Shappelle
Enthusiast

SEP 14's GEM blocking Google Chrome from running as App Stack Win7 App Vol 2.12.1

Greetings:

Is anyone using SEP 14? It seems that the Generic Exploit Mitigation feature blocks Google Chrome from running as an AppStack.

Win10 works absolutely fine. Also, App Volumes 2.11 works fine as well. I can provision the AppStack in AppVol 2.11 with SEP 14 and Win 7, no problem. I deploy it and it opens.
It is only the combination of SEP 14 (with GEM), Win7, and App Vol 2.12.1.

I imagine there may be other applications that run into this issue, but so far I have only been able to discover it with Chrome.

6 Replies
jahegyi
Enthusiast

We are running SEP 14 reduced client in VDI but have not enabled GEM. We were using Microsoft EMET for a short period of time last year and it was a disaster with the amount of company-wide issues it caused. We had engineers that were spending their entire day chasing down and fixing issues for weeks before we pulled it with little to no help from Microsoft.

Because of that, we have not begun performing any testing with GEM. Symantec gave us the same dog and pony show as Microsoft did about how awesome the software was and how it would cause no issues; it seemed almost word for word.

That said, I'm not surprised because we have had our fair share of issues specific to AppVolumes and UEM because of SEP and DLP. Symantec, at least on our end, has been quick to point the blame at anything but their own software. If you disable GEM does everything work as intended?

Shappelle
Enthusiast

With GEM disabled, it works fine. It is only the combination of AppVol 2.12.1, SEP 14, and Win 7. Windows 10 works fine even with GEM on, and Windows 7 works fine with SEP 14 and AppVol 2.11.

rogal7
Enthusiast

I had the same issue and the only workaround was to use port 80 (HTTP) instead of port 443 (SSL) on both the App Volumes Manager and the App Volumes Agent.

rogal7
Enthusiast

Try one more thing:

1) Go to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\svdriver\Parameters]

2) There is a Multi-String value there called "HookInjectionWhitelist"

3) Remove *chrome.exe||* from the list

Erossman
Enthusiast

I saw the same issue last week with App Volumes 2.13, Win7 x64 and SEP 14.

I already tried to capture Chrome without SEP 14 installed on my provisioning VM, but this does not fix the issue.

The only thing which helps to solve the issue is to remove chrome.exe from the "HookInjectionWhitelist" in the registry.

But I don't know how I can permanently remove this chrome.exe entry from all my linked-clone VMs?

I removed it during the App Volumes capturing process, but it reappears on my assigned linked-clone VMs!?

Please help.

wakeman811
Enthusiast

Hello,

Update the parent image the linked-clones are using and recompose the pool.

Additionally, a GPO may work to adjust this setting as well; however, a reboot may be needed for it to take effect.

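As an added example (not from any poster in this thread, nor VMware's or Symantec's own tooling), here is a PowerShell script that applies the registry workaround described above in a form that can be baked into the parent image before a recompose or pushed as a GPO startup script. It uses the svdriver key and the HookInjectionWhitelist value named in the thread; the assumption that any entry mentioning chrome.exe (whatever its wildcard or separator decoration) is the one to drop, and the backup file location, are mine.

```powershell
# Added example: remove chrome.exe from the App Volumes svdriver HookInjectionWhitelist.
# Run elevated. svdriver only rereads the list at boot, so reboot afterwards (per the thread).
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\services\svdriver\Parameters'
$ValueName = 'HookInjectionWhitelist'
# Assumption: drop every entry that names chrome.exe, regardless of surrounding "*" or "||".
$Pattern   = 'chrome\.exe'

if (-not (Test-Path $KeyPath)) {
    throw "svdriver key not found at $KeyPath (is the App Volumes agent installed?)"
}

$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction Stop).$ValueName
# A one-entry REG_MULTI_SZ can come back as a plain string; normalise to an array.
$current = @($current)

# Keep a copy of the original list for rollback (location is an assumption).
$backup = Join-Path $env:ProgramData 'svdriver-HookInjectionWhitelist.bak.txt'
$current | Set-Content -Path $backup -Encoding Unicode

$removed = @($current | Where-Object { $_ -match $Pattern })
$kept    = @($current | Where-Object { $_ -notmatch $Pattern })

if ($removed.Count -eq 0) {
    Write-Output "No chrome.exe entry in $ValueName; nothing to change."
    return
}

Write-Output "Removing from ${ValueName}: $($removed -join ', ')"
# Write back explicitly as REG_MULTI_SZ so the value type is preserved even if $kept is empty.
Set-ItemProperty -Path $KeyPath -Name $ValueName -Value ([string[]]$kept) -Type MultiString

# Read the value back and verify the entry is really gone before reporting success.
$after = @((Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName)
if (@($after -match $Pattern).Count -gt 0) {
    throw "chrome.exe entry still present in $ValueName after write"
}
Write-Output "Done: $($kept.Count) entries remain; backup written to $backup. Reboot to apply."
```

Because the value lives under HKLM, the same script works unchanged whether it runs in the parent image before recompose or at machine startup via GPO, and the backup file gives a quick way to restore the original list if another App Volumes behaviour depends on it.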