Cisco Secure Endpoint 8.1.7 issue(s)

John.Pitner
Level 1

I deployed Cisco Secure Endpoint Windows Connector 8.1.7. Deploying it to our end users locked up Office, some browsers, and some shortcuts became unresponsive. After removal of 8.1.7 the issue went away. Reverting back to 8.1.5.

Anyone else having an issue with Cisco Secure Endpoint 8.1.7?

LudoD
Level 1

Hi,

I have the exact same problem.
Do you have another antivirus installed on the computers?

We are using FortiEDR (in test, simulation mode for the moment).
With Cisco 8.1.7 and FortiEDR enabled: Office, Chrome, MMC, and other apps don't respond.
With Cisco 8.1.7 and FortiEDR disabled: all is OK.
With Cisco 8.1.5 and FortiEDR enabled: all is OK.

I'm uninstalling 8.1.7 and reinstalling 8.1.5

No problems with 8.1.7 on my Windows 11 PC with Microsoft Defender also installed.

Have you created exclusions for FortiEDR?

"You must create exclusions for the connector in antivirus products running on your endpoints to prevent conflicts. Consult your antivirus software documentation for instructions on excluding files, directories, and processes from being scanned." (source: Secure Endpoint Deployment Strategy found at https://console.amp.cisco.com/docs)

Basic Microsoft Defender or Defender for Endpoint?

Yes, exclusions are created in FortiEDR for Cisco Secure Endpoint and in Cisco Secure Endpoint for FortiEDR.
All was working with 8.1.5 for months.
8.1.7 alone is OK.
It's 8.1.7 and FortiEDR together that create bugs.

Mine is running basic (free) Microsoft Defender.

FortiEDR does not work like a traditional antivirus.
In short, it is an antivirus that is based more on behaviors.
Cortex XDR (installed on John.Pitner computers) seems to do the same thing.
I feel like that's what's causing the concern.

Hi Ludo,

Would it be possible to try again with 8.1.7 and with Exploit Engine disabled in the test policy? And if this works, can you turn it back on, try creating a new exclusion for FortiEDR but as Exploit Prevention Exclusions (Application), and test it again?

The only difference, as I found out, between 8.1.5 and 8.1.7 is the new version of the Exploit Prevention engine.

Configure and Identify Cisco Secure Endpoint Exclusions
https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/213681-best-practices-for-amp-for-endpoint-excl.html

Hi,

FortiEDR executables are already in the exclusion list for Exploit Prevention (since we are testing FortiEDR).
I tested with my computer in a test policy with Exploit Prevention disabled and the bug is still there (when I click on the Word icon, the software doesn't launch).

Ludo,

Thanks for the confirmation. Would you mind opening a TAC case, in case you didn't already open one, so we can look into this? At minimum we would need a Diagnostic Bundle in DEBUG while replicating the issue a few times, probably PROCMON, and time stamps for the replication attempts so we can have a rough estimate of where to look in the PROCMON.

John.Pitner
Level 1

We do have Cortex XDR 8.0.0 running on all our machines, but in none of my previous deployments of Cisco Secure Endpoint have I ever had issues like this.

We haven't seen anything like this on our test boxes yet...

We already have issues with 8.1.7 on 50+ Windows 10 machines. Had to roll back to 8.1.5.

Black screens, unable to boot, cscript.exe error loading application popup, and a bunch of other weird issues. We had no free time to work with TAC to troubleshoot this. Figure this one out, Cisco.