07-14-2020 12:51 AM - edited 07-14-2020 04:30 AM
Hello.
Cisco AMP4E is blocking explorer.exe (Windows explorer.exe) and we get a black screen.
How can we find out why it happened? Why can't AMP4E get a handle on the process's executable?
In the Event details we get this information. (Now I use audit mode for testing because I get a black screen in protect mode.)
Detected but did not block (Audit mode)
Created by an unknown process. Could not get a handle on the process's executable.
File full path: C:\Windows\explorer.exe
File SHA-1: f7152a8cb963cefdfa65d35a3565c3549b223a26.
File MD5: a77d56422c38c1f8a00d95d2d5b1675e.
File size: 3904296 bytes.
File age: 0 seconds.
File signed by Microsoft Windows with certificate serial 330000017469de108b3765a8d7000000000174 from Microsoft Windows Production PCA 2011. Expired 20:23:35, Sat Aug 11 2018 UTC.
File cert MD5: 0cbcc628b4758f8db5b9048f5136a6c9.
File cert SHA-1: 419e77aed546a1a6cf4dc23c1f977542fe289cf7.
07-14-2020 09:10 AM
Hello,
Normally AMP would not block Explorer.exe, because it is protected by Rail Guards. The fact that AMP is causing this issue leads me to think that someone configured Application Blocking and added explorer.exe to it.
To determine if this is correct, I would go to the Audit Logs (Accounts - Audit Logs), filter by the Policy that is causing the issue, and check the update events, looking for a change with regard to Application Blocking.
07-15-2020 12:48 AM
07-15-2020 09:37 AM
Got it,
I hope everything gets resolved. If you encounter any issue, don't hesitate to reply back.