Unable to launch application with Cylance Memory Protection Enabled

Cylance must be run in compatibility mode in order for the VDA and Cylance to run on the same machine. Follow the steps below to put Cylance in compatibility mode.

Solution 1

Problem: When using Memory Protection, there are some compatibility issues with other products.

Issue: The original design for Memory Protection is to inject at the earliest possible point during process startup. However, other products that also monitor memory processes handle injections differently and may not be prepared for injection as early in the process as Memory Protection. This causes the other application to crash. To resolve this issue, you can add a registry key to the Cylance Desktop registry folder to allow Memory Protection to inject in the same manner as other applications. Compatibility Mode has been tested with the following products:

  • AppSense
  • BeyondTrust
  • PowerBroker
  • Citrix Cygwin Easy
  • Detect Safe Browsing
  • Lumension

Solution: Compatibility Mode works when Memory Protection is enabled or when Memory Protection and Script Control are enabled. It does not work when only Script Control is enabled. While Memory Protection and Script Control use the same core functions, the way each feature protects a device is different.

Add the following registry key to enable Compatibility Mode:

Using the Registry Editor, go to HKEY_LOCAL_MACHINE\SOFTWARE\Cylance\Desktop. Right-click Desktop, click Permissions, then take ownership and grant yourself Full Control. Right-click Desktop, then select New > Binary Value.

For the name, type CompatibilityMode. Open the registry setting and change the value to 01. Click OK, then close Registry Editor. A restart of the system is not required.

Instead, you can: Disable Memory Protection in the Policy, then save the Policy. Also disable Script Control, if it is enabled. Add Compatibility Mode to the registry. Enable Memory Protection and save the Policy. Also enable Script Control, if necessary. When the policy is applied to the Agent, this triggers the driver to apply the registry change.

Command Line Options

Single Machine – Using PsExec

    psexec -s reg add HKEY_LOCAL_MACHINE\SOFTWARE\Cylance\Desktop /v CompatibilityMode /t REG_BINARY /d 01

Multiple Machines – Using PsExec

    psexec -s @C:\temp\hosts.txt reg add HKEY_LOCAL_MACHINE\SOFTWARE\Cylance\Desktop /v CompatibilityMode /t REG_BINARY /d 01

Where: "C:\temp\hosts.txt" contains a list of all the hosts.

Multiple Machines – Using PowerShell

    $servers = "testComp1","testComp2","textComp3"
    $credential = Get-Credential -Credential "{UserName}\administrator"
    # Set-ItemProperty creates the binary value, or overwrites it if it already exists.
    Invoke-Command -ComputerName $servers -Credential $credential -ScriptBlock {Set-ItemProperty -Path HKLM:\Software\Cylance\Desktop -Name CompatibilityMode -Type Binary -Value ([byte[]](0x01))}

-OR-

    # New-ItemProperty creates the binary value and fails if it already exists.
    Invoke-Command -ComputerName $servers -Credential $credential -ScriptBlock {New-ItemProperty -Path HKLM:\Software\Cylance\Desktop -Name CompatibilityMode -PropertyType Binary -Value ([byte[]](0x01))}

Note: The Compatibility Mode key must be added to the registry before you enable Memory Protection, or Memory Protection and Script Control, in the Policy.

Solution 2

For users who are not able to use Cylance Compatibility Mode and cannot remove or edit the parent hook (mfaphook.dll, radeaphook.dll, and ctxsbxhook.dll), the alternate solution is to implement Citrix API hook exclusions on a per-application basis.

We can add Cylancesvc.exe to the exclusion list.

For Windows 32-bit version, key:

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CtxHook
Value Name: ExcludedImageNames
Type: REG_SZ
Value: Cylancesvc.exe,AppName2.exe,AppName3.exe

For Windows 64-bit version, keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CtxHook
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\CtxHook
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\CtxHook64
Value Name: ExcludedImageNames
Type: REG_SZ
Value: Cylancesvc.exe,AppName2.exe,AppName3.exe

Note: The CtxHook64 key does not exist on Windows 2008 R2 and it is not required. For additional information please refer to CTX107825 – How to Disable Citrix API Hooks on a Per-application Basis
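
Both solutions change how products hook into processes, so it is worth confirming afterwards exactly what was set. The following read-only check is an added example, not part of the original article or vendor code: it reports the CompatibilityMode value from Solution 1 and the ExcludedImageNames entries from Solution 2. The function name and output columns are assumptions; the key paths and value names are the ones given above.

```powershell
# Added example, not vendor code. Read-only: it changes nothing in the registry.
# Key paths and value names come from the article; the function name is hypothetical.
function Get-CylanceCitrixCompatState {
    param([string]$Image = 'Cylancesvc.exe')

    # One output row per registry value checked.
    function Row($Path, $Name, $State, $Detail) {
        [pscustomobject]@{ Path = $Path; Name = $Name; State = $State; Detail = $Detail }
    }

    # Solution 1: CompatibilityMode must be REG_BINARY holding the single byte 01.
    $path = 'HKLM:\SOFTWARE\Cylance\Desktop'
    $key  = Get-Item -Path $path -ErrorAction SilentlyContinue
    if (-not $key) {
        # The key is permission-restricted, so "absent" and "not readable" look the same here.
        Row $path 'CompatibilityMode' 'KeyMissingOrDenied' $null
    } elseif ($key.GetValueNames() -notcontains 'CompatibilityMode') {
        Row $path 'CompatibilityMode' 'ValueMissing' $null
    } else {
        $kind  = $key.GetValueKind('CompatibilityMode')
        $bytes = @($key.GetValue('CompatibilityMode'))
        $ok    = $kind -eq 'Binary' -and $bytes.Count -eq 1 -and $bytes[0] -eq 1
        $state = if ($ok) { 'OK' } else { 'WrongTypeOrData' }
        Row $path 'CompatibilityMode' $state "$kind $($bytes -join ' ')"
    }

    # Solution 2: each CtxHook key should list the image in ExcludedImageNames (REG_SZ, comma-separated).
    # CtxHook64 is absent on Windows 2008 R2, where the article says it is not required.
    foreach ($path in 'HKLM:\SOFTWARE\Citrix\CtxHook',
                      'HKLM:\SOFTWARE\Wow6432Node\Citrix\CtxHook',
                      'HKLM:\SOFTWARE\Wow6432Node\Citrix\CtxHook64') {
        $key = Get-Item -Path $path -ErrorAction SilentlyContinue
        if (-not $key) { Row $path 'ExcludedImageNames' 'KeyMissingOrDenied' $null; continue }
        if ($key.GetValueNames() -notcontains 'ExcludedImageNames') {
            Row $path 'ExcludedImageNames' 'ValueMissing' $null; continue
        }
        $names = @(([string]$key.GetValue('ExcludedImageNames')) -split ',' |
                   ForEach-Object { $_.Trim() } | Where-Object { $_ })
        $state = if ($names -contains $Image) { 'OK' } else { 'ImageNotExcluded' }
        # Detail lists every excluded image so unexpected entries stand out in review.
        Row $path 'ExcludedImageNames' $state ($names -join ', ')
    }
}

Get-CylanceCitrixCompatState | Format-Table -AutoSize
```

To check the hosts in $servers, the function body can be passed to Invoke-Command as -ScriptBlock ${function:Get-CylanceCitrixCompatState}.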

