I am new to the tool, and I am trying to find out which engine from Cisco AMP is blocking powershell.exe. We have a .vbs script which runs on every start-up to set some printer preferences, which is obviously failing due to AMP, and the user sees an error every time he/she logs in. When I checked, it's not only the script but powershell.exe itself that is blocked, and there is no specific error pointing to AMP in any logs. But all works well if I stop the AMP service.
All I can see is an error in the Windows logs: "Faulting application name: conhost.exe, version: 10.0.19041.746".
Please suggest how I can dig in more or fix this.
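One way to dig in, as an added example that is not from any poster in this thread: pull the "Application Error" crash records (Event ID 1000) for the processes named above from the Application log, and list the state of the AMP / Secure Endpoint service alongside them, so crash bursts can be compared against whether the connector was running. The service display-name patterns and the 7-day window are assumptions; adjust them for your install.

```powershell
# Added diagnostic example (not from the original thread).
# Assumptions: the connector's service display name contains "AMP" or
# "Secure Endpoint"; change $ServicePattern if yours differs.
$ServicePattern = '*AMP*', '*Secure Endpoint*'
$Processes      = 'powershell.exe', 'conhost.exe', 'chrome.exe'
$Since          = (Get-Date).AddDays(-7)

# Event ID 1000 from provider "Application Error" is the generic
# user-mode crash record that produced the "Faulting application name" line.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Application Error'
    Id           = 1000
    StartTime    = $Since
} -ErrorAction SilentlyContinue

$crashes = foreach ($e in $events) {
    # Property positions for Event ID 1000 on Windows 10:
    # 0 = faulting application name, 3 = faulting module name, 6 = exception code.
    $p = $e.Properties
    [pscustomobject]@{
        Time        = $e.TimeCreated
        FaultApp    = $p[0].Value
        FaultModule = $p[3].Value
        Exception   = $p[6].Value
    }
}

# Only the processes the thread reports as failing to launch.
$crashes | Where-Object { $Processes -contains $_.FaultApp } |
    Sort-Object Time -Descending | Format-Table -AutoSize

# Current state of the connector service, to correlate with the crash times.
Get-Service | Where-Object {
    $name = $_.DisplayName
    $ServicePattern | Where-Object { $name -like $_ }
} | Select-Object Name, DisplayName, Status
```

Run it once while the service is running and once after stopping it to confirm the crashes track the connector's state before changing any policy settings.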
We're having the same issue on one of our endpoints. It is also preventing Chrome from launching, and the event viewer logs a similar error except the faulting module is chrome.exe (Chrome version 90). PowerShell also cannot be launched; however, I can still open a CMD prompt and enter PS within the CMD prompt. We've reinstalled the desktop connector on the machine, put AMP in audit mode, and even gone as far as reimaging the machine, with no luck. The only workaround we know of is to either uninstall AMP from the machine or disable the service. The affected endpoint is running Windows 10 20H2 with the April cumulative update (19042.928).
I'm glad we aren't the only ones with this issue on our hands. Any insight would be greatly appreciated!
I am curious if you were ever able to determine what was causing this? I have just run into this issue with the first one of our clients, and it happens to be a newer HP G8 model endpoint that is running into an issue where Chrome and PowerShell can't launch, and our Umbrella client doesn't connect properly on this endpoint. Wondering if this has to do with new HP security bloatware causing issues, or if it ends up being something in AMP that needs adjusting.
Just let me know, when you get a chance.
Hello @Naresh Gokara,
Secure Endpoint includes two types of engines, especially for scripts.
Therefore, as a starting point, I would recommend setting Script Control to Audit Mode or to Disabled.
I believe the issue is that the older versions of the Cisco AMP Endpoint Connector need to be updated to the current version, which in turn changes the name to Cisco Secure Endpoint. This has so far not impacted anyone who was lucky enough to have updated their Cisco AMP to the newest version. The April security update from Windows is what triggers this issue.