topic Re: Cisco Secure Endpoint 8.1.7 issue(s) in Endpoint Security

Cisco Secure Endpoint 8.1.7 issue(s)

John.Pitner — Wed, 19 Apr 2023 19:06:22 GMT

I deployed Cisco Secure Endpoint Windows Connector 8.1.7. Deploying it to our end users locked up Office, some browsers, and some shortcuts became unresponsive. After removal of 8.1.7 the issue went away. Reverting back 8.1.5

Anyone else having an issue with Cisco Secure Endpoint 8.1.7?

Re: Cisco Secure Endpoint 8.1.7 issue(s)

LudoD — Wed, 19 Apr 2023 19:14:16 GMT

Hi,

I have the exact same problem.
Do you have another antivirus installed on the computers ?

We are using FortiEDR (in test, simulation mode for the moment).
With Cisco 8.1.7 and FortiEDR enabed : Office, Chrome, MMC, others apps, don't response.
With Cisco 8.1.7 and FortiEDR disabled : all is OK.
With Cisco 8.1.5 and FortiEDR enabled : all is OK.

I'm uninstalling 8.1.7 and reinstalling 8.1.5

Re: Cisco Secure Endpoint 8.1.7 issue(s)

John.Pitner — Wed, 19 Apr 2023 19:29:20 GMT

We do have Cortex XDR 8.0.0 running on all our machines, but none of my previous deployments of Cisco Secure Endpoint have I ever had issues like this.

Re: Cisco Secure Endpoint 8.1.7 issue(s)

Marvin Rhoads — Wed, 19 Apr 2023 19:30:56 GMT

No problems with 8.1.7 on my windows 11 PC with Microsoft Defender also installed.

Have you created exclusions for FortiEDR?

"You must create exclusions for the connector in antivirus products running on your endpoints to prevent conflicts. Consult your antivirus software documentation for instructions on excluding files, directories, and processes from being scanned." (source: Secure Endpoint Deployment Strategy found at https://console.amp.cisco.com/docs)

Re: Cisco Secure Endpoint 8.1.7 issue(s)

Ken Stieers — Wed, 19 Apr 2023 19:32:27 GMT

We haven't seen anything like this on our test boxes yet...

Re: Cisco Secure Endpoint 8.1.7 issue(s)

LudoD — Wed, 19 Apr 2023 19:39:26 GMT

Basic Microsoft Defender or Defender for Endpoint ?

Yes, exclusions are created in FortiEDR for Cisco Secure Endpoint and in Cisco Secure Endpoint for FortiEDR 😉
All was working with 8.1.5 for months.
8.1.7 alone is OK
It's 8.1.7 and FortiEDR together that create bugs

Re: Cisco Secure Endpoint 8.1.7 issue(s)

Marvin Rhoads — Wed, 19 Apr 2023 19:43:17 GMT

Mine is running basic (free) Microsoft Defender.

Re: Cisco Secure Endpoint 8.1.7 issue(s)

LudoD — Wed, 19 Apr 2023 19:53:38 GMT

FortiEDR does not work like a traditional antivirus.
In very short, it is an antivirus that is based more on behaviors.
Cortex XDR (installed on John.Pitner computers) seems to do the same thing.
I feel like that's what's causing the concern.

Re: Cisco Secure Endpoint 8.1.7 issue(s)

Roman Valenta — Thu, 20 Apr 2023 18:08:49 GMT

HI Ludo,

Would be possible to try again with 8.1.7 and with Exploit Engine disabled in the test policy? And if this work can you turn it back on try create new exclusion for FortiEDR but as Exploit Prevention Exclusions (Application) and test it again?

The only difference as I find out between 8.1.5 vs 8.1.7 is the new version of the Exploit Prevention engine.

Configure and Identify Cisco Secure Endpoint Exclusions
https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/213681-best-practices-for-amp-for-endpoint-excl.html

Re: Cisco Secure Endpoint 8.1.7 issue(s)

LudoD — Thu, 20 Apr 2023 19:51:58 GMT

Hi,

FortiEDR executables are already in exclusion list for Exploit Prevention (since we are testing FortiEDR).
I tested with my computer in a test policy with Exploit Prevention disabled and there is still the bug (when I click on Word icon, the software doesn't launch).

Re: Cisco Secure Endpoint 8.1.7 issue(s)

Roman Valenta — Fri, 21 Apr 2023 11:52:33 GMT

Ludo,

Thanks for confirmation. Would you mind open a TAC case in case you didn't already open one so we can look in to this? At minimum we would need Diagnostic Bundle in DEBUG while replicating the issue few times probably PROCMON and time stamps for the replication attempts so we can have rough estimate where to look in the PROCMON.

Re: Cisco Secure Endpoint 8.1.7 issue(s)

lnguyen@meriwest.com — Fri, 05 May 2023 16:53:16 GMT

we already have issue with 8.1.7 on 50+ Windows 10 machines. Had to rolled back to 8.1.5.

black screens, unable to boot, cscript.exe error loading application popup, and bunch of other weird issues. we had no free time to work with TAC to troubleshoot this. Figure this one out Cisco.