Thanks for the advice! I'll have to get the client back on my devices and wait some number of days, and get others to try this out as we get new reports.

Just heard back from a few test cases, and they claim that the slowdowns stopped as soon as the systray menu was closed out. Will have to add that exclusion next and see if it continues to help.

That's... a wildly problematic bug it sounds like. Surely this is a known bug and Cisco is working on it? (or at least I hope so, considering this suggestion was at the ready)

Yes we are currently actively working on this issue but so far we have very limited data collected as this issue seems to be sporadic and triggered differently. For example in your case you reported it takes couple days to get to that state,  some customers reported they can get to that state in few hours and we also have customers that have no issue at all.

If the exploit prevention exclusion will not work for you I would suggest keep the UI disabled in the policy to prevent this issue. You can also open TAC case and get update through the case notes or stay put and I will update this thread as soon as I hear back about any new progress on this issue.

Hi,

Same problem here.

Try the exclusion but do not work on long term.
Just close the UI on a computer with the problem (and the exclusion), it solves the problem instantly.

I suppose the user haven't notifications when UI is closed...

Kind regards,
Ludo

Correct, NO UI = Notification.

BTW: Lots of customers have the notification disabled anyway to not disturbed the end user.

Now as far for the latest, we have so far great success with several customers where we implemented exclusion to Script Control via back end as that's the only solution for Script Control. And based on those test it seems that Script Control which is separate from Exploit Prevention causing this. If things goes well we should have global fix released with in a week. Again there is no set date on this and once I gain more inlet I will update this thread.

If you like to test this out you can try disable Script Control on small test group of computers to see the difference.

PS: Once the policy synchronize make sure to either restart the Secure Client or reboot the endpoint for the changes to take effect.

---

If you like to test this out you can try disable Script Control on small test group of computers to see the difference.

Would it need to be literally set to Disabled, or would Audit also provide the same results in a test case? (if unknown, that's fine)

Also as a heads up to everyone -- The Windows default Cisco-managed exclusions will be updated tomorrow as well. They include the system tray, plus a few extra things.

https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/214809-cisco-maintained-exclusion-list-changes.html

• C:\Windows\System32\omadmclient.exe
• .automaticDestinations-ms
• csc_ui.exe for Exploit Prevention

Lastly, had one very weird symptom. Using 8.1.3 and all scanning modes set to Audit, I noticed that Secure Endpoint was keeping a hold onto M365 Apps for enterprise. I was trying to manually update the package, and it kept saying "apps can't close". Removed Secure Endpoint, and it kicked right through and updated. Closing the systray menu did nothing for this one. First I've seen that, and I don't know if the above exclusions will account for this.

At this point I would suggest to open TAC case as we will need to investigate this further and gather some additional logs. Diagnostic Bundle will be one of them, but there will be some Windows Internal Tools that we need to run as well to get idea what is going with the operating system. Procmon, RAMMap, vmmap will be one of those tools that we will need to utilize to gather more Intel on this.

I've opened a TAC case. Right now they're just looking at DART bundles for individual devices, not sure if our case is being linked up with others' in regards to this issue.

Has there been any other updates you can share from the engineering team? I see the ExPrev/Script Control global exclusions for csc_ui.exe were stated to be "one of the possible reasons", so are there other pieces still being actively investigated for this issue? Anything we can look at and try to rule out? (If you're able to divulge that info, that is)

Yes this will actually be investigated individually case by case. Majority customers with this issue reported that after we apply the fix globally their issue was mitigated. In such a cases like yours we will keep investigate and we will collect some additional information including recording of the issue for our DEV team. Also, I did found your case and already spoke with the engineer assigned to your case what will be the next steps. Thank you for you patience.

Appreciate that! Still running 3 test scenarios to report back in our TAC case, but for anyone else following this thread/situation and was curious, here's some smoking guns I've found:

1) The slowdowns are reproducible on a Win11 22H2 machine of mine at home, with nothing of significance installed/running on it in the background. Based on this, I'd feel confident in saying the slowdowns are not an interaction between Secure Endpoint and any of our organization's configurations, deployed apps, policies, etc.

2) On my primary company machine where this has been reproducible, the issue goes away entirely when moving it to a policy with the Secure Client UI disabled and all other settings matching our usual production policy.

So the issue is ongoing, and this pretty much solidifies the Secure Client UI (csc_ui.exe) being the common denominator to me. (I know previously in this thread, it was stated to be "suspected") Now the exact root cause, who knows...

Here's hoping a new client release may be on the horizon with some improvements. I was watching our console like a hawk, and noticed a version 8.1.5 client become available for our policies. However, it disappeared less than an hour later and never came back. Not sure if this was a glitch in automation, or if a planned release was delayed at the last minute?