Unable to start Powershell or run any scripts due to AMP, all works well if I stop the AMP service.

Naresh Gokara
Beginner

Hello,

I am new to the tool, and I am trying to find out which engine from Cisco AMP is blocking powershell.exe. We have a .vbs script which runs on every start-up to set some printer preferences, which is failing, obviously due to AMP, and the user sees an error every time he/she logs in. When I checked, it's not only the script but powershell.exe itself that is blocked, and no specific error points to AMP in any logs. But all works well if I stop the AMP service.

All I can see is an error in the Windows logs: "Faulting application name: conhost.exe, version: 10.0.19041.746"

Please suggest how I can dig in more or fix this.

 

Thank you,

NG

8 Replies

austincox1234
Beginner

We're having the same issue on one of our endpoints. It is also preventing Chrome from launching, and the Event Viewer logs a similar error, except the faulting module is chrome.exe (Chrome version 90). PowerShell also cannot be launched; however, I can still open a CMD prompt and enter PS within the CMD prompt. We've reinstalled the desktop connector on the machine, put AMP in audit mode, and even gone as far as reimaging the machine, with no luck. The only workaround we know of is to either uninstall AMP from the machine or disable the service. The affected endpoint is running Windows 10 20H2 with the April cumulative update (19042.928).

I'm glad we aren't the only ones with this issue on our hands. Any insight would be greatly appreciated!

Hello Austin,

 

I am curious if you were ever able to determine what was causing this? I have just run into this issue with the first one of our clients, and it happens to be a newer HP G8 model endpoint that is running into an issue where Chrome and PowerShell can't launch, and our Umbrella client doesn't connect properly on this endpoint. Wondering if this has to do with new HP security bloatware causing issues, or if it ends up being something in AMP that needs adjusting.

 

Just let me know, when you get a chance.

 

Thanks!

LuoJ
Beginner

We're in the same boat as well. We didn't experience this issue at all until recently and, so far, only on the new HP ZBook Firefly G8. It works perfectly fine on the organization's 800-900 earlier model computers.

Troja007
Cisco Employee

Hello @Naresh Gokara,
Secure Endpoint includes two types of engines specifically for scripts.

  • Script Protection: Secure Endpoint integrates into Microsoft AMSI and scans files executed by a Microsoft script interpreter. A detection will result in a File Scan Event.
  • Exploit Prevention --> Script Control: This Exploit Prevention engine extension interacts with some known Microsoft DLLs and blocks specific access. This extension, today, is a little bit too strict and will be improved in upcoming releases of Secure Endpoint. powershell.exe is listed as a protected child process for the Exploit Prevention extension. Take a look at the End User Guide, where all the processes are listed.

Therefore, as a starting point, I would recommend setting Script Control to Audit Mode or to Disabled.

Greetings,
Thorsten

 

[Attachment: Script_Control_Audit_Mode.png]

Naresh Gokara
Beginner

Hello @Troja007, thank you for your suggestion, but the first thing I tried was keeping the engines in Audit mode, then I added multiple exclusions; nothing seems to work. PowerShell and Chrome both have the same issue.

 

Thank you,

NG

Hello,

Can you share a screenshot of the event please, so I can take a look? You can also send me a message.

Greetings,
Thorsten
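
Added triage helper, not from any poster in this thread: a PowerShell script that pulls the Application-log crash records the original post quotes (Event ID 1000 from the "Application Error" source) and tabulates the faulting application, faulting module and exception code for powershell.exe, conhost.exe and chrome.exe, so the effect of moving Script Control to Audit Mode can be compared before and after. The process list, the 7-day window and launching it from cmd.exe are assumptions.

```powershell
# Added triage helper (not from the thread): list Application-log crash events
# (Event ID 1000, source "Application Error") for the binaries named in this
# thread, so the "Faulting application name" / "Faulting module name" fields
# can be compared before and after the Exploit Prevention engine is changed.
# Assumes a Windows 10 host; when powershell.exe itself will not start from the
# shell (as described above), run it from cmd.exe: powershell -File Get-CrashEvents.ps1
param(
    [int]$Days = 7,
    [string[]]$Processes = @('powershell.exe', 'conhost.exe', 'chrome.exe')
)

$filter = @{
    LogName      = 'Application'
    ProviderName = 'Application Error'
    Id           = 1000
    StartTime    = (Get-Date).AddDays(-$Days)
}

# SilentlyContinue: Get-WinEvent throws when no event matches the filter.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # The message text carries the crash details as
    # "Faulting application name: X, version: Y, ... Faulting module name: Z, ... Exception code: 0x..."
    $app    = [regex]::Match($e.Message, 'Faulting application name:\s*([^,]+)').Groups[1].Value.Trim()
    $module = [regex]::Match($e.Message, 'Faulting module name:\s*([^,]+)').Groups[1].Value.Trim()
    $code   = [regex]::Match($e.Message, 'Exception code:\s*(0x[0-9A-Fa-f]+)').Groups[1].Value
    if ($Processes -contains $app.ToLower()) {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            App       = $app
            Module    = $module
            Exception = $code
        }
    }
}

# One line per crash, newest first, then a count per (app, module) pair so a
# recurring faulting module stands out.
$rows | Sort-Object Time -Descending | Format-Table -AutoSize
$rows | Group-Object App, Module | Select-Object Count, Name | Sort-Object Count -Descending
```

If the crash rows stop appearing after Script Control is set to Audit Mode, the Exploit Prevention engine is the component to look at; if they continue, the cause lies elsewhere.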

Beats
Beginner

Dell Latitude 5420s
also show the same symptoms on 20H2 but not on 1909.
powershell.exe is unable to start correctly, but will run if started from a cmd prompt.

 

Opyplex
Beginner

I believe the issue is that older versions of the Cisco AMP Endpoint Connector need to be updated to the current version, which in turn changes the name to Cisco Secure Endpoint. This has so far not impacted anyone who was lucky enough to have updated their Cisco AMP to the newest version. The April security update from Windows is what triggers this issue.
