Resolving AMP for Endpoints TETRA Definition Issues
Recently we were made aware of a TETRA AV definition update which caused the Windows AMP for Endpoints service to crash.
Note: Customers who do NOT have TETRA enabled are not affected by this issue.
While we have already removed the problematic definition set, which was available for ~30 minutes (see further notes below), affected systems will need to be fixed manually by uninstalling/re-installing the Connector (instructions below). Once the connector has been re-installed, a non-affected definition set will be downloaded and resolve the issue.
How to determine if you are impacted:
The issue causes the AMP for Endpoints service to crash or hang. The best way to identify affected systems is to check whether any Connectors have been offline since the bad definition set was published.
To get the Last Seen Timestamp from the AMP Console, go to the Management tab and select Computers. From here you can download a CSV file using the "Export to CSV" option. The CSV will contain the Last Seen Timestamp. You can sort and filter on Connectors that have not been seen since 16:00 UTC February 06 2018 – these are likely Connectors that have been affected by this issue.
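The triage above can be done against the exported CSV instead of by hand. The script below is an added example, not Cisco's code: it assumes the export has "Hostname" and "Last Seen" columns with ISO-style UTC timestamps (the real column names and format may differ), and it separates Connectors that were active shortly before the 16:00 UTC cutoff and then went silent (likely affected) from Connectors that had already been offline for a long time (probably unrelated to this definition set).

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Cutoff from the advisory: the bad TETRA definition set was published
# at about 16:00 UTC on 6 February 2018.
CUTOFF = datetime(2018, 2, 6, 16, 0, tzinfo=timezone.utc)

# Constructed sample standing in for the console's "Export to CSV" output.
# Column names and timestamp format are assumptions; adjust to the real export.
SAMPLE_CSV = """Hostname,Connector GUID,Last Seen
WIN-SALES-01,00000000-0000-4000-8000-000000000001,2018-02-06T15:42:10Z
WIN-HR-07,00000000-0000-4000-8000-000000000002,2018-02-07T09:03:55Z
WIN-LAB-03,00000000-0000-4000-8000-000000000003,2018-02-06T16:20:00Z
WIN-KIOSK-12,00000000-0000-4000-8000-000000000004,2018-01-20T08:00:00Z
WIN-OLD-99,00000000-0000-4000-8000-000000000005,
"""

def parse_last_seen(value):
    """Parse a 'Last Seen' cell as a UTC datetime; None when the cell is empty."""
    value = value.strip()
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def classify_connectors(csv_text, cutoff=CUTOFF, active_window=timedelta(hours=24)):
    """Split Connectors by Last Seen relative to the cutoff:
       healthy         - checked in at or after the cutoff;
       likely_affected - active within active_window before the cutoff, silent since;
       long_offline    - never seen, or last seen well before the cutoff."""
    result = {"healthy": [], "likely_affected": [], "long_offline": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = row["Hostname"]
        last_seen = parse_last_seen(row["Last Seen"])
        if last_seen is not None and last_seen >= cutoff:
            result["healthy"].append(host)
        elif last_seen is not None and last_seen >= cutoff - active_window:
            result["likely_affected"].append(host)
        else:
            result["long_offline"].append(host)
    return result

if __name__ == "__main__":
    for bucket, hosts in classify_connectors(SAMPLE_CSV).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

The "likely_affected" list is the set to check first and to reference in a TAC case; "long_offline" hosts still need a look, but their silence predates the bad definition set.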
We urge all customers who are affected by this issue to open a TAC case immediately.
Resolving this issue does involve uninstalling and reinstalling the Connector.
Uninstall via Add/Remove Programs:
a) Uninstall the Connector (choose "No" when asked if you plan to install the Connector again)
b) Re-install the Connector
Uninstall via Command Line:
<installer> /R /S /stopservicecoe 1 /remove 1
Uninstall via Command Line with Connector Protection Enabled:
There were better options for resolution than needing to use safe mode. Using the steps outlined in one of my other posts, we were able to completely script and automate the repair process, requiring only a couple reboots.
Yes it was painful, but these kinds of things happen to all vendors. If I gave up a vendor for everything that inconvenienced me, let alone the number of times TAC hasn't been able to solve my problem, I would quickly limit my options and likely put myself out of a job.