04-19-2023 12:06 PM
I deployed Cisco Secure Endpoint Windows Connector 8.1.7. Deploying it to our end users locked up Office, some browsers, and some shortcuts became unresponsive. After removal of 8.1.7 the issue went away. Reverting back to 8.1.5.
Anyone else having an issue with Cisco Secure Endpoint 8.1.7?
04-19-2023 12:14 PM
Hi,
I have the exact same problem.
Do you have another antivirus installed on the computers?
We are using FortiEDR (in test, simulation mode for the moment).
With Cisco 8.1.7 and FortiEDR enabled: Office, Chrome, MMC, and other apps don't respond.
With Cisco 8.1.7 and FortiEDR disabled: all is OK.
With Cisco 8.1.5 and FortiEDR enabled: all is OK.
I'm uninstalling 8.1.7 and reinstalling 8.1.5.
04-19-2023 12:30 PM
No problems with 8.1.7 on my Windows 11 PC with Microsoft Defender also installed.
Have you created exclusions for FortiEDR?
"You must create exclusions for the connector in antivirus products running on your endpoints to prevent conflicts. Consult your antivirus software documentation for instructions on excluding files, directories, and processes from being scanned." (source: Secure Endpoint Deployment Strategy found at https://console.amp.cisco.com/docs)
04-19-2023 12:38 PM - edited 04-19-2023 12:39 PM
Basic Microsoft Defender or Defender for Endpoint?
Yes, exclusions are created in FortiEDR for Cisco Secure Endpoint and in Cisco Secure Endpoint for FortiEDR.
All was working with 8.1.5 for months.
8.1.7 alone is OK.
It's 8.1.7 and FortiEDR together that create bugs.
04-19-2023 12:43 PM
Mine is running basic (free) Microsoft Defender.
04-19-2023 12:53 PM
FortiEDR does not work like a traditional antivirus.
In short, it is an antivirus that is based more on behaviors.
Cortex XDR (installed on John.Pitner computers) seems to do the same thing.
I feel like that's what's causing the concern.
04-20-2023 11:08 AM
Hi Ludo,
Would it be possible to try again with 8.1.7 and with Exploit Engine disabled in the test policy? And if this works, can you turn it back on, try creating a new exclusion for FortiEDR but as Exploit Prevention Exclusions (Application), and test it again?
The only difference between 8.1.5 and 8.1.7, as far as I found out, is the new version of the Exploit Prevention engine.
Configure and Identify Cisco Secure Endpoint Exclusions
https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/213681-best-practices-for-amp-for-endpoint-excl.html
04-20-2023 12:51 PM
Hi,
FortiEDR executables are already in the exclusion list for Exploit Prevention (since we are testing FortiEDR).
I tested with my computer in a test policy with Exploit Prevention disabled and the bug is still there (when I click on the Word icon, the software doesn't launch).
04-21-2023 04:52 AM - edited 04-21-2023 04:52 AM
Ludo,
Thanks for the confirmation. Would you mind opening a TAC case, in case you didn't already open one, so we can look into this? At minimum we would need a Diagnostic Bundle in DEBUG while replicating the issue a few times, probably PROCMON, and time stamps for the replication attempts so we can have a rough estimate of where to look in the PROCMON.
04-19-2023 12:29 PM
We do have Cortex XDR 8.0.0 running on all our machines, but in none of my previous deployments of Cisco Secure Endpoint have I ever had issues like this.
04-19-2023 12:32 PM
05-05-2023 09:53 AM
We already have an issue with 8.1.7 on 50+ Windows 10 machines. Had to roll back to 8.1.5.
Black screens, unable to boot, cscript.exe error loading application popup, and a bunch of other weird issues. We had no free time to work with TAC to troubleshoot this. Figure this one out, Cisco.