Chrome (MSEdge) constant containment pop ups

  • Chrome (MSEdge) constant containment pop ups

    Hi

    I have an issue with many users complaining about pop-ups when opening Chrome or Edge; the containment message pops up constantly, between 10 and 40 times or more in a row. Clicking Ignore does nothing, same as Allow (needing my password).

    20210513_114750 (Small).jpg

    It is not on all systems, nor common to the one profile, it is over several customers and seems almost random.

    I have raised a second support ticket, but have yet to get a response or a way to either disable the alerts or stop them from being contained when all statuses online have them as Trusted.

    There was a response to another ticket, go to chrome/flags manually and set 2 or 3 settings on each affected machine, not workable and not practical at all, and it did not work on a test machine.


    The issue is chrome wanting to run cmd.exe and being blocked.
    cmd.exe C:\WINDOWS\system32\cmd.exe F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D 34 Containment Policy chrome.exe Blocked Complete Trusted Trusted 2021/05/17 04:50:25 PM
    A sample on one system shows it being blocked - pop up generated a heap of times, in excess of 100 times per hour.

    My next step is to disable containment altogether, but what's the point in having a half-working protection in place?

    Does anyone have an idea of how to stop the pop-ups for my clients first, then how to either allow or fix the issues?

    I'm close to ditching the system and moving back to other vendors as this is causing far too many calls and requests from end-users.



    regards

    mcfproservices




  • #2
    Hi mcfproservices,

    Sorry for the trouble caused. We have created a support ticket to analyze and found from the CCS containment log that chrome.exe tries to start the plugin by starting cmd.exe and this action was blocked by CCS Containment predefined rule for the "Pseudo File Downloaders" filegroup:

    screenshot.png

    The only way to exclude such CCS block actions is to create an Ignored Containment rule in order to allow Chrome.exe to start cmd.exe.

    Create Ignore rule with the following criteria
    Types: Files
    Target: C:\Windows\system32\cmd.exe

    Under Files Started by Processes:
    Types: Files
    Reputation: Trusted
    Path: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Select checkbox "Limit number of parent processes number in the process chain to:" 1

    Under File Rating: Trusted

    Please make sure the rule is moved Up to the top.

    vlc_A8Lcb6iriw.png

    Note: The option "Do NOT apply the selected action to child processes" must be checked. It will allow Chrome.exe to start cmd.exe, but processes created further by cmd.exe will be treated by CCS according to the rules and not just be ignored.

    Please reach us if you still have any queries.

    Kind Regards,
    PremJK
    Last edited by PremJkumar; 05-17-2021, 03:09 PM.
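
Added example (not from the thread and not vendor code): a simplified Python model of how the two scoping options in the rule from post #2, the parent-process limit of 1 and "Do NOT apply the selected action to child processes", narrow what the exemption covers. The matching semantics, the names `IgnoreRule` and `decide`, and the sample process chains are assumptions made for illustration; file ratings are not modelled.

```python
# Simplified model of the Ignore rule's scoping options (assumed semantics,
# not the vendor's implementation). File ratings are not modelled.
from dataclasses import dataclass
from typing import List


@dataclass
class IgnoreRule:
    target: str             # "Target" file the rule exempts
    started_by: str         # path under "Files Started by Processes"
    max_parent_depth: int   # "Limit number of parent processes ... to"
    skip_children: bool     # "Do NOT apply the selected action to child processes"


def _exempt(chain: List[str], i: int, rule: IgnoreRule) -> bool:
    """True if chain[i] is the target and the named parent is close enough."""
    nearest = chain[:i][::-1][:rule.max_parent_depth]  # closest parent first
    return chain[i] == rule.target.lower() and rule.started_by.lower() in nearest


def decide(chain: List[str], rule: IgnoreRule) -> str:
    """chain: image paths from oldest ancestor to the process being started.
    Returns "ignore" if the rule exempts it, else "default" (normal rules)."""
    chain = [p.lower() for p in chain]  # Windows paths compare case-insensitively
    last = len(chain) - 1
    if _exempt(chain, last, rule):
        return "ignore"
    # With the child-process option unchecked, descendants of an exempted
    # process inherit the exemption.
    if not rule.skip_children and any(_exempt(chain, i, rule) for i in range(1, last)):
        return "ignore"
    return "default"


# Values from post #2; the process chains below are constructed samples.
CMD = r"C:\Windows\system32\cmd.exe"
CHROME = r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
RULE = IgnoreRule(CMD, CHROME, max_parent_depth=1, skip_children=True)

if __name__ == "__main__":
    samples = {
        "chrome -> cmd": [CHROME, r"C:\WINDOWS\system32\cmd.exe"],
        "chrome -> powershell -> cmd": [CHROME, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", CMD],
        "chrome -> cmd -> ping": [CHROME, CMD, r"C:\Windows\system32\ping.exe"],
    }
    for name, chain in samples.items():
        print(f"{name:30} {decide(chain, RULE)}")
```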



    • #3
      PremJkumar

      Thank you, that is exactly all I needed, how to deal with a (false/safe) issue, screenshots and clear instructions.

      I did get a response from the help desk, not sure what to make of it, however?

      I assume the rule above allows the process without any further issues, the help desk suppresses the actual alert but it still gets blocked or contained in the background, must slow down the system when doing this all the time?

      HELPDESK
      ************************************************** **************

      Hello,

      Please open Endpoint Manager -> Configuration Templates -> Profiles -> Click on the profile name which is assigned to the device generating this alert -> Containment -> Settings -> Enable the option 'Do not show privilege elevations alerts' and click 'Save' button.

      Please verify the status after 30 minutes and update us the result.

      Regards,

      (removed)

      ITarian Support
      ************************************************** *************

      Thank you both for the response, rules seem the correct way to go moving forward.

      mcfproservices
