topic Re: Secure Endpoint breaking Chrome after June Windows cumulative upda in Endpoint Security

Secure Endpoint breaking Chrome after June Windows cumulative updates?

ac513 — Wed, 14 Jun 2023 15:31:34 GMT

We deploy Secure Endpoint 8.1.7 to our few thousand devices, and we started getting a mountain of reports this morning that Google Chrome would not appear on the screen after attempting to open it. It's not 100% across the board, but it is a significant uptick in complaints that is getting attention from our unit.

With a little trial & error, I found that killing the Secure Endpoint service or uninstalling Secure Endpoint will allow Chrome to open again. However, nothing shows up as being blocked in the device trajectory in the Secure Endpoint console. Also, if we reinstall an older version 7 Secure Endpoint client, the issue not reproducible. Once we install 8.1.7 again, the issue returns and Chrome does not open.

Behind the scenes the Chrome executable is actually opening & gets listed in Task manager.. But the app window itself never appears.

I did see at least one other thread on this in Malwarebytes' forum -- https://forums.malwarebytes.com/topic/299100-june-2023-update-kb5027231-prevents-google-chrome-from-displaying

Anyone else seeing similar behavior today with Chrome not opening?

Re: Secure Endpoint breaking Chrome after June Windows cumulative upda

ac513 — Wed, 14 Jun 2023 19:30:23 GMT

Our test policy where we could reproduce this had the Exploit Prevention engine set to Audit. Once we set that to Disabled instead, the issue was no longer reproducible.

Once Exploit Prevention was set back to at least Audit, Chrome stopped working again.

So that engine seems to be at fault. Still working a TAC case at the moment.

I also noticed the following from the update's KB article. I wouldn't think any parts of Secure Endpoint are still 32-bit, so not sure if this is related or just coincidence.

This update addresses a known issue that affects 32-bit apps that are large address aware and use the CopyFile API. You might have issues when you save, copy, or attach files. If you use some commercial or enterprise security software that uses extended file attributes, this issue will likely affect you.

https://support.microsoft.com/en-us/topic/june-13-2023-kb5027231-os-build-22621-1848-8f903600-1293-4431-9c6b-736a4049666c

Re: Secure Endpoint breaking Chrome after June Windows cumulative upda

EdieDudley14020 — Thu, 15 Jun 2023 14:25:21 GMT

In the Malwarebytes forum, it mentioned making Chrome the default browser which worked. Isn't ideal but it will get us by until a fix is ready and better than uninstalling the KB or disabling Secure Endpoint Exploit Prevention. The problem only happened on Windows 11 devices.

Re: Secure Endpoint breaking Chrome after June Windows cumulative upda

ac513 — Thu, 15 Jun 2023 16:27:52 GMT

Oddly enough, that is working for us too. Agreed that this is a far nicer workaround.

TAC gave a soft confirmation of the issue, stating that they're starting to correlate reports of this. They also had me test a fun theory -- If you rename the Chrome executable, it will actually work. Once it's renamed back to chrome.exe, the issue reproduces again.

Re: Secure Endpoint breaking Chrome after June Windows cumulative upda

mski7861 — Thu, 15 Jun 2023 18:40:38 GMT

One of our clients rolled out KB5027231 to a bunch of machines and is reporting the same issue with Chrome not opening.

I agree that the recommendation to set chrome as the default browser is the simplest workaround and will test this theory.

Re: Secure Endpoint breaking Chrome after June Windows cumulative upda

EdieDudley14020 — Thu, 15 Jun 2023 18:54:40 GMT

Interesting!

Re: Secure Endpoint breaking Chrome after June Windows cumulative upda

mski7861 — Fri, 16 Jun 2023 15:32:34 GMT

I also verified that setting Chrome as the default browser is a valid workaround.

Re: Secure Endpoint breaking Chrome after June Windows cumulative upda

ac513 — Tue, 20 Jun 2023 22:37:15 GMT

At this point the issue is pretty clear and we're all waiting on Cisco, but I did want to share the following just for historical purposes.

Bug ID for this is now customer-visible: https://bst.cisco.com/bugsearch/bug/CSCwf66658

Also just got an email alert from our console:

Cisco Secure Endpoint Announcement - Chrome Launch Failure
Some users may encounter difficulties launching Google Chrome when the Exploit Prevention engine is enabled on Secure Endpoint Windows connectors because of two Microsoft updates (KB5027231 or KB5027223) for Windows 11.
There are currently three workarounds available for affected endpoints:
1. Make Google Chrome the default web browser.
2. Roll back the two Windows updates.
3. Disable the Exploit Prevention engine. Please note that doing this will affect your security posture.
We are currently investigating the issue further and will provide updates when available. If you require further assistance, please contact our support team.

Re: Secure Endpoint breaking Chrome after June Windows cumulative upda

Ken Stieers — Tue, 20 Jun 2023 23:12:13 GMT

Or MS... since malwarebytes has same issue.

Re: Secure Endpoint breaking Chrome after June Windows cumulative upda

Roman Valenta — Wed, 21 Jun 2023 14:33:15 GMT

Just another observation when it comes to rolling back the KB update.

One of the affected customer reported that rolling back the Windows patch on their end has caused a large amount of systems to go into recovery mode causing things such as bitlocker to need re-synced again. So I would not recommended to roll back on large deployment until further tested to avoid any issues like this.

What basically happened is a change introduced by Windows broke the functionality of Chrome w.r.t to ExPrev, issue was reported by already mentioned Malwarebytes also WatchGuard EDR have the same issue.

Our DEV team is already on that issue and as of right now the fix should be available in the upcoming 8.1.9 release. There is currently no set date but based on the trend and connector release history we should be expecting new connector release at the end of July.

Re: Secure Endpoint breaking Chrome after June Windows cumulative upda

seal325 — Fri, 23 Jun 2023 01:04:22 GMT

Is there any ETA on the resolution for this issue?

Re: Secure Endpoint breaking Chrome after June Windows cumulative upda

Ken Stieers — Fri, 23 Jun 2023 01:16:21 GMT

Per the post just above yours in the community:

Our DEV team is already on that issue and as of right now the fix should be available in the upcoming 8.1.9 release. There is currently no set date but based on the trend and connector release history we should be expecting new connector release at the end of July.

Re: Secure Endpoint breaking Chrome after June Windows cumulative upda

emmonsk — Fri, 23 Jun 2023 15:59:24 GMT

Is a fix only going to be available for version 8 or will there also be a fix for users of version 7?

Re: Secure Endpoint breaking Chrome after June Windows cumulative upda

mski7861 — Fri, 23 Jun 2023 16:36:08 GMT

From what I've seen, they only create fixes for the latest revision, they normally don't go backwards

Re: Secure Endpoint breaking Chrome after June Windows cumulative upda

Ken Stieers — Fri, 23 Jun 2023 16:42:21 GMT

I would say maybe. 7.x is still available to support older windows releases (eg Server 2012R2.) As those lose MS support, 7.x will go...

Re: Secure Endpoint breaking Chrome after June Windows cumulative upda

Roman Valenta — Fri, 23 Jun 2023 19:13:53 GMT

Good question, but from what we know this issue is affecting primarily Windows11. Windows11 is 64bit architecture so is 8.1.x connector release which is recommended to run on Windows11 anyway.

Although the legacy 7.5.x release is also supported based on the matrix on Wndows11, we don't know yet if the fix will be deployed due to different 7.5.x architecture. However we are currently working with Microsoft to determine if they can come up with fix on their end that can be implemented as well.

Re: Secure Endpoint breaking Chrome after June Windows cumulative upda

marinogr — Fri, 30 Jun 2023 08:47:53 GMT

We have some custom app that are running very slowly on 8.1.x (unusable) compared to 7.5.x. It would be very appreciated or almost necessary to have a fix for 7.5.x.

Re: Secure Endpoint breaking Chrome after June Windows cumulative upda

Roman Valenta — Fri, 30 Jun 2023 13:10:15 GMT

When you said slow and unusable, what version of 8.1.x did you run at that time. Only asking as we did have some performance issue in 8.1.x causing for some customers significant slow down due to Secure Endpoint UI "csc_ui.exe" . This issue was mitigated in the latest 8.1.7 release so If you didn't have chance to test this release I would highly suggest that.

On the other note we are currently in testing stage of new connector that have fix for this issue with the latest Windows 11 update and so far it seems that the issue was resolved and the fix will be shipped with the new connector release. For those that do have open TAC case please contact your TCE for further details.

Re: Secure Endpoint breaking Chrome after June Windows cumulative upda

marinogr — Sat, 01 Jul 2023 09:22:09 GMT

The last one on 6.April.2023. I think that was 8.1.5.

I have to test it on 8.1.7 or better when new release for fix for CSCwf66658 come out. I have to involve other customer technical stuff and is not easy to test custom app.

Re: Secure Endpoint breaking Chrome after June Windows cumulative upda

Ken Stieers — Wed, 05 Jul 2023 14:17:05 GMT

In case you didn't see it yet, they released 8.1.7.21512 to fix this.

https://docs.amp.cisco.com/Release%20Notes.pdf