Cisco AMP4E blocking explorer.exe

sfismayilov
Level 1

Hello.

Cisco AMP4E is blocking explorer.exe (Windows explorer.exe) and we get a black screen.

How can we find out why this happened? Why can't AMP4E get a handle on the process's executable?
In the event details we get this information. (For now I am using audit mode for testing because I get a black screen in protect mode.)

Detected but did not block (Audit mode)

Created by an unknown process. Could not get a handle on the process's executable.


File full path: C:\Windows\explorer.exe

File SHA-1: f7152a8cb963cefdfa65d35a3565c3549b223a26.

File MD5: a77d56422c38c1f8a00d95d2d5b1675e.

File size: 3904296 bytes.

File age: 0 seconds.

File signed by Microsoft Windows with certificate serial 330000017469de108b3765a8d7000000000174 from Microsoft Windows Production PCA 2011. Expired 20:23:35, Sat Aug 11 2018 UTC.

File cert MD5: 0cbcc628b4758f8db5b9048f5136a6c9.

File cert SHA-1: 419e77aed546a1a6cf4dc23c1f977542fe289cf7.

Accepted Solutions

UMontero
Cisco Employee

Hello,

Normally AMP would not block Explorer.exe, because it is protected by Rail Guards. The fact that AMP is causing this issue leads me to think that someone configured Application Blocking and added explorer.exe to it.

To determine if this is correct, I would go to the Audit Logs (Accounts - Audit Logs), filter by the Policy that is causing the issue and check the update events, looking for a change with regard to Application Blocking.

Thanks for your reply.
We are in the deployment phase. I decided to do it afresh and
I cleaned out all block lists and other lists. (There are many people who worked on this.)
I'll track all changes.
If it appears again, I'll reply.

Got it,

I hope everything gets resolved. If you encounter any issue, don't hesitate to reply back.
