cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
20160
Views
185
Helpful
47
Replies
aledipas
Cisco Employee

Resolving AMP for Endpoints TETRA Definition Issues

 

Hi Everyone,

 

Recently we were made aware of a TETRA AV definition update which caused the Windows AMP for

Endpoints service to crash. 

 

Note:  Customers who do NOT have TETRA enabled are not affected by this issue. 

 

While we have already removed the problematic definition set, which was available for ~30 minutes (see further notes below), affected systems will need to be fixed manually by uninstalling/re-installing the Connector (instructions below). Once the connector has been re-installed, a non-affected definition set will be downloaded and resolve the issue.

 

How to determine if you are impacted:

The issue causes the AMP for Endpoints service to crash or hang. The best way to determine if you have an affected system is to determine if any Connectors have been offline since the bad definition set was published.

 

To get the Last Seen Timestamp from the AMP Console, go to the Management tab and select Computers. From here you can download a CSV file using the "Export to CSV" option. The CSV will contain the Last Seen Timestamp. You can sort and filter on Connectors that have not been seen since 16:00 UTC February 06 2018 – these are likely Connectors that have been affected by this issue.

 

Resolution:

We urge all customers who are affected by this issue to open a TAC case immediately.

 

Resolving this issue does involve uninstalling and reinstalling the Connector.

 

Uninstall via Add/Remove Programs:

a) Uninstall the connector (choose "No" when asked if you plan to install the Connector again)
b) Re-install connector

 

Uninstall via Command Line:

<installer> /R /S /stopservicecoe 1 /remove 1

 

Uninstall via Command Line with Connector Protection Enabled:

<installer> /R /S /stopservicecoe 1 /remove 1 /uninstallpassword <INSERT YOUR PASSWORD>

 

Affected Software Versions:

All Windows Connector versions with TETRA enabled are affected on both 32bit and 64bit versions of Windows 7/8/10, Windows Server 2008R2 and Server 2012

 

Notes:

 

TETRA Definition Sets:

Faulty TETRA definition revision (16:20 UTC)

32bit = 101032, 64bit = 70876

 

Updated TETRA definition revision (16:50 UTC)

32bit = 101034, 64bit = 70878

 

A Root Cause Analysis (RCA) document will be prepared and shared with affected customers. 


 

 

47 REPLIES 47

I can't recommend it now after being forced to uninstall AMP from over 50 PCs in Safe Mode.

There were better options for resolution than needing to use safe mode. Using the steps outlined in one of my other posts, we were able to completely script and automate the repair process, requiring only a couple reboots.

 

Yes it was painful, but these kinds of things happen to all vendors. If I gave up a vendor for everything that inconvenienced me, let alone the number of times TAC hasn't been able to solve my problem, I would quickly limit my options and likely put myself out of a job.

meiercyrill
Beginner

We had connector protection enabled on every client. This resulted in beeing unable to uninstall the AMP Client without booting in Safe Mode.

 

Luckily we only had this issue in our company and not as a mannaged service for a customer.