MX100 AMP Blocking Microsoft Update and Java Update

enchesiah
Level 2

We bought 2x MX100 Security Appliances (retail price $4999 each + license). We are currently running the latest stable firmware, 12.24, and it blocks all devices from downloading Windows updates and Adobe updates even though I whitelisted all known Microsoft update sites. Meraki's solutions:

1) Disable AMP (risk of getting malware)

2) Upgrade firmware to V14 beta (running a critical production network on beta firmware?)

If anyone has a better workaround, please help!


Shanec1
Community Member
We too have issues with AMP on our MX100 for various downloads, saying it's a network error, etc. We're not willing to go on betas in a production environment, and I know turning off AMP will sort it, but that defeats the purpose of paying for the advanced licence.

We have the same issue. This seems to be a known problem with the MX100 only. I tried everything to find a workaround but had no luck. Here are basically your options.

1) Turn off AMP
2) Upgrade to the v13 beta firmware (I did that in my environment with 500 users, multiple VPNs, etc., and it works great so far). Worst case, it's a one-click rollback to v12. I understand the word beta is scary, but v13 has already been around for a long time. V14 is already available, but Meraki support needs to manually push it on their end. My suggestion is to upgrade to v13 and keep your eye on it.

I've been having the same issue since 2016. A couple of our Meraki sites (MX64s) have reported file download failures when AMP is enabled. This issue manifests itself in a weird way: they work sometimes.

https://documentation.meraki.com/MX-Z/Content_Filtering_and_Threat_Protection/Advanced_Malware_Protection_(AMP)

This is a known issue with Cisco Meraki AMP. Sometimes files will change disposition based on new threat intelligence gained by the AMP cloud, which then sees clean files as malicious and blocks them.

Per Meraki, most customers are experiencing similar issues and they are working on a permanent fix soon????

Since we don't want to disable AMP as a fix, here is a workaround:

  1. Turning AMP off and on for 10 minutes and then whitelisting the URL sometimes seems to do the trick.
  2. In some instances, a code upgrade to the 13.25 beta firmware may resolve the issue, but I won't recommend this, as it has not always worked for every MX and can cause other network issues (verify with Meraki first).

c0sm0
Community Member

Yup, seen this too. Meraki MX64 and 64W.

The solution is to add the site to the whitelist, turn off AMP, wait, turn on AMP, and wait.

I whitelisted the following for Windows Updates:

microsoft.com

windowsupdate.com

Meraki filtering assumes all subdomains allowed as well on the above.

mw_awa
Community Member

Thank you, just wanted to reply stating that c0sm0's workaround fixes the issue. I'm running WSUS for domain-joined machines, but some BYOD laptops on our Wi-Fi could not get Windows updates over the internet. Running MX100 and MX64 on 13.3.

StevenBosco
Community Member

I just had a similar issue, and wanted to describe it for others' reference. All Windows 8 era machines (8, 8.1, WS2012, WS2012 R2) would not update and gave the error code 0x8024402F. This began seemingly sporadically in November of 2018, and audit logs did not show any system configuration changes around that time. The ultimate cause appeared to be AMP blocking Windows from downloading legitimate .cab files from Microsoft websites. In the Security Center event logs, no events were posted indicating that any blocking had occurred. After searching for other issues with our client machines or content filters, we were able to solve the problem very simply by merely disabling AMP and re-enabling it shortly thereafter. The updates started flowing again just fine after resetting AMP in this way, and we have not had any issues with downloading legitimate .cab or .diagcab files since. I'm not sure if there was some hang in the process that is supposed to be scanning .cab files or with the malware definitions in AMP, but toggling the enable configuration fixed the problem.

For this problem, the best solution is to install the 14.x beta firmware. It prevents AMP from getting "indigestion" and blocking downloads based on false positives.

My procedure is:

Restart AMP: disable it, save, wait for the MX to update its config, then re-enable it.

Enable beta firmware under Network-wide -> General and schedule an update for a maintenance window via Organization -> Firmware Updates.