Chrome (MSEdge) constant containment pop ups

Hi

I have an issue with many users complaining about pop-ups when opening Chrome or Edge. The containment message pops up constantly, between 10 and 40 times or more in a row. Clicking Ignore does nothing, same as Allow (needing my password).

It is not on all systems, nor common to the one profile; it is over several customers and seems almost random.

I have raised a second support ticket, but have yet to get a response or a way to either disable the alerts or stop them from being contained when all status online have them as Trusted.

There was a response to another ticket: go to chrome/flags manually and set 2 or 3 settings on each affected machine. Not workable and not practical at all, and it did not work on a test machine.

The issue is chrome wanting to run cmd.exe and being blocked.

cmd.exe C:\WINDOWS\system32\cmd.exe F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D 34 Containment Policy chrome.exe Blocked Complete Trusted Trusted 2021/05/17 04:50:25 PM

A sample on one system shows it being blocked - pop up generated a heap of times, in excess of 100 times per hour.

My next step is to disable containment altogether, but what’s the point in having a half-working protection in place?

Does anyone have an idea of how to stop the pop-ups for my clients first, then how to either allow or fix the issues?

I’m close to ditching the system and moving back to other vendors as this is causing far too many calls and requests from end-users.

regards

mcfproservices


Hi @mcfproservices,

Sorry for the trouble caused. We have created a support ticket to analyze this and found from the CCS containment log that chrome.exe tries to start the plugin by starting cmd.exe, and this action was blocked by the CCS Containment predefined rule for the “Pseudo File Downloaders” filegroup.

The only way to exclude such CCS block actions is to create an Ignored Containment rule in order to allow Chrome.exe to start cmd.exe.

Create an Ignore rule with the following criteria:
Types: Files
Target: C:\Windows\system32\cmd.exe

Under Files Started by Processes:
Types: Files
Reputation: Trusted
Path: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Select the checkbox "Limit number of parent processes in the process chain to:" 1

Under File Rating: Trusted

Please make sure the rule is moved up to the top.

Note: The option “Do NOT apply the selected action to child processes” must be checked. It will allow Chrome.exe to start cmd.exe, but processes created further by cmd.exe will be treated by CCS according to rules and not be just ignored.

Please reach us if you still have any queries.

Kind Regards,
PremJK


@PremJkumar

Thank you, that is exactly all I needed: how to deal with a (false/safe) issue, with screenshots and clear instructions.

I did get a response from the help desk, not sure what to make of it, however?

I assume the rule above allows the process without any further issues, while the help desk suppresses the actual alert but it still gets blocked or contained in the background, which must slow down the system when doing this all the time?

HELPDESK


Hello,

Please open Endpoint Manager -> Configuration Templates -> Profiles -> Click on the profile name which is assigned to the device generating this alert -> Containment -> Settings -> Enable the option ‘Do not show privilege elevations alerts’ and click the ‘Save’ button.

Please verify the status after 30 minutes and update us with the result.

Regards,

(removed)

ITarian Support


Thank you both for the response, rules seem the correct way to go moving forward.

mcfproservices