Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)

Re: Resolving AMP for Endpoints TETRA Definition Issues

Your could change the resolution script like this:

 

    # remediation:
   
    $sfc = @(Get-ChildItem -Path "$env:ProgramFiles\Cisco\AMP" -Recurse -Include "sfc.exe")
    $sfc | foreach { .$($_.fullname) -k <YOUR PASSWORD> }
   
    $svc = Get-Service | Where-Object {$_.name -match "ciscoamp"}
    if ($svc.status -eq "running") {
        Stop-Service $svc -Force
    }

    Remove-Item "$env:ProgramFiles\Cisco\AMP\tetra\Plugins\*" -Force
    Remove-Item "$env:ProgramFiles\Cisco\AMP\update\Plugins\*" -Force
    Start-Service $svc

Community Member

Re: Resolving AMP for Endpoints TETRA Definition Issues

Same Problem

6261711391345530340.jpg

Community Member

Re: Resolving AMP for Endpoints TETRA Definition Issues

Trying to modify the provided script in the OP using the documentation here ( https://www.cisco.com/c/en/us/support/docs/security/sourcefire-fireamp-endpoints/118588-technote-fireamp-00.html ) since we have connector protection enabled. Currently not working (access denied) but still trying.

Cisco Employee

Re: Resolving AMP for Endpoints TETRA Definition Issues

  1. Try this addition to the script to get it to disable the connector protection.
  2. :: START cmd.exe /c "cd C:\Program Files\Cisco\AMP\<version you're running > & sfc.exe -k <connector protection password>" 

    START cmd.exe /c "cd C:\Program Files\Cisco\AMP\5.1.13 & sfc.exe -k Cisco123456"
    timeout 10 > nul
    del "C:\Program Files\Cisco\AMP\tetra\Plugins\*" /q
    del "C:\Program Files\Cisco\AMP\update\Plugins\*" /q
    timeout 5 > nul
    wmic service where "name like 'CiscoAMP%%'" call startservice > nul
Community Member

Re: Resolving AMP for Endpoints TETRA Definition Issues

That one solved the problem - thanks.

 

Uninstall.

Choose no - (all files including quarantined are deleted).

Reboot.

Download and install connector.

Highlighted
Cisco Employee

Re: Resolving AMP for Endpoints TETRA Definition Issues

Fixed my problem and the Window's security definition error, and the very slow response my PC was having.  All is well now thankfully.

Community Member

Re: Resolving AMP for Endpoints TETRA Definition Issues

It is not possible to delete definition files after stopping the Service.

Looks like the Kerneldriver is preventing changes in AMP-Directory

 

 

thanks Cisco for this great Product

 

Community Member

Re: Resolving AMP for Endpoints TETRA Definition Issues

I haven't encountered duplicates in AMP by using the 'say no'-solution.

 

Advise: Try a few machines and check AMP before continuing.

 

Community Member

Re: Resolving AMP for Endpoints TETRA Definition Issues

you are right

changed my reply

Community Member

Re: Resolving AMP for Endpoints TETRA Definition Issues

Are there any "Mass deployment" solution to this mess? this is really bad for a corporate environment to Uninstall the connector, Force a reboot, Install the connector and force another reboot..

Community Member

Re: Resolving AMP for Endpoints TETRA Definition Issues

Need a way to manage definitions through the console. Also need status information in the console on whether a connector is connected or not. Not really an enterprise solution with so little control over the endpoints. 

Community Member

Re: Resolving AMP for Endpoints TETRA Definition Issues

The delete_defs.bat script does not work for mass deployment purposes as it relies on manual elevation of the command prompt to delete the problematic files.

Alternatively, I'm unaware of a CLI parameter that can be set with the execution of the uninstall.exe executable in the local Cisco AMP version folder that would allow for the scripting of the AMP's uninstallation that includes removal of the definitions as well.

Cisco AMP customers need a better solution than has been provided to accommodate the large scope of machines that have been impacted. A manual machine-by-machine resolution is not optimal for companies managing hundreds or thousands of computers.

Community Member

Re: Resolving AMP for Endpoints TETRA Definition Issues

Can we get more details on this issue?  Are all versions of connector afffected?  What is the TETRA definition version number that is the issue?  Does the connector stop working completely until the fix is applied or does a reboot temporarily get it going again with the possibility of another crash? 
That information would greatly help us determine our exposure and assist in our remediation planning.

Community Member

Re: Resolving AMP for Endpoints TETRA Definition Issues

I would really like to get some explanation of the 0016 timestamp. Are you saying anything that has checked in from 0017 on is okay? Is it anything in a certain window?

Cisco Employee

Re: Resolving AMP for Endpoints TETRA Definition Issues

Rather than manually touching each endpoint, please remember you can push uninstalls and reinstalls via SCCM or any other deployment  tool using Command Line Switches. These are listed in the latest Deployment Strategy Guide on page 26.

 https://docs.amp.cisco.com/en/A4E/AMP%20for%20Endpoints%20Deployment%20Strategy.pdf

 

/remove 1       Uninstalls the Connector and removes all associated file

So you can use these commands:

<installer> /r /S /stopservicecoe 1 /remove 1

 <installer> /r /S /stopservicecoe 1 /remove 1 /uninstallpassword <INSERT YOUR PASSWORD>

 to remove the application. The <installer> should be the original installation file for the AMP for Endpoints Connector.

 

Todd

 

8344
Views
185
Helpful
47
Replies
CreatePlease to create content