Secure Endpoint Component Download Failure

jbates5873
Level 1

Hi all,

We are an MSSP that has Secure Endpoint deployed across many systems for multiple customers.

Over the last week or 2, we have noticed a SUBSTANTIAL uptick in events relating to Component Download Failure.

These events are coming from all customers and most endpoints throughout our entire deployment. Initially we suspected it to be a glitch or something, but this has been happening consistently for our entire deployed fleet over the last week at least, possibly even 2 weeks.

Also, noting this bug report I have discovered, https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvw67151?rfs=iqvred, however, all of our connector versions are >7.4.3 and the bug report has the fix marked in version 7.4.1. So that should not be the issue.

Just wondering if it's just us, or has anyone else noticed this? For reference, we are on APJC cloud, as are all customers. I recently discovered an issue in the connector software where it would not update the policies due to Cisco not including a certificate in them when they updated. I wonder if this might be related to that?

Thought I would start here before lodging a TAC case and going through all that and them wanting a debug log for an error that we can't seem to systematically reproduce on demand (however, if it can be, please let me know).

2 Replies

Shinku
Level 1

Did you ever find a fix for this? I am running 8.1.7 and still seeing this problem on a lot of machines.

Roman Valenta
Cisco Employee

As you already know, Component Download Fail is related to a failing definition download for one of our SE engines; to be more specific, this error is related to BP (Behavioral Protection). There can be several issues that can cause this, if this is something that you see in your portal and that will not clear out on its own. Without a diagnostic bundle it's hard to tell, but there is one that has been around, which is related to an old and unsupported way of updating the connector.

On older systems that have been in service for a while, with updates pushed through SCCM or any other 3rd-party automation along with the command-line switch overridepolicy 0, you will for sure face this issue.

This is due to the overridepolicy 0 flag, which back in the day allowed businesses with hundreds of different policies to update with a single installer. With this flag you are bypassing certain files from overriding, which was OK back in the day with a single certification dependency. Since then, based on continuous demand to harden our product, that changed, and now we have secondary cert dependencies, and here is where things are getting broken. With the overridepolicy 0 flag you are not allowing certain certificates to update, making those obsolete and no longer valid.

If you are using this flag and facing this issue, you can verify this by opening local.xml and extracting the certificate that you will find inside. Simply copy the entire certificate, including

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

paste it into a text editor and save it with a .crt extension. Then open it with crypto shell, which is built into Windows.

If you see that your cert looks like those highlighted in red in this picture, which are missing the .amp extension in the Issued to: field and are valid for 10 yrs, then you are using the old, outdated and no longer valid certificate.

Example: The ones in red are updates deployed with overridepolicy 0; the rest are just updates through policy update or fresh install. Please note that initial fresh deployments are OK and you can still use your preferred automation tool; however, updates should always be done via the Secure Endpoint console.

Screenshot 2024-01-20 153039.png

If this is your issue, your only option now is to completely uninstall Secure Endpoint and deploy a fresh new install on the affected endpoint(s).

If yours looks similar to those highlighted in green, yellow or blue, those are the newer certificate formats that are used now. If you see the newer format, then the issue must be somewhere else, and in that case please open a TAC case so we can look into the issue.

Hope this helps...

Cheers Roman
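The manual certificate check from the reply above can be scripted across a fleet. This PowerShell sketch is an added example, not part of the original post or Cisco tooling: it pulls every PEM block out of the text of local.xml and flags certificates whose "Issued to" name has no `.amp` and whose validity is about 10 years. The function name, the 9.5-year threshold, the sample XML element names and the throwaway demo certificate are assumptions; it needs PowerShell 7 or Windows PowerShell 5.1 on .NET Framework 4.7.2 or later.

```powershell
# Added example: flag old-format certificates embedded in a connector's local.xml.
# Heuristic from the reply above: "Issued to" lacks ".amp" and validity is ~10 years.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function Get-EmbeddedCertReport {              # hypothetical helper name
    param([Parameter(Mandatory)][string] $XmlText)
    $pem = '-----BEGIN CERTIFICATE-----(?<b64>[A-Za-z0-9+/=\s]+?)-----END CERTIFICATE-----'
    foreach ($m in [regex]::Matches($XmlText, $pem)) {
        # Strip line breaks, decode the base64 body to DER, and parse it
        $der   = [Convert]::FromBase64String(($m.Groups['b64'].Value -replace '\s', ''))
        $cert  = [X509Certificate2]::new($der)
        $cn    = $cert.GetNameInfo([X509NameType]::SimpleName, $false)   # the "Issued to" name
        $years = [math]::Round(($cert.NotAfter - $cert.NotBefore).TotalDays / 365.25, 1)
        [pscustomobject]@{
            IssuedTo  = $cn
            NotBefore = $cert.NotBefore
            NotAfter  = $cert.NotAfter
            Years     = $years
            # Assumed threshold: 9.5 years or more counts as "valid for 10 yrs"
            OldFormat = ($cn -notmatch '\.amp') -and ($years -ge 9.5)
        }
    }
}

# Constructed sample input: a throwaway self-signed certificate valid for 10 years,
# wrapped in made-up XML element names (not the real local.xml schema).
$rsa  = [RSA]::Create(2048)
$req  = [CertificateRequest]::new('CN=constructed-demo-cert', $rsa,
            [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$now  = [DateTimeOffset]::UtcNow
$demo = $req.CreateSelfSigned($now, $now.AddYears(10))
$b64  = [Convert]::ToBase64String($demo.RawData, 'InsertLineBreaks')
$sampleXml = "<config><cert>-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----</cert></config>"

Get-EmbeddedCertReport -XmlText $sampleXml | Format-List   # demo cert reports OldFormat : True

# On an endpoint, pass the real file's text instead (supply your own path):
# Get-EmbeddedCertReport -XmlText (Get-Content -LiteralPath $pathToLocalXml -Raw)
```

A result with `OldFormat : True` corresponds to the red-highlighted case in the reply; anything else falls under the reply's "open a TAC case" path.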