02-06-2018 12:11 PM - edited 03-08-2019 05:46 PM
Hi Everyone,
Recently we were made aware of a TETRA AV definition update which caused the Windows AMP for
Endpoints service to crash.
Note: Customers who do NOT have TETRA enabled are not affected by this issue.
While we have already removed the problematic definition set, which was available for ~30 minutes (see further notes below), affected systems will need to be fixed manually by uninstalling/re-installing the Connector (instructions below). Once the connector has been re-installed, a non-affected definition set will be downloaded and resolve the issue.
How to determine if you are impacted:
The issue causes the AMP for Endpoints service to crash or hang. The best way to determine if you have an affected system is to determine if any Connectors have been offline since the bad definition set was published.
To get the Last Seen Timestamp from the AMP Console, go to the Management tab and select Computers. From here you can download a CSV file using the "Export to CSV" option. The CSV will contain the Last Seen Timestamp. You can sort and filter on Connectors that have not been seen since 16:00 UTC February 06 2018 – these are likely Connectors that have been affected by this issue.
Resolution:
We urge all customers who are affected by this issue to open a TAC case immediately.
Resolving this issue does involve uninstalling and reinstalling the Connector.
Uninstall via Add/Remove Programs:
a) Uninstall the connector (choose "No" when asked if you plan to install the Connector again)
b) Re-install connector
Uninstall via Command Line:
<installer> /R /S /stopservicecoe 1 /remove 1
Uninstall via Command Line with Connector Protection Enabled:
<installer> /R /S /stopservicecoe 1 /remove 1 /uninstallpassword <INSERT YOUR PASSWORD>
Affected Software Versions:
All Windows Connector versions with TETRA enabled are affected on both 32bit and 64bit versions of Windows 7/8/10, Windows Server 2008R2 and Server 2012
Notes:
TETRA Definition Sets:
Faulty TETRA definition revision (16:20 UTC)
32bit = 101032, 64bit = 70876
Updated TETRA definition revision (16:50 UTC)
32bit = 101034, 64bit = 70878
A Root Cause Analysis (RCA) document will be prepared and shared with affected customers.
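The "How to determine if you are impacted" step above comes down to exporting the Computers list to CSV and filtering on Last Seen timestamps older than 16:00 UTC on 06 February 2018. The following script, added here as an example and not part of the original post or of any Cisco tooling, does that filtering over a constructed sample export. It assumes the CSV carries "Hostname" and "Last Seen" columns with ISO-8601 UTC timestamps; adjust HOST_FIELD and SEEN_FIELD to match the real export, and review any rows it cannot parse by hand.

```python
"""Flag AMP Connectors that have not checked in since the faulty TETRA
definition set was published (cut-off 16:00 UTC, 06 Feb 2018).

Added example, not from the original post or from Cisco. Column names and
timestamp format are assumptions about the Console CSV export.
"""
import csv
import io
from datetime import datetime, timezone

# Cut-off given in the post: Connectors not seen since 16:00 UTC Feb 06 2018.
CUTOFF = datetime(2018, 2, 6, 16, 0, tzinfo=timezone.utc)

# Assumed column names in the "Export to CSV" output.
HOST_FIELD = "Hostname"
SEEN_FIELD = "Last Seen"

# Constructed sample export (not real data).
SAMPLE_CSV = """Hostname,Last Seen,Connector Version
WS-ACCT-01,2018-02-06T15:58:12Z,6.0.9
WS-ACCT-02,2018-02-07T09:14:03Z,6.0.9
SRV-FILE-01,2018-02-06T16:00:00Z,6.0.7
SRV-DB-01,2018-02-06T14:30:45Z,6.0.9
WS-HR-03,not available,6.0.9
"""


def parse_last_seen(value):
    """Parse a Last Seen value into an aware UTC datetime, or None if unparsable."""
    value = value.strip()
    if value.endswith("Z"):                  # accept trailing Z on older Pythons
        value = value[:-1] + "+00:00"
    try:
        ts = datetime.fromisoformat(value)
    except ValueError:
        return None
    if ts.tzinfo is None:                    # treat naive timestamps as UTC
        ts = ts.replace(tzinfo=timezone.utc)
    return ts.astimezone(timezone.utc)


def find_suspect_connectors(csv_text, cutoff=CUTOFF):
    """Return (suspects, unparsed).

    suspects: (hostname, last_seen) pairs last seen strictly before the
              cut-off, oldest check-in first; a check-in at or after the
              cut-off counts as alive.
    unparsed: hostnames whose Last Seen value could not be parsed and
              therefore need manual review.
    """
    suspects, unparsed = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = row.get(HOST_FIELD, "").strip()
        ts = parse_last_seen(row.get(SEEN_FIELD, ""))
        if ts is None:
            unparsed.append(host)
        elif ts < cutoff:
            suspects.append((host, ts.isoformat()))
    suspects.sort(key=lambda item: item[1])
    return suspects, unparsed


if __name__ == "__main__":
    found, needs_review = find_suspect_connectors(SAMPLE_CSV)
    for host, seen in found:
        print(f"possibly affected: {host} (last seen {seen})")
    for host in needs_review:
        print(f"review manually:   {host} (Last Seen not parsable)")
```

Feed it the real export with `find_suspect_connectors(open("computers.csv").read())`; the resulting hostnames are the Connectors worth checking for a crashed or hung service before opening the TAC case and reinstalling.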
02-27-2018 08:39 AM
I can't recommend it now after being forced to uninstall AMP from over 50 PCs in Safe Mode.
02-27-2018 09:19 AM
There were better options for resolution than needing to use safe mode. Using the steps outlined in one of my other posts, we were able to completely script and automate the repair process, requiring only a couple reboots.
Yes it was painful, but these kinds of things happen to all vendors. If I gave up a vendor for everything that inconvenienced me, let alone the number of times TAC hasn't been able to solve my problem, I would quickly limit my options and likely put myself out of a job.
02-25-2018 10:49 PM
We had connector protection enabled on every client. This resulted in being unable to uninstall the AMP Client without booting in Safe Mode.
Luckily we only had this issue in our company and not as a managed service for a customer.