Unable to launch application with Cylance Memory Protection Enabled

Cylance must be run in compatibility mode in order for the VDA and Cylance to run on the same machine. Follow the steps below to put Cylance in compatibility mode.

Solution 1

Problem: When using Memory Protection, there are some compatibility issues with other products.

Issue: The original design for Memory Protection is to inject at the earliest possible point during process startup. However, other products that also monitor memory processes handle injections differently and may not be prepared for injection as early in the process as Memory Protection. This causes the other application to crash. To resolve this issue, you can add a registry key to the Cylance Desktop registry folder to allow Memory Protection to inject in the same manner as other applications. Compatibility Mode has been tested with the following products:

  • AppSense
  • BeyondTrust
  • PowerBroker
  • Citrix Cygwin Easy
  • Detect Safe Browsing
  • Lumension

Solution: Compatibility Mode works when Memory Protection is enabled or when Memory Protection and Script Control are enabled. It does not work when only Script Control is enabled. While Memory Protection and Script Control use the same core functions, the way each feature protects a device is different.

Add the following registry key to enable Compatibility Mode:

  1. Using the Registry Editor, go to HKEY_LOCAL_MACHINE\SOFTWARE\Cylance\Desktop.
  2. Right-click Desktop, click Permissions, then take ownership and grant yourself Full Control.
  3. Right-click Desktop, then select New > Binary Value.
  4. For the name, type CompatibilityMode.
  5. Open the registry setting and change the value to 01.
  6. Click OK, then close Registry Editor.

A restart of the system is not required.

Instead, you can:

  1. Disable Memory Protection in the Policy, then save the Policy. Also disable Script Control, if it is enabled.
  2. Add Compatibility Mode to the registry.
  3. Enable Memory Protection and save the Policy. Also enable Script Control, if necessary.

When the policy is applied to the Agent, this triggers the driver to apply the registry change.

Command Line Options

Single Machine – Using PsExec

    psexec -s reg add HKEY_LOCAL_MACHINE\SOFTWARE\Cylance\Desktop /v CompatibilityMode /t REG_BINARY /d 01

Multiple Machines – Using PsExec

    psexec -s @C:\temp\hosts.txt reg add HKEY_LOCAL_MACHINE\SOFTWARE\Cylance\Desktop /v CompatibilityMode /t REG_BINARY /d 01

Where: "C:\temp\hosts.txt" contains a list of all the hosts.

Multiple Machines – Using PowerShell

    $servers = "testComp1","testComp2","textComp3"
    $credential = Get-Credential -Credential {UserName}\administrator
    # New-ItemProperty adds the CompatibilityMode value to the existing Desktop key.
    # (New-Item with -Name would create a subkey called CompatibilityMode, not a value.)
    Invoke-Command -ComputerName $servers -Credential $credential -ScriptBlock {New-ItemProperty -Path HKLM:\Software\Cylance\Desktop -Name CompatibilityMode -PropertyType Binary -Value ([byte[]](0x01))}

Note: The Compatibility Mode key must be added to the registry before you enable Memory Protection, or Memory Protection and Script Control, in the Policy.

Solution 2

For users who are not able to use Cylance Compatibility Mode and cannot remove or edit the parent hooks (mfaphook.dll, radeaphook.dll, and ctxsbxhook.dll), the alternate solution is to implement Citrix API hook exclusions on a per-application basis.

Add Cylancesvc.exe to the Citrix hook exclusion list.

For Windows 32-bit versions, the key is:

    HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CtxHook
    Value Name: ExcludedImageNames
    Type: REG_SZ
    Value: Cylancesvc.exe,AppName2.exe,AppName3.exe

For Windows 64-bit versions, the keys are:

    HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CtxHook
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\CtxHook
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\CtxHook64
    Value Name: ExcludedImageNames
    Type: REG_SZ
    Value: Cylancesvc.exe,AppName2.exe,AppName3.exe

Note: The CtxHook64 key does not exist on Windows 2008 R2 and it is not required. For additional information please refer to CTX107825 – How to Disable Citrix API Hooks on a Per-application Basis.
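A read-only check for both workarounds above, added here as an example (not Cylance or Citrix code): it confirms that CompatibilityMode is a Binary value of 01 rather than a subkey or another type, and reports what each CtxHook key excludes, since every name in ExcludedImageNames is a process that runs without the Citrix hooks. The function names are hypothetical.

```powershell
# Added example: audits the registry settings from Solution 1 and Solution 2.
# Nothing is written; function names are hypothetical.

function Test-CylanceCompatibilityMode {
    $key = Get-Item -LiteralPath 'HKLM:\SOFTWARE\Cylance\Desktop' -ErrorAction SilentlyContinue
    if (-not $key) { return 'Cylance\Desktop key not found' }

    # A subkey with this name means the setting was created as a key, not a value.
    if ($key.GetSubKeyNames() -contains 'CompatibilityMode') {
        return 'CompatibilityMode exists as a subkey, not a value'
    }
    if ($key.GetValueNames() -notcontains 'CompatibilityMode') {
        return 'CompatibilityMode value not set'
    }

    $kind = $key.GetValueKind('CompatibilityMode')
    if ($kind -ne 'Binary') { return "Wrong type: $kind (expected Binary)" }

    $data = $key.GetValue('CompatibilityMode')   # byte[] for a Binary value
    if ($data.Length -eq 1 -and $data[0] -eq 1) { return 'OK' }
    return 'Binary value is not 01'
}

function Test-CtxHookExclusion {
    param([string]$ImageName = 'Cylancesvc.exe')

    $paths = 'HKLM:\SOFTWARE\Citrix\CtxHook',
             'HKLM:\SOFTWARE\Wow6432Node\Citrix\CtxHook',
             'HKLM:\SOFTWARE\Wow6432Node\Citrix\CtxHook64'

    foreach ($p in $paths) {
        $key = Get-Item -LiteralPath $p -ErrorAction SilentlyContinue
        if (-not $key) {
            [pscustomobject]@{ Key = $p; Status = 'key absent'; Others = '' }
            continue
        }
        # ExcludedImageNames is a comma-separated REG_SZ; tolerate spaces and empty entries.
        $raw   = $key.GetValue('ExcludedImageNames')
        $names = @("$raw" -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        $status = if ($names -contains $ImageName) { 'excluded' } else { 'not excluded' }
        # List the other excluded images so unexpected entries can be reviewed.
        [pscustomobject]@{ Key = $p; Status = $status; Others = ($names -ne $ImageName) -join ',' }
    }
}

Test-CylanceCompatibilityMode
Test-CtxHookExclusion | Format-Table -AutoSize
```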

Related:

how to trigger appscan using gradle s

How to trigger app scan using the gradle script.

I have a project which is getting built using gradle script where it has dependency mentioned between multiple packages. Basically when I run my project using cygwin tool it is building successfully. But when I do it using app scan it is giving lots of compilation errors though I have given dependency of all jar files at one place.

So cygwin is using gradle script to compile the source code. But app scan looks like it is just going package by package but no dependency is maintained.

Related:

APIConnect toolkit arrow selection issue with cygwin

Hi Devs,

I installed APIC developer toolkit on my cygwin in windows 7 machine. The problem is that I am unable to select various options using up and down arrow in APIC toolkit cmdline. It seems to be an issue with APIC toolkit on cygwin. The arrow keys work fine on cygwin cmdline. Did anyone have a similar issue?

Thanks,

Related:

Event ID 2026 — Psxrun Availability

Updated: November 14, 2007

Applies To: Windows Server 2008

Subsystem for UNIX-based Applications (SUA) Psxrun Availability indicates the ability of the Psxrun utility to start and run SUA processes.

Problems that can occur with Psxrun Availability include API call failures, incorrect path names or command line parameters, and low virtual memory.

Event Details

Product: Windows Subsystem for UNIX-based Applications
ID: 2026
Source: Microsoft-Windows-SUA-Psxrun
Version: 6.0
Symbolic Name: NOT_ABS_PATH
Message: Program name %1 is not an absolute UNIX path name.

Resolve
Check path name

Verify the path name for the Subsystem for UNIX-based Applications application. Psxrun closed because it could not find the application by using the provided path name.

Verify

Because multiple instances of Psxrun can be running at once, it is best to verify Psxrun in Windows Task Manager not by checking on a particular instance of Psxrun, but by verifying that the specific POSIX process or application launched by using Psxrun is running.

To verify that Psxrun is running:

  1. Open Windows Task Manager by pressing CTRL+ALT+DEL, and then clicking Start Task Manager.
  2. On the Processes tab, select the Show processes from all users check box.
  3. Verify that a specific POSIX process you have started by using Subsystem for UNIX-based Applications is running.

If the POSIX application or process that has been launched by using Psxrun is indicated as running in Task Manager, then Psxrun is fully available. If the process is not running, critical errors are preventing Psxrun from being available.
