https://community.cisco.com/t5/endpoint-security/cisco-amp-issue-with-wscript-on-xenapp-servers/m-p/4263059#M5895 <P>So here is our situation.&nbsp; For years we have had a Virtual Printer on our Xenapp Servers, and worked no problem with Cisco Amp.&nbsp; When someone prints to this virtual printer, after printing is completed, a Batch File is called that has a wscript in it.</P><P>&nbsp;</P><P>What is happening, since December 8th, is that the Cisco Amp is reporting the wscript as an exploit prevention, which I understand why it would do it.</P><P>&nbsp;</P><P>Here's the thing - It does not do it for all users.&nbsp; Only a handful!</P><P>&nbsp;</P><P>If I stop the cisco amp service and have them do it again, they are fine and everything works.&nbsp; I then can turn back on the Cisco Amp service, and the user is fine for the rest of the day, even if they log off and back onto the citrix server.&nbsp; However, the next day, the same problem arises.&nbsp; This happens on all of our citrix servers (we have 6 of them load balanced).</P><P>&nbsp;</P><P>Any idea why this started on December 8th with no changes made to the policy or update to Cisco Amp, and, why is it only happening to a few users, and not all of them?</P><P>&nbsp;</P><P>Any help would be appreciated!</P> Wed, 23 Dec 2020 17:23:31 GMT BrianCaza84301 2020-12-23T17:23:31Z https://community.cisco.com/t5/endpoint-security/cisco-amp-issue-with-wscript-on-xenapp-servers/m-p/4263059#M5895 <P>So here is our situation.&nbsp; For years we have had a Virtual Printer on our Xenapp Servers, and worked no problem with Cisco Amp.&nbsp; When someone prints to this virtual printer, after printing is completed, a Batch File is called that has a wscript in it.</P><P>&nbsp;</P><P>What is happening, since December 8th, is that the Cisco Amp is reporting the wscript as an exploit prevention, which I understand why it would do it.</P><P>&nbsp;</P><P>Here's the thing - It does not do it for all users.&nbsp; Only a handful!</P><P>&nbsp;</P><P>If I stop the cisco amp service and have them do it again, they are fine and everything works.&nbsp; I then can turn back on the Cisco Amp service, and the user is fine for the rest of the day, even if they log off and back onto the citrix server.&nbsp; However, the next day, the same problem arises.&nbsp; This happens on all of our citrix servers (we have 6 of them load balanced).</P><P>&nbsp;</P><P>Any idea why this started on December 8th with no changes made to the policy or update to Cisco Amp, and, why is it only happening to a few users, and not all of them?</P><P>&nbsp;</P><P>Any help would be appreciated!</P> Wed, 23 Dec 2020 17:23:31 GMT https://community.cisco.com/t5/endpoint-security/cisco-amp-issue-with-wscript-on-xenapp-servers/m-p/4263059#M5895 BrianCaza84301 2020-12-23T17:23:31Z https://community.cisco.com/t5/endpoint-security/cisco-amp-issue-with-wscript-on-xenapp-servers/m-p/4266246#M5898 <P>Hello&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1146876">@BrianCaza84301</a>,<BR />there was a new feature added to exPrev to protect the system against&nbsp;Script related attacks. i assume this new settings generates the events. You can disable this setting.</P> <P>Greetings,</P> <P>Thorsten</P> Mon, 04 Jan 2021 09:48:04 GMT https://community.cisco.com/t5/endpoint-security/cisco-amp-issue-with-wscript-on-xenapp-servers/m-p/4266246#M5898 Troja007 2021-01-04T09:48:04Z https://community.cisco.com/t5/endpoint-security/cisco-amp-issue-with-wscript-on-xenapp-servers/m-p/4266459#M5899 Can you please provide instructions as to where this can be disabled.....<BR /> Mon, 04 Jan 2021 14:57:48 GMT https://community.cisco.com/t5/endpoint-security/cisco-amp-issue-with-wscript-on-xenapp-servers/m-p/4266459#M5899 BrianCaza84301 2021-01-04T14:57:48Z