced Threat Solutions team. I will be assisting you with the Service Request.

Regarding your issue, the issue is regarding Behavioral Protection engine, let me share with you the following additional details:

1) What is the meaning of error 50?

A signature set update failure with error code 50 will be in your Events list if the processor on a computer does not support SSSE3.
You can double check this information from AMP4E User guide:
https://docs.amp.cisco.com/en/A4E/AMP%20for%20Endpoints%20User%20Guide.pdf
Behavioral Protection (Connector version 7.3.1 and later), page 117 & 118.

2) Where can I find a listing of all Cisco AMP error codes?

- There is no AMP4E error list. In most cases, AMP4E triggers an error code in decimal format;
these codes are derived from the Windows Event Log hexadecimal codes.
So in order to get additional details, we need to convert the error code and search for it in the Microsoft documentation:
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-cifs/8f11e0f3-d545-46cc-97e6-f00569e3e1bc

3) What method will resolve this error?

From the AMP user guide https://docs.amp.cisco.com/en/A4E/AMP%20for%20Endpoints%20User%20Guide.pdf
As an additional requirement, Behavioral Protection also requires a CPU that supports the Supplemental Streaming SIMD Extensions 3 (SSSE3) instruction set.
Please verify whether the affected devices support the SSSE3 instruction set. If the affected devices don't support it, the error will be triggered.

Keep in mind, the Behavioral Protection engine enhances the ability to detect and stop threats behaviorally.
It deepens the ability to detect "living-off-the-land" attacks and provides faster response to changes in the threat landscape through signature updates.
If this engine has a signature set update failure, the Behavioral Protection engine won't work as expected.
So you can test disabling the Behavioral Protection engine and verify whether the alerts still appear. (In order not to affect your whole environment, you can move the affected machines into a specific policy where you are able to disable the Behavioral Protection engine.)
I hope this information will be useful for you.

If you have any further questions, please let me know, I'll be glad to help you.
Below you can find my signature with my business hours.

Regards,
Javi Martinez Arias
Technical Consulting Engineer


jbates5873
Level 1

Are there any updates on this issue? One of our customers' machines has come back with this error as well.


Rahul Singh
Cisco Employee

Behavioral Protection also requires a CPU that supports the Supplemental Streaming
SIMD Extensions 3 (SSSE3) instruction set. See your CPU manufacturer’s
documentation for a list of processors that includes SSSE3. A signature set update failure with error code 50 will be in your Events list if the processor on a computer does not support SSSE3.

IMPORTANT! Some virtualization technologies, including Hyper-V and VMware, have
settings that can mask SSSE3 capabilities in the virtual machine even if the host CPU
supports them. See your virtual machine documentation to ensure these settings are
disabled to use Behavioral Protection.

 

(Above para is from "AMP for Endpoints User Guide")

 

https://en.wikipedia.org/wiki/SSSE3

 

I believe it's about "either your CPU processor supports it or not". I don't think we can do anything about it. I am not sure what changes can be done w.r.t. CPU processors. By disabling Behavioral Protection, we can get rid of the error, but that's not a good idea.

 

You can download a tool, CPU-Z (free download), on your system. Once you run it, it will show whether the CPU supports it or not.
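
The SSSE3 check discussed in this thread, as an added example that is not part of the original posts or of Cisco's tooling: it reads CPUID leaf 1 and tests ECX bit 9 (SSSE3), and also reports ECX bit 31 (hypervisor present) so that a VM guest with masked features can be told apart from an old physical CPU. The helper names are hypothetical; it assumes an x86 build with GCC or Clang (for example MinGW on Windows).

```c
/* Added example: does this CPU (or VM guest) expose SSSE3? */
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>              /* GCC/Clang wrapper for the CPUID instruction */
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0
#endif

/* Feature bits in CPUID leaf 1, register ECX. */
#define ECX_SSE3       (1u << 0)    /* SSE3: a different, older extension */
#define ECX_SSSE3      (1u << 9)    /* SSSE3: the one Behavioral Protection needs */
#define ECX_HYPERVISOR (1u << 31)   /* set when running as a VM guest */

/* Hypothetical helper names; they decode a raw leaf-1 ECX value. */
int ecx_has_ssse3(uint32_t ecx)   { return (ecx & ECX_SSSE3) != 0; }
int ecx_has_sse3(uint32_t ecx)    { return (ecx & ECX_SSE3) != 0; }
int ecx_is_vm_guest(uint32_t ecx) { return (ecx & ECX_HYPERVISOR) != 0; }

/* Returns 1 if SSSE3 is present, 0 if absent, -1 if CPUID cannot be queried. */
int host_ssse3(uint32_t *ecx_out) {
#if HAVE_CPUID
    unsigned int eax = 0, ebx = 0, ecx = 0, edx = 0;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx)) return -1;
    if (ecx_out) *ecx_out = ecx;
    return ecx_has_ssse3(ecx);
#else
    (void)ecx_out;
    return -1;
#endif
}

int main(void) {
    uint32_t ecx = 0;
    int r = host_ssse3(&ecx);
    if (r < 0) { puts("CPUID leaf 1 not available on this build target"); return 2; }
    printf("CPUID.1:ECX = 0x%08x\n", (unsigned)ecx);
    printf("SSE3: %s, SSSE3: %s\n", ecx_has_sse3(ecx) ? "yes" : "no", r ? "yes" : "no");
    if (!r && ecx_is_vm_guest(ecx))
        puts("VM guest without SSSE3: check the hypervisor's CPU feature masking");
    else if (!r)
        puts("Physical CPU without SSSE3: the error code 50 condition");
    return r ? 0 : 1;
}
```

The exit status is 0 when SSSE3 is present and 1 when it is not, so the binary can be run from a deployment script before assigning a machine to a policy with Behavioral Protection enabled.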

 

 
 

 

I have this problem too.
But I am facing error code 52.