01-11-2018 12:41 AM - edited 03-08-2019 05:46 PM
Hi Guys,
What setting should be there for the connectors to get auto-updated?
My computer is on version 5.1.13 and we have the below setting:
Product Version - none
So do we manually update all workstations? Since I see 6.0.5 is the latest and we are still on old
Thanks in advance!!
Regards
Vaibhav
01-11-2018 01:54 AM
You don't have to manually update them (although you can). The regular way is to edit the policy in the dashboard, choose the desired version under Product Updates and set the Update window when this should happen. After saving your policy all clients with this policy will receive the new settings and update to the chosen version.
06-08-2018 08:21 AM
That's not strictly true, is it! Though they will upgrade, they will require a reboot of the client and the Endpoint will be unprotected until a reboot is taken. Fine if you have 2 Endpoints to take care of. Slightly more of a pain when you have 2000+!
Also there seems to be no way to upgrade using SCCM and when you do manage to get it to work there is no way of suppressing a reboot notification!
Cisco again acquire a product, re-brand it, sell it and have no clue about it! The reason I say this is because multiple times I have asked about the upgrade process and multiple times been told a reboot is not required!
07-11-2018 01:54 AM
This is an issue we're encountering as well. Right pain.
07-11-2018 02:17 AM
We do it using SCCM. It's easy that way.
The only pain is it requires the endpoint to get rebooted, so we liaise it with monthly patches.
07-11-2018 02:19 AM - edited 07-11-2018 02:30 AM
Yea, we're using SCCM also.
It's just a pain that we lose visibility until the reboot.
10-11-2019 06:06 AM
Can't you just select "force reboot" and make the updates for times your users aren't in the office? Users may not like the forced reboot but I bet most won't even notice.
10-16-2019 04:39 AM
Hello @Infrastructure9,
You are right, an unprotected client state after an upgrade is a security risk!!
Development is aware of this; therefore, with new versions of AMP connector 7.x we will introduce Upgrades without Reboot.
Take a look at the upcoming Release notes for new connector versions.
Greetings,
Thorsten
10-16-2019 05:34 AM - edited 10-16-2019 05:35 AM
AMP for Endpoints Windows Connector 7.0.5
New
• Endpoint Isolation is a feature that lets you block incoming and outgoing network
activity on a Windows computer to prevent threats such as data exfiltration and
malware propagation.
• System Process Protection notifications
  • are less verbose. (CSCvn41948)
  • are no longer sent when the process in question is excluded by process exclusions. (CSCvo90440)
BugFixes/Enhancements:
• A failing System Process Protection rule no longer prevents the Self Protect
driver from starting.
• Endpoint indication of compromise (IOC) driver stops gracefully when
uninstalling Windows Connector.
• Upgraded curl version to fix an integer overflow vulnerability in NTLM password
authentication (CVE-2018-14618).
• Memory leak fixes and other stability improvements in the Self-Protect driver.
• Malicious Activity Protection engine no longer incorrectly detects Google
Chrome.
• Windows Connector gathers the BIOS serial number more reliably when it is
needed to detect hardware changes for registration with AMP Cloud.
• Windows Connector Crash is now handled by the Cisco Security Connector
Monitoring Service (CSCMS) Server.
• Fixed an issue where currently running rootkit scans continued to run after the
Connector service was stopped.
• Fixed incompatibility with Kaspersky Real-Time Engine.
• Improved stability of the Exploit Prevention engine.
• New certificate for the Early Launch Antimalware (ELAM) driver.
• Reduced false positives with the Malicious Activity Protection engine.
• Fixed issue where the support tool would sometimes fail to include all necessary
files.
• Fixed a crash on shutdown issue.
• Windows Connector support package is now a ZIP file instead of 7zip so that
Windows can natively unpack the support package.
No mention. When can we expect this so I can call off the security dogs? This is affecting us so much I am now pursuing another enterprise-grade AV/Endpoint protection as AMP4E is still very immature.
10-17-2019 04:48 AM
Hello @Infrastructure9,
In the Beta phase we already tested the no reboot feature with connector version 7.0.3.
For an official answer, the best way is to ask your Cisco representative. There will be no official statements here in the community. ;-)
Greetings,
Thorsten
01-06-2020 05:56 AM
Seems the latest version still requires the endpoint to be rebooted when upgrading from any previous.
01-06-2020 06:30 AM
If you're upgrading from 7.0.5 to 7.1.1, you should not need a reboot. If it is from anything further back, a reboot will still be required. There may be some edge cases where 7.0.5 to 7.1.1 will require a reboot and if you happen to hit one of those, please open a TAC case and provide a diagnostic so we can attempt to remedy those in the future.
Thanks,
Matt
01-07-2020 12:10 AM
Hi Matthew,
Thanks for the reply!! If I upgrade from 6.3 to 7.1.5, I would still need a reboot?
01-06-2020 05:16 AM
Hello Everyone,
So I have tried and used Cisco AMP for some time now. It works fine on workstations and we do work with normal patch upgrade cycle so the reboot needed (which is a pain) works ok with SCCM team update AMP with the patch upgrades.
Issue lies on server side where we still work on patch upgrades but we do have business complaining about high CPU etc. We have tried putting on exclusions but with thousands of applications and their upgrades, we are still not comfortable using it on our Server estate.
01-07-2020 12:07 AM
Hi, we upgraded from 6 to 7.0.5 and needed a reboot.
If we go from here to the latest, it should not ask for a reboot? If yes, I will try it and let people know.