cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
31330
Views
30
Helpful
3
Comments
aledipas
Cisco Employee
Cisco Employee

Wednesday January 17, 2018

 

This document outlines compatibility details and product update information of AMP for Endpoints regarding the Microsoft Security Updates and Knowledge Base articles (KB4072699, KB4056892) released on January 3, 2018 to address the Meltdown and Spectre vulnerabilities (CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754).  This information is applicable to AMP for Endpoints Windows Connectors deployed on the public AMP Cloud and AMP Private Cloud environments.

 

This Microsoft Security Update comes with changes that may break compatibility with antivirus software.  Microsoft has instituted a new requirement that security vendors validate compatibility with the security update before accepting the security update for installation.

 

With the complexity of the issue and number of vendors involved in the response, Cisco is providing the following guidance for customers to decide how to apply and upgrade their Cisco AMP for Endpoints software and underlying operating system.  Customers must also review the applicability of any required hardware patches, which is not covered by this document.

 

Version Compatibility

The Cisco AMP for Endpoints engineering team has tested and verified compatibility with the following versions of the AMP for Endpoints software on the supported Microsoft operating systems.

 

Table 1 – Verified AMP for Endpoints Connector Versions

AMP Private Cloud

Cisco AMP for Endpoints v5.1.11

Public AMP Cloud

Cisco AMP for Endpoints v4.4.4

Cisco AMP for Endpoints v5.0.7

Cisco AMP for Endpoints v5.0.9

Cisco AMP for Endpoints v5.1.1

Cisco AMP for Endpoints v5.1.3

Cisco AMP for Endpoints v5.1.5

Cisco AMP for Endpoints v5.1.7

Cisco AMP for Endpoints v5.1.9

Cisco AMP for Endpoints v5.1.11

Cisco AMP for Endpoints v5.1.13

Cisco AMP for Endpoints v6.0.5

 

Table 2 – Verified Operating Systems

Microsoft Windows 7 SP1

Microsoft Windows 8.1

Microsoft Windows 10

Microsoft Windows Server 2008 R2

Microsoft Windows Server 2012

 

Note: Versions not listed are either no longer supported by the AMP for Endpoints Connector and/or not supported by Microsoft and the released Security Updates.

 

Complete resolution of the vulnerabilities may require hardware patches provided by each vendor.  Cisco Engineering has validated on hardware from multiple hardware vendors, but you must validate for the specific hardware deployed within your environment.

 

Customer Action

Customers are required to upgrade to a version of the Cisco AMP for Endpoints Connector that has been tested and verified to be compatible with the Microsoft Security Update (see Table 1, Table 2).  In addition, customers will need to manually set the required compatibility registry key detailed in Microsoft KB4056892 after verifying all third-party endpoint security software installed on the endpoint is compatible.

 

Once the compatibility registry key is set, the underlying operating system will allow the installation of the released Microsoft Security Updates.

 

Further information from Microsoft: Important information regarding the Windows security updates released on January 3, 2018 and anti-virus software

 

Customer Responsibility

Cisco recommends the following:

  • Ensure the deployed Cisco AMP for Endpoints Windows Connectors are a compatible and verified version (see Table 1, Table 2)
  • Validate compatibility of all third-party endpoint security software installed on the endpoint
  • Set the required compatibility registry key to allow the Microsoft Security Update to be applied (KB4056892)
  • Thoroughly test the deployment on staging systems prior to deployment in production environments.
  • Research and test any patches required by your hardware vendor.

 

It is highly recommended customers validate and test in a staging environment with all endpoint security software deployed prior to setting the compatibility registry key in a production environment.  Inadvertently setting the compatibility registry key on devices with third-party endpoint security software incompatible with the Microsoft Security Update may result in a Blue Screen of Death (BSOD).

 

Caveats and Considerations

Customers should be aware of the following:

  • Customers must validate compatibility of all endpoint security software installed in your environment prior to setting the compatibility registry key.
  • The registry key is not specific to Cisco AMP for Endpoints. Setting the compatibility registry key will allow the Microsoft Security Update to be applied without validation of additional third-party endpoint security software running on the device.
  • Devices may experience a BSOD if the registry key is set when incompatible third-party endpoint security software is deployed.
  • Full resolution of the vulnerabilities may require hardware patches released by each vendor. Testing in your environment should include software and hardware patches.
  • This has been verified on a limited basis on systems with branch target injection (BTI).

 

Additional References

Talos Intelligence: Meltdown and Spectre

Microsoft KB4072699

Microsoft KB4056892

CVE-2017-5753

CVE-2017-5715

CVE-2017-5754

Project Zero: Reading privileged memory with a side-channel

 

This document will be updated with additional details as information is available and development continues.

 

Revision History:

2018-01-05.01 – Initial Release

2018-01-05.02 – Update to reflect details for AMP for Endpoints Windows Connectors.

2018-01-09.01 – Updated with AMP Private Cloud support details.

2018-01-10.01 – Updated cloud support and corrected OS version support to SP1 on Windows 7. Update additional references section.

2018-01-11.01 – Added Connector version support.

2018-01-15.01 – Added Connector version support.

2018-01-17.01 – Added Connector version support.

 

Comments
fmpacisco
Level 1
Level 1

For computers that haven't had the patch installed, will AMP for Endpoints protect from the Meltdown and Spectre Intel chip flaw?  

 

 

GreatSpider
Level 1
Level 1

fmpacisco,

 

Likely not: Look at the FAQ section here:

 

https://meltdownattack.com/


schuang
Cisco Employee
Cisco Employee
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: