Carbon Black Cloud: Repux.exe or Scanhost.exe unable to start after Windows Update
Carbon Black Cloud Sensor: version 18.104.22.1681 , 22.214.171.1249
Endpoint Standard (formerly CB Defense)
Enterprise EDR (formerly CB ThreatHunter)
Audit & Remediation (formerly CB LiveOps)
Windows 10 KB4598229 Security update or KB4592449 cumulative update, but it can also happen with other Windows updates
Windows error: 'Repux.exe - Application Error: The application was unable to start correctly (0xc0000022) click ok to close the application' (repux.exe is responsible for displaying the Local Sensor UI when enabled)
In some cases when the above error is observed, scanhost.exe, which is responsible for the Local Scanner function, may also fail to start. If scanhost.exe fails to start, an error message will not be observed.
In Sensor version 126.96.36.1991 or 188.8.131.529, the Carbon Black Cloud tamper policy requires all Microsoft DLL(s) to be signed.
If the sensor does not get correct signature information the tamper protection policy will block them from loading into CB processes such as repux.exe and scanhost.exe.
Upgrade to sensor version 184.108.40.2066 or higher
If an upgrade is not possible, the following workarounds are available:
Disable "Display sensor message in system tray" in the Carbon Black Cloud Policy > Sensor tab. (This will only prevent repux.exe application errors from occurring. This will not resolve the issue with scanhost.exe failing to start)
Uninstall/reinstall sensor - this will likely only eliminate issue temporarily until next reboot or Windows update
Implement the Workaround suggested by Microsoft in December 8, 2020—KB4592449 (OS Builds 18362.1256 and 18363.1256): "If you have already encountered this issue on your device, you can mitigate it within the uninstall window by going back to your previous version of Windows using the instructions here." (Hold off on reinstalling the Windows update until updated version of Carbon Black Cloud Sensor is available)
Downgrade to sensor 220.127.116.119 or earlier (uninstall of current sensor version is required)
This KB describes only one possible reason for repux.exe and scanhost.exe startup failures. Test out one of the available workarounds to verify that the specific issue described in this KB is the same issue occurring in your environment. If the issue persists, it is likely that repux.exe or scanhost.exe startup failures may be occurring due to a separate reason.
When tamper protection detects third party DLLs (ex. other av software) attempting to load into CB processes, this issue may also be observed. To avoid these types of issues, VMware Carbon Black always recommends that you exclude the following locations if using another Security or Anti-Virus Utility. See Carbon Black Cloud: Recommended Third-Party Anti-virus Exclusions