04-27-2021 11:58 PM
I am new to the tool and am trying to find out which engine from Cisco AMP is blocking powershell.exe. We have a .vbs script which runs on every startup to set some printer preferences, which is failing, obviously due to AMP, and the user sees an error every time he/she logs in. When I checked, it's not only the script: powershell.exe itself is blocked, and there is no specific error pointing to AMP in any logs. But all works well if I stop the AMP service.
All I can see is an error in the Windows logs: "Faulting application name: conhost.exe, version: 10.0.19041.746"
Please suggest how I can dig in more or fix this.
04-28-2021 08:05 PM - edited 04-28-2021 08:07 PM
We're having the same issue on one of our endpoints. It is also preventing Chrome from launching and the event viewer logs a similar error except the faulting module is chrome.exe (Chrome version 90). Powershell also cannot be launched, however I can still open a CMD prompt and enter PS within the CMD prompt. We've reinstalled the desktop connector on the machine, put AMP in audit mode, and even gone as far as reimaging the machine with no luck. The only workaround we know of is to either uninstall AMP from the machine or disable the service. The affected endpoint is running Windows 10 20H2 with the April cumulative update (19042.928).
I'm glad we aren't the only ones with this issue on our hands. Any insight would be greatly appreciated!
07-08-2021 08:42 AM
I am curious if you were ever able to determine what was causing this? I have just run into this issue with the first one of our clients, and it happens to be a newer HP G8 model endpoint that is running into an issue where Chrome and PowerShell can't launch, and our Umbrella client doesn't connect properly on this endpoint. Wondering if this has to do with new HP Security bloatware causing issues, or if it ends up being something in AMP that needs to be adjusted.
Just let me know, when you get a chance.
05-02-2021 11:38 PM
We're in the same boat as well. We didn't experience this issue at all until recently and, so far, only on the new HP Zbook Firefly G8. Works perfectly fine on the organization's 800-900 earlier model computers.
05-06-2021 01:38 AM - edited 05-06-2021 01:44 AM
Hello @Naresh Gokara,
Secure Endpoint includes two types of engines especially for scripts.
Therefore, as a starting point, I would recommend setting Script Control to Audit Mode or to Disabled.
05-06-2021 11:48 PM
Hello @Troja007, thank you for your suggestion, but the first thing I tried was keeping the engines in Audit mode, then I added multiple exclusions; nothing seems to be working. PowerShell and Chrome both have the same issue.
05-11-2021 10:06 AM
Can you share a screenshot of the event please, so I can take a look? You can also send me a message.
07-16-2021 08:53 AM
Dell Latitude 5420s also show the same symptoms on 20H2 but not on 1909.
powershell.exe is unable to start correctly, but will run if started from a cmd prompt.
04-27-2022 02:46 PM - edited 04-27-2022 02:48 PM
I believe the issue is with the older versions of Cisco AMP Endpoint Connector, which need to be updated to the current version, which in turn changes the name to Cisco Secure Endpoint. This has so far not impacted anyone who was lucky enough to have updated their Cisco AMP to the newest version. The April security update from Windows is what triggers this issue.