Known issues in the Windows agent


On a device running Windows Server 2012 R2 and CylancePROTECT Desktop agent 3.1, System32\wbem\WmiPrvSE.exe is incorrectly reported as a threat. (EPP-3279)
Each time an executable that's in the exclusion list is run on a device, there are multiple redundant 'UNKNOWN_FILE' log entries associated with it. If the executable is used frequently, the log file size can grow quickly. (EPP-2828)
The script control policy for XLM macros is not enforced if the Excel Trust Center > Macros Settings is set to "Enable VBA macros". (EUS-1065)
Workaround: Verify that one of the "Disable VBA macros" options is selected.
If you plug in a UGREEN USB-C hub on a device that's running the CylancePROTECT Desktop agent with a device control policy, a blue screen error occurs. (EUS-934)
When the Windows 8.3 short naming format of a process path is used to execute a file (e.g. C:\PROGRA~1\folder\file.exe) and the memory protection exclusions are defined using the long naming format for that process (e.g. C:\Program Files\folder\file.exe), the exclusions do not apply. (EUS-593)
Workaround: Ensure that files are executed using the long path format. Note that adding exclusions using the Windows 8.3 short naming format is not supported.
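An added example, not part of the vendor documentation: a PowerShell audit for the EUS-593 condition that lists Windows services whose registered executable path contains an 8.3 short name, together with the long path to use instead. Using services as the launch source, and the function names, are assumptions of this example; any list of command lines can be piped into `Find-ShortPathLaunch`.

```powershell
# Added example: find launch paths that use 8.3 short names, so they can be
# changed to the long form that memory protection exclusions are written in.
Add-Type -Namespace Win32 -Name PathApi -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint GetLongPathName(string shortPath, System.Text.StringBuilder longPath, uint bufferSize);
'@

# One path component shaped like NAME~N or NAME~N.EXT (candidate short alias).
$ShortComponent = '(?<=^|\\)[^\\~]{1,6}~\d+(\.[^\\.]{0,3})?(?=\\|$)'

function Get-ExecutablePath {
    # Executable part of a command line: a quoted path, or text up to the first ".exe".
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($CommandLine -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
    return $null
}

function Resolve-LongPath {
    # Ask Windows for the long form; returns $null if the file cannot be resolved.
    param([string]$Path)
    $buffer = New-Object System.Text.StringBuilder 32768
    $length = [Win32.PathApi]::GetLongPathName($Path, $buffer, [uint32]$buffer.Capacity)
    if ($length -eq 0) { return $null }
    return $buffer.ToString()
}

function Find-ShortPathLaunch {
    param([Parameter(ValueFromPipeline)][string]$CommandLine)
    process {
        $exe = Get-ExecutablePath $CommandLine
        if (-not $exe -or $exe -notmatch $ShortComponent) { return }
        $long = Resolve-LongPath $exe
        # A long file name may contain a literal "~1"; it resolves to itself
        # and is not a short alias, so it is not reported.
        if ($long -and $long -ieq $exe) { return }
        [pscustomobject]@{ AsLaunched = $exe; LongPath = $long; CommandLine = $CommandLine }
    }
}

# Assumed launch source for this example: the registered service command lines.
Get-CimInstance Win32_Service |
    Where-Object PathName |
    ForEach-Object { $_.PathName } |
    Find-ShortPathLaunch
```

A row with an empty LongPath means the path looks like a short name but the file could not be resolved on this device.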
When trying to launch Microsoft Visual Studio 2022, several System DLL Overwrite violations are reported and it does not launch as expected. (EPP-2312)
Workaround: In the device policy, add an exclusion to ignore "System DLL Overwrite" violations for devenv.exe that is located in the installation folder of Visual Studio 2022. For example, set the exclusion to ignore "System DLL Overwrite" violations at \Program Files\Microsoft Visual Studio\2022\Professional\Common7\IDE\devenv.exe. The installation path may differ between editions and locales.
When adding a process exclusion to script control, /[CySc_process]/ should automatically be added to the exclusion. When adding a process exclusion, make sure /[CySc_process]/ is added to the exclusion list. If it is not added, manually add it to the process exclusion. (CCC-3727)
If you assign a device policy with script control set to "Block" but allow PowerShell console usage, scripts run from the PowerShell console are blocked. (CHP-8409)
On the Script tab of the Windows agent, the command line display in the tooltip for a long PowerShell script shows duplicated and overwritten information. (CHP-8349)
In some Windows 10 environments, when attempting to upgrade to the 1580 agent, the automatic uninstallation of the previous agent might not be successful. (CHP-8288)
Workaround: Manually uninstall the previous agent and install the 1580 agent.
If the following conditions are met, 32-bit processes that do not have Program Control Flow Guard (CFG) enabled can stop responding:
  • Windows Defender is enabled, and the System Control flow guard (CFG) setting is set to on under System Settings (Start menu > Windows Security > App & browser control > Exploit protection settings > System settings).
  • CylancePROTECT agent 1580 is installed.
  • Memory Protection is enabled.
(CHP-8262)
Workaround:
  1. Go to Start > Windows Security > App & browser control > Exploit protection settings > Program settings.
  2. Select the program that stopped responding and click Edit.
  3. Scroll to Control Flow Guard (CFG) for the program and select the Override system settings checkbox.
  4. Toggle the setting below the checkbox to On.
  5. Click Apply.
  6. Restart your computer.
The Cylance service may intermittently get stuck in a "StopPending" state when cycling between a stopped and running state. (CHP-7174)
When "System DLL Overwrite" is enabled in the memory protection policy, using AutoCAD 2022 (S.51.0.0) and trying to log in to an AutoCAD account triggers a memory protection event. (COM-3896)
Workaround: Add a memory protection exclusion for AutoCAD for the System DLL Overwrite violation type.
When the script control policy is enabled, launching the VisionApp Remote Desktop 2011 application results in an error. (MEM-830)
Workaround: Enable memory protection and add an exclusion for the VisionApp executable (for example, C:\Program Files (x86)\visionapp Remote Desktop 2011\vRD70.exe).
When script control is set to "Block" and memory protection is set to "Terminate" in a device policy, Microsoft OneNote 2016 does not successfully load. (MEM-779)
Workaround: In the script control settings for a device policy, allow the PowerShell console. Make sure the Block PowerShell console usage feature is disabled.
For Windows 7 endpoints, if the memory protection policy is enabled and the "Remote Unmap of Memory process injection" setting is set to "Block", the parameters for the victim path and the image being unmapped are blank. This affects local and remote files. (MEM-747)
For known incompatibility issues with memory protection and script control with other products, see Known Memory Protection and Script Control Incompatibilities (KB 83016).
  • This article helps users prepare before enabling memory protection or script control in their policies. Users who already have these features enabled and are not experiencing any issues are not affected by these incompatibilities.
  • Cylance keeps track of these incompatibilities and attempts to resolve any issues whenever possible. The KB article includes a list of resolved issues and the related agent version.
These conflicts are not unique to this release and do not solely depend on CylancePROTECT, as this may happen when any two applications monitor memory in the same way.