Carbon Black Cloud: Repux.exe or Scanhost.exe unable to start after Windows Update

Environment

  • Carbon Black Cloud Sensor: version 3.6.0.1941, 3.6.0.1979
    • Endpoint Standard (formerly CB Defense)
    • Enterprise EDR (formerly CB ThreatHunter) 
    • Audit & Remediation (formerly CB LiveOps)
  • Windows 10 KB4598229 Security update or KB4592449 cumulative update, but it can also happen with other Windows updates 

Symptoms

  • Windows error: 'Repux.exe - Application Error: The application was unable to start correctly (0xc0000022) click ok to close the application' (repux.exe is responsible for displaying the Local Sensor UI when enabled)
  • In some cases when the above error is observed, scanhost.exe, which is responsible for the Local Scanner function, may also fail to start. If scanhost.exe fails to start, an error message will not be observed.

Cause

  • In Sensor version 3.6.0.1941 or 3.6.0.1979, the Carbon Black Cloud tamper policy requires all Microsoft DLL(s) to be signed.
  • Per Microsoft's "December 8, 2020—KB4592449 (OS Builds 18362.1256 and 18363.1256)": "System and user certificates might be lost when updating a device from Windows 10, version 1809 or later to a later version of Windows 10."
  • If the sensor does not get correct signature information for these DLLs, the tamper protection policy blocks them from loading into CB processes such as repux.exe and scanhost.exe.
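
One way to check an affected endpoint for the condition described under Cause, as an added example that is not VMware or Microsoft code. It assumes that a Microsoft DLL failing `Get-AuthenticodeSignature` validation approximates what the sensor's tamper policy sees; the function names, the System32 scan path and the sample size are choices made for this example.

```powershell
# Added diagnostic sketch; not VMware or Microsoft code.
# Assumption: a Microsoft DLL that fails validation here is a candidate for
# what the sensor's tamper policy would refuse to load into its processes.

# KB numbers named in this article (other Windows updates can also trigger it).
$ArticleKbIds = 'KB4598229', 'KB4592449'

function Get-ArticleUpdate {
    param([string[]]$Id = $ArticleKbIds)
    # Get-HotFix writes an error for IDs that are not installed; suppress it.
    Get-HotFix -Id $Id -ErrorAction SilentlyContinue |
        Select-Object HotFixID, InstalledOn
}

function Get-UnverifiedMicrosoftDll {
    param(
        [string]$Path = (Join-Path $env:SystemRoot 'System32'),
        [int]$First = 500    # sample size, keeps the scan short
    )
    Get-ChildItem -Path $Path -Filter '*.dll' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.VersionInfo.CompanyName -like '*Microsoft*' } |
        Select-Object -First $First |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    File   = $_.Name
                    Status = $sig.Status    # NotSigned, NotTrusted, HashMismatch, ...
                    Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                }
            }
        }
}

$updates = @(Get-ArticleUpdate)
$failed  = @(Get-UnverifiedMicrosoftDll)

if ($updates.Count) { $updates | Format-Table -AutoSize }
else { 'Neither KB named in the article is listed by Get-HotFix.' }

"{0} sampled Microsoft DLL(s) failed signature validation." -f $failed.Count
$failed | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
$failed | Select-Object -First 20 | Format-Table -AutoSize
```

Many Microsoft DLLs failing validation at once is consistent with the certificate loss quoted above; a clean result suggests the startup failure has a different cause, such as the third-party DLL case under Additional Notes.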

Resolution

  • Upgrade to sensor version 3.6.0.2076 or higher.
  • If an upgrade is not possible, the following workarounds are available:
    • Disable "Display sensor message in system tray" in the Carbon Black Cloud Policy > Sensor tab. (This only prevents repux.exe application errors from occurring. It does not resolve the issue with scanhost.exe failing to start.)
    • Uninstall/reinstall the sensor. This will likely eliminate the issue only temporarily, until the next reboot or Windows update.
    • Implement the workaround suggested by Microsoft in December 8, 2020—KB4592449 (OS Builds 18362.1256 and 18363.1256): "If you have already encountered this issue on your device, you can mitigate it within the uninstall window by going back to your previous version of Windows using the instructions here." (Hold off on reinstalling the Windows update until an updated version of the Carbon Black Cloud Sensor is available.)
    • Downgrade to sensor 3.6.0.1719 or earlier (uninstalling the current sensor version is required).

Additional Notes

  • This KB describes only one possible reason for repux.exe and scanhost.exe startup failures. Test out one of the available workarounds to verify that the specific issue described in this KB is the same issue occurring in your environment. If the issue persists, it is likely that the repux.exe or scanhost.exe startup failures are occurring for a separate reason.
  • This issue may also be observed when tamper protection detects third-party DLLs (e.g., other AV software) attempting to load into CB processes. To avoid these types of issues, VMware Carbon Black always recommends that you exclude the locations listed in Carbon Black Cloud: Recommended Third-Party Anti-virus Exclusions if using another security or anti-virus utility.

    Article Information
    Creation Date: 01-20-2021