https://community.cisco.com/t5/endpoint-security/cisco-amp4e-blocking-explorer-exe/m-p/4118544#M5538 <P>Hello,</P> <P>&nbsp;</P> <P>Normally AMP would not block Explorer.exe, due to it is protected by Rail Guards, the fact that AMP is causing this issue points me to think that someone configured an Application blocking and added explorer.exe into it.</P> <P>To determine if this is correct, I would go to the Audit Logs (Accounts - Audit Logs), filter by the Policy that is causing the issue and check the update events looking for a change on regards to Application Blocking.</P> Tue, 14 Jul 2020 16:10:33 GMT UMontero 2020-07-14T16:10:33Z https://community.cisco.com/t5/endpoint-security/cisco-amp4e-blocking-explorer-exe/m-p/4118252#M5536 <P>Hello.</P><P>Cisco AMP4E&nbsp; blocking explorer.exe&nbsp; (windows explorer. exe) and we get black screen.&nbsp;</P><P>How to know why it's happened ?&nbsp; Why AMP4E&nbsp; can't<SPAN>&nbsp;</SPAN>get a handle on the process's executable<BR />On Event details we get this information.&nbsp; (&nbsp;Now i use in audit mode for testing because i get black screen on protect mode.)<BR /><BR /></P><P>Detected but did not block (Audit mode)</P><P>Created by an unknown process. Could<SPAN>&nbsp;</SPAN><SPAN class="warn">not</SPAN><SPAN>&nbsp;</SPAN>get a handle on the process's executable.</P><HR /><P>File full path:<SPAN>&nbsp;</SPAN><SPAN class="datum long_words">C:\Windows\explorer.exe</SPAN></P><P>File SHA-1:<SPAN>&nbsp;</SPAN><SPAN class="det_smaller datum">f7152a8cb963cefdfa65d35a3565c3549b223a26</SPAN>.</P><P>File MD5:<SPAN>&nbsp;</SPAN><SPAN class="det_smaller datum">a77d56422c38c1f8a00d95d2d5b1675e</SPAN>.</P><P>File size:<SPAN>&nbsp;</SPAN><SPAN class="datum">3904296 bytes</SPAN>.</P><P>File age:<SPAN>&nbsp;</SPAN><SPAN class="datum">0 seconds</SPAN>.</P><P>File signed by<SPAN>&nbsp;</SPAN><SPAN class="datum">Microsoft Windows</SPAN><SPAN>&nbsp;</SPAN>with certificate serial 330000017469de108b3765a8d7000000000174 from Microsoft Windows Production PCA 2011. Expired 20:23:35, Sat Aug 11 2018 UTC.</P><P>File cert MD5:<SPAN>&nbsp;</SPAN><SPAN class="det_smaller datum">0cbcc628b4758f8db5b9048f5136a6c9</SPAN>.</P><P>File cert SHA-1:<SPAN>&nbsp;</SPAN><SPAN class="det_smaller datum">419e77aed546a1a6cf4dc23c1f977542fe289cf7</SPAN>.</P> Tue, 14 Jul 2020 11:30:07 GMT https://community.cisco.com/t5/endpoint-security/cisco-amp4e-blocking-explorer-exe/m-p/4118252#M5536 sfismayilov 2020-07-14T11:30:07Z https://community.cisco.com/t5/endpoint-security/cisco-amp4e-blocking-explorer-exe/m-p/4118544#M5538 <P>Hello,</P> <P>&nbsp;</P> <P>Normally AMP would not block Explorer.exe, due to it is protected by Rail Guards, the fact that AMP is causing this issue points me to think that someone configured an Application blocking and added explorer.exe into it.</P> <P>To determine if this is correct, I would go to the Audit Logs (Accounts - Audit Logs), filter by the Policy that is causing the issue and check the update events looking for a change on regards to Application Blocking.</P> Tue, 14 Jul 2020 16:10:33 GMT https://community.cisco.com/t5/endpoint-security/cisco-amp4e-blocking-explorer-exe/m-p/4118544#M5538 UMontero 2020-07-14T16:10:33Z https://community.cisco.com/t5/endpoint-security/cisco-amp4e-blocking-explorer-exe/m-p/4118969#M5542 thanks for your reply.<BR />we are in deploy phase. İ decided do it afresh and<BR />i cleaned all block list and another lists. ( there are many people worked on this ).<BR />i'll track all changes .<BR />if it will appear again i'll reply Wed, 15 Jul 2020 07:48:06 GMT https://community.cisco.com/t5/endpoint-security/cisco-amp4e-blocking-explorer-exe/m-p/4118969#M5542 sfismayilov 2020-07-15T07:48:06Z https://community.cisco.com/t5/endpoint-security/cisco-amp4e-blocking-explorer-exe/m-p/4119320#M5548 <P>Got it,</P> <P>&nbsp;</P> <P>I hope everything gets resolved, if you encounter any issue, don't hesitate to reply back.</P> Wed, 15 Jul 2020 16:37:09 GMT https://community.cisco.com/t5/endpoint-security/cisco-amp4e-blocking-explorer-exe/m-p/4119320#M5548 UMontero 2020-07-15T16:37:09Z