This document outlines compatibility details and product update information of AMP for Endpoints regarding the Microsoft Security Updates and Knowledge Base articles (KB4072699, KB4056892) released on January 3, 2018 to address the Meltdown and Spectre vulnerabilities (CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754). This information is applicable to AMP for Endpoints Windows Connectors deployed on the public AMP Cloud and AMP Private Cloud environments.
This Microsoft Security Update comes with changes that may break compatibility with antivirus software. Microsoft has instituted a new requirement that security vendors validate compatibility with the security update before accepting the security update for installation.
With the complexity of the issue and number of vendors involved in the response, Cisco is providing the following guidance for customers to decide how to apply and upgrade their Cisco AMP for Endpoints software and underlying operating system. Customers must also review the applicability of any required hardware patches, which is not covered by this document.
The Cisco AMP for Endpoints engineering team has tested and verified compatibility with the following versions of the AMP for Endpoints software on the supported Microsoft operating systems.
Table 1 – Verified AMP for Endpoints Connector Versions
AMP Private Cloud
Cisco AMP for Endpoints v5.1.11
Public AMP Cloud
Cisco AMP for Endpoints v4.4.4
Cisco AMP for Endpoints v5.0.7
Cisco AMP for Endpoints v5.0.9
Cisco AMP for Endpoints v5.1.1
Cisco AMP for Endpoints v5.1.3
Cisco AMP for Endpoints v5.1.5
Cisco AMP for Endpoints v5.1.7
Cisco AMP for Endpoints v5.1.9
Cisco AMP for Endpoints v5.1.11
Cisco AMP for Endpoints v5.1.13
Cisco AMP for Endpoints v6.0.5
Table 2 – Verified Operating Systems
Microsoft Windows 7 SP1
Microsoft Windows 8.1
Microsoft Windows 10
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Note: Versions not listed are either no longer supported by the AMP for Endpoints Connector and/or not supported by Microsoft and the released Security Updates.
Complete resolution of the vulnerabilities may require hardware patches provided by each vendor. Cisco Engineering has validated on hardware from multiple hardware vendors, but you must validate for the specific hardware deployed within your environment.
Customers are required to upgrade to a version of the Cisco AMP for Endpoints Connector that has been tested and verified to be compatible with the Microsoft Security Update (see Table 1, Table 2). In addition, customers will need to manually set the required compatibility registry key detailed in Microsoft KB4056892 after verifying all third-party endpoint security software installed on the endpoint is compatible.
Once the compatibility registry key is set, the underlying operating system will allow the installation of the released Microsoft Security Updates.
Ensure the deployed Cisco AMP for Endpoints Windows Connectors are a compatible and verified version (see Table 1, Table 2)
Validate compatibility of all third-party endpoint security software installed on the endpoint
Set the required compatibility registry key to allow the Microsoft Security Update to be applied (KB4056892)
Thoroughly test the deployment on staging systems prior to deployment in production environments.
Research and test any patches required by your hardware vendor.
It is highly recommended customers validate and test in a staging environment with all endpoint security software deployed prior to setting the compatibility registry key in a production environment. Inadvertently setting the compatibility registry key on devices with third-party endpoint security software incompatible with the Microsoft Security Update may result in a Blue Screen of Death (BSOD).
Caveats and Considerations
Customers should be aware of the following:
Customers must validate compatibility of all endpoint security software installed in your environment prior to setting the compatibility registry key.
The registry key is not specific to Cisco AMP for Endpoints. Setting the compatibility registry key will allow the Microsoft Security Update to be applied without validation of additional third-party endpoint security software running on the device.
Devices may experience a BSOD if the registry key is set when incompatible third-party endpoint security software is deployed.
Full resolution of the vulnerabilities may require hardware patches released by each vendor. Testing in your environment should include software and hardware patches.
I need to run OSPF over site-to-site IPsec tunnel on ASA.
basically I have HQ, and 3 branches that need to be connected to the HQ via site-to-site and most importantly to run OSPF over the IPsec tunnel instead of default route.
I need advise, I'm in a project where I have to replace a pulsesecure platform with two firepowers 2110 and an ISE controller. At first it didn't seem very dificult but when I started looking closely at the Pulsesecure policy I noticed that they ...
I have a client at 10.81.113.11 that needs to access 172.16.3.2 over a site to site vpn tunnel...
I can ping 172.16.3.2 from this client 10.81.113.11 AND I can RDP to it....but I am wondering why its not showing up in the sa??
ASA-01# show c...
I have 3 users (that have reported the issue at least) that are periodically being blocked by NAC due to the Windows Firewall check failing. The Windows Firewall is in fact enabled and running because it's being managed by Grou...