Resolving AMP for Endpoints TETRA Definition Issues
Recently we were made aware of a TETRA AV definition update which caused the Windows AMP for
Endpoints service to crash.
Note: Customers who do NOT have TETRA enabled are not affected by this issue.
While we have already removed the problematic definition set, which was available for ~30 minutes (see further notes below), affected systems will need to be fixed manually by uninstalling/re-installing the Connector (instructions below). Once the connector has been re-installed, a non-affected definition set will be downloaded and resolve the issue.
How to determine if you are impacted:
The issue causes the AMP for Endpoints service to crash or hang. The best way to determine if you have an affected system is to determine if any Connectors have been offline since the bad definition set was published.
To get the Last Seen Timestamp from the AMP Console, go to the Management tab and select Computers. From here you can download a CSV file using the "Export to CSV" option. The CSV will contain the Last Seen Timestamp. You can sort and filter on Connectors that have not been seen since 16:00 UTC February 06 2018 – these are likely Connectors that have been affected by this issue.
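The filtering step described above can be scripted against the exported CSV. This is an added example, not Cisco's own tooling: the column names "Hostname" and "Last Seen", the timestamp layout, and the optional ignore_before lower bound are assumptions to adjust to your export, and the sample rows are constructed.

```python
import csv
import io
from datetime import datetime, timezone

# Cutoff stated in the advisory: 16:00 UTC, February 06 2018.
CUTOFF = datetime(2018, 2, 6, 16, 0, tzinfo=timezone.utc)

# Assumed column names and timestamp layout; adjust to match your export.
HOST_COL = "Hostname"
LAST_SEEN_COL = "Last Seen"
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

def parse_last_seen(value):
    """Return an aware UTC datetime, or None if the field is empty or malformed."""
    try:
        return datetime.strptime(value.strip(), TS_FORMAT).replace(tzinfo=timezone.utc)
    except (ValueError, AttributeError):
        return None

def likely_affected(csv_file, cutoff=CUTOFF, ignore_before=None):
    """Split connectors into (not seen since cutoff, no usable timestamp).

    ignore_before (an assumption of this example) optionally drops connectors
    whose last check-in is so old that they were offline well before the cutoff.
    """
    affected, unknown = [], []
    for row in csv.DictReader(csv_file):
        host = (row.get(HOST_COL) or "").strip()
        seen = parse_last_seen(row.get(LAST_SEEN_COL))
        if seen is None:
            unknown.append(host)  # review these by hand
        elif seen <= cutoff and (ignore_before is None or seen >= ignore_before):
            affected.append((host, seen))
    return sorted(affected, key=lambda item: item[1]), unknown

# Constructed sample export (not real data).
SAMPLE = """Hostname,Last Seen
ws-001,2018-02-06T15:48:12Z
ws-002,2018-02-07T09:15:40Z
ws-003,2018-01-02T11:00:00Z
ws-004,
"""

if __name__ == "__main__":
    hits, unknown = likely_affected(io.StringIO(SAMPLE))
    for host, seen in hits:
        print(f"{host}\tlast seen {seen.isoformat()}")
    print("no usable timestamp:", ", ".join(unknown))
```

Rows with an empty or unparseable timestamp are returned separately so they are not silently counted as healthy.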
We urge all customers who are affected by this issue to open a TAC case immediately.
Resolving this issue does involve uninstalling and reinstalling the Connector.
Uninstall via Add/Remove Programs:
a) Uninstall the connector (choose "No" when asked if you plan to install the Connector again)
b) Re-install connector
Uninstall via Command Line:
<installer> /R /S /stopservicecoe 1 /remove 1
Uninstall via Command Line with Connector Protection Enabled:
There were better options for resolution than needing to use safe mode. Using the steps outlined in one of my other posts, we were able to completely script and automate the repair process, requiring only a couple reboots.
Yes it was painful, but these kinds of things happen to all vendors. If I gave up a vendor for everything that inconvenienced me, let alone the number of times TAC hasn't been able to solve my problem, I would quickly limit my options and likely put myself out of a job.