Secure Endpoints werfault.exe medtronics

cam.johnson
Level 1

Greetings,

Seeing odd behavior where an application runs fine when AMP is disabled but errors when AMP is turned on. Folders/file/etc. have been whitelisted and AMP dashboard shows no indication it's blocking or otherwise considers the file bad. Trajectory shows the exe that's launched heading over to c:\windows\system32\werfault.exe. The output of that shows nothing helpful from what I can see.

How do you go about resolving an issue where it appears AMP is causing an issue but not via a block/quarantine, etc? AMP actually shows the disposition as allowed for the exe.

Uploader from: https://carelink.medtronic.com/

Connector Version 7.4.3.20679

Operating System Windows 10 Enterprise

2 Replies

johnosn
Level 1

I am not sure what Medtronic applications you are running, but you could start with excluding "Microsoft SQL Server" from the "Cisco-Maintained Exclusions" list along with the following.

Path Exclusions
C:\inetpub\wwwroot\Paceart.Services.Hosting\
CSIDL_PROGRAM_FILESX86\Medtronic\Paceart Data Transformation Engine\
CSIDL_PROGRAM_FILES\Corepoint Health\
CSIDL_SYSTEM\inetsrv\
CSIDL_SYSTEM\msmq\storage\

Keep in mind that the path exclusions above do not apply when an executable in the folder is run as a process. You also may need to exclude the process. See Appendix-E: Exclusions in depth for more information.

Process (File Scan) Exclusions with child processes
CSIDL_PROGRAM_FILESX86\Medtronic\Connected Systems Gateway\GatewayService.exe
CSIDL_PROGRAM_FILES\Corepoint Health\Corepoint Integration Engine\NIMonSvc.exe
CSIDL_PROGRAM_FILES\Corepoint Health\Corepoint Integration Engine\NISVC.exe
CSIDL_PROGRAM_FILES\Corepoint Health\Shared Components\NICfgSvc.exe
CSIDL_SYSTEM\inetsrv\w3wp.exe

Otherwise enable debug logging for the system in the Secure Endpoint console and collect the diagnostics logs via Collection of Diagnostic Data from an AMP for Endpoints Connector Running on Windows. You can then review those logs along with the logs from "C:\Windows\Minidump\*.dmp" if there are any to determine what is going on yourself, or to send to TAC.

I ended up opening a ticket with TAC and received a pretty thorough response which included the following:

"I have worked on a similar case previously and the Exploit Prevention engine was preventing the application from working correctly. The exclusions you have made will not work because the exclusions need to be made against the Exploit Prevention engine, which is not an option for you to select and would need to be implemented by Cisco."

A test policy was provided and worked. Now I'm just waiting for support to implement the change in production.
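When an application dies into werfault.exe with the disposition still "allowed", the quickest way to tell an engine-level interaction (such as Exploit Prevention) apart from a block is to look at which module faulted. The script below is an added example, not something posted in this thread or shipped by Cisco or Medtronic: it pulls the Windows Error Reporting "Application Error" events (ID 1000) for a given executable, shows the faulting module and exception code, flags modules loaded from an assumed security-product install path, and lists recent minidumps. The executable name and the `Cisco` path pattern are placeholders to adjust.

```powershell
# Added example for crash triage before opening a TAC case.
# $ExeName is a placeholder; set it to the uploader's executable name.
param(
    [string]$ExeName = 'Uploader.exe',   # placeholder, not a name from the thread
    [int]$Days = 7
)

$since = (Get-Date).AddDays(-$Days)

# WER logs Event ID 1000 (provider "Application Error") before handing the
# process to werfault.exe. Property order on Windows 10: 0 app name,
# 3 faulting module, 6 exception code, 7 fault offset, 10 app path,
# 11 module path. If fields look shifted, confirm against the event XML.
$crashes = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Application Error'
    Id           = 1000
    StartTime    = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -ieq $ExeName } |
    ForEach-Object {
        [pscustomobject]@{
            Time           = $_.TimeCreated
            FaultingModule = $_.Properties[3].Value
            ModulePath     = $_.Properties[11].Value
            ExceptionCode  = $_.Properties[6].Value
            FaultOffset    = $_.Properties[7].Value
            AppPath        = $_.Properties[10].Value
        }
    }

if (-not $crashes) {
    Write-Output "No Application Error (1000) events for $ExeName since $since."
    return
}

$crashes | Format-Table -AutoSize

# A fault inside a module from the security product's own install folder points
# at an engine interaction, which a path exclusion alone will not address.
# 'Cisco' is an assumed pattern for that install path; adjust to your layout.
$crashes | Where-Object { $_.ModulePath -match 'Cisco' } | ForEach-Object {
    Write-Warning "Crash at $($_.Time) faulted in $($_.FaultingModule) ($($_.ModulePath))"
}

# Minidumps mentioned in the reply, if dump writing is enabled on the host.
Get-ChildItem 'C:\Windows\Minidump\*.dmp' -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since } |
    Select-Object Name, LastWriteTime, Length
```

Run it in an elevated PowerShell session on the affected workstation; the Application log is readable without elevation, but C:\Windows\Minidump usually is not.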