This document outlines compatibility details and product update information of AMP for Endpoints regarding the Microsoft Security Updates and Knowledge Base articles (KB4072699, KB4056892) released on January 3, 2018 to address the Meltdown and Spectre vulnerabilities (CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754). This information is applicable to AMP for Endpoints Windows Connectors deployed on the public AMP Cloud and AMP Private Cloud environments.
This Microsoft Security Update comes with changes that may break compatibility with antivirus software. Microsoft has instituted a new requirement that security vendors validate compatibility with the security update before accepting the security update for installation.
With the complexity of the issue and number of vendors involved in the response, Cisco is providing the following guidance for customers to decide how to apply and upgrade their Cisco AMP for Endpoints software and underlying operating system. Customers must also review the applicability of any required hardware patches, which is not covered by this document.
The Cisco AMP for Endpoints engineering team has tested and verified compatibility with the following versions of the AMP for Endpoints software on the supported Microsoft operating systems.
Table 1 – Verified AMP for Endpoints Connector Versions
AMP Private Cloud:
    Cisco AMP for Endpoints v5.1.11
Public AMP Cloud:
    Cisco AMP for Endpoints v4.4.4
    Cisco AMP for Endpoints v5.0.7
    Cisco AMP for Endpoints v5.0.9
    Cisco AMP for Endpoints v5.1.1
    Cisco AMP for Endpoints v5.1.3
    Cisco AMP for Endpoints v5.1.5
    Cisco AMP for Endpoints v5.1.7
    Cisco AMP for Endpoints v5.1.9
    Cisco AMP for Endpoints v5.1.11
    Cisco AMP for Endpoints v5.1.13
    Cisco AMP for Endpoints v6.0.5
Table 2 – Verified Operating Systems
    Microsoft Windows 7 SP1
    Microsoft Windows 8.1
    Microsoft Windows 10
    Microsoft Windows Server 2008 R2
    Microsoft Windows Server 2012
Note: Versions not listed are no longer supported by the AMP for Endpoints Connector, are not supported by Microsoft and the released Security Updates, or both.
Complete resolution of the vulnerabilities may require hardware patches provided by each vendor. Cisco Engineering has validated on hardware from multiple hardware vendors, but you must validate for the specific hardware deployed within your environment.
Customers are required to upgrade to a version of the Cisco AMP for Endpoints Connector that has been tested and verified to be compatible with the Microsoft Security Update (see Table 1, Table 2). In addition, customers will need to manually set the required compatibility registry key detailed in Microsoft KB4056892 after verifying all third-party endpoint security software installed on the endpoint is compatible.
Once the compatibility registry key is set, the underlying operating system will allow the installation of the released Microsoft Security Updates.
- Ensure the deployed Cisco AMP for Endpoints Windows Connectors are a compatible and verified version (see Table 1, Table 2).
- Validate compatibility of all third-party endpoint security software installed on the endpoint.
- Set the required compatibility registry key to allow the Microsoft Security Update to be applied (KB4056892).
- Thoroughly test the deployment on staging systems prior to deployment in production environments.
- Research and test any patches required by your hardware vendor.
It is highly recommended customers validate and test in a staging environment with all endpoint security software deployed prior to setting the compatibility registry key in a production environment. Inadvertently setting the compatibility registry key on devices with third-party endpoint security software incompatible with the Microsoft Security Update may result in a Blue Screen of Death (BSOD).
Caveats and Considerations
Customers should be aware of the following:
- Customers must validate compatibility of all endpoint security software installed in their environment prior to setting the compatibility registry key.
- The registry key is not specific to Cisco AMP for Endpoints. Setting the compatibility registry key will allow the Microsoft Security Update to be applied without validation of additional third-party endpoint security software running on the device.
- Devices may experience a BSOD if the registry key is set when incompatible third-party endpoint security software is deployed.
- Full resolution of the vulnerabilities may require hardware patches released by each vendor. Testing in your environment should include software and hardware patches.
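As an added example (not part of the Cisco advisory), the following PowerShell pre-flight encodes Tables 1 and 2 and the caveats above: it refuses to write the KB4056892 compatibility value unless the connector version and operating system are on the verified lists and the operator explicitly asserts that third-party endpoint security software has been validated, and it reports whether the value is already present so hosts where the gate was opened prematurely can be found. The registry path and value name are the ones Microsoft documents in KB4056892; how the connector version is obtained is assumed to be handled by your own inventory tooling.

```powershell
# Added example, not from the Cisco advisory. Encodes Tables 1 and 2 and gates the
# KB4056892 compatibility value behind those checks plus an explicit operator assertion.
$VerifiedPublicCloud  = '4.4.4','5.0.7','5.0.9','5.1.1','5.1.3','5.1.5','5.1.7','5.1.9','5.1.11','5.1.13','6.0.5'
$VerifiedPrivateCloud = @('5.1.11')
# Regexes matched against Win32_OperatingSystem.Caption; service-pack level (Windows 7 SP1) is not checked here.
$VerifiedOsPatterns   = 'Windows 7 ', 'Windows 8\.1', 'Windows 10', 'Server 2008 R2', 'Server 2012(?! R2)'

# Registry path and value name as documented by Microsoft in KB4056892.
$CompatKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$CompatValue = 'cadca5fe-e10e-4c00-8c8d-d5a7d9a8e6b2'

function Test-AmpVerified {
    param(
        [Parameter(Mandatory)][string]$ConnectorVersion,            # assumed to come from your inventory tooling, e.g. '5.1.11'
        [ValidateSet('Public','Private')][string]$Cloud = 'Public'
    )
    $list = if ($Cloud -eq 'Private') { $VerifiedPrivateCloud } else { $VerifiedPublicCloud }
    return ($list -contains $ConnectorVersion)
}

function Test-OsVerified {
    $caption = (Get-CimInstance Win32_OperatingSystem).Caption
    foreach ($p in $VerifiedOsPatterns) { if ($caption -match $p) { return $true } }
    return $false
}

function Get-CompatKeyState {
    # Detection use: report hosts where the value was written before validation finished.
    $v = Get-ItemProperty -Path $CompatKey -Name $CompatValue -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 'NotSet' }
    if ($v.$CompatValue -eq 0) { return 'Set' }
    return 'UnexpectedData'
}

function Set-CompatKeyIfVerified {
    param(
        [Parameter(Mandatory)][string]$ConnectorVersion,
        [ValidateSet('Public','Private')][string]$Cloud = 'Public',
        [switch]$ThirdPartyValidated   # pass only after every other vendor's product is confirmed compatible
    )
    if (-not $ThirdPartyValidated) { throw 'Third-party endpoint security software not validated; refusing to set key.' }
    if (-not (Test-AmpVerified -ConnectorVersion $ConnectorVersion -Cloud $Cloud)) {
        throw "AMP for Endpoints Connector $ConnectorVersion is not a verified version (Table 1)."
    }
    if (-not (Test-OsVerified)) { throw 'Operating system is not a verified version (Table 2).' }
    if (-not (Test-Path $CompatKey)) { New-Item -Path $CompatKey -Force | Out-Null }
    New-ItemProperty -Path $CompatKey -Name $CompatValue -PropertyType DWord -Value 0 -Force | Out-Null
    return Get-CompatKeyState
}
```

Run `Get-CompatKeyState` across a fleet first to find hosts already set to 'Set' without a recorded validation; `Set-CompatKeyIfVerified` requires an elevated session to write under HKLM.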