This behavior is expected and considered normal. If you trust the third-party remote access software code that's injected into the Winlogon process, a CASP rule can be created. The purpose of the CASP rule is to prevent the Winlogon process from undergoing analysis. Follow the steps provided below.
In ePolicy Orchestrator (ePO):
- Start the ePO console.
- Go to Policy Catalog, Application Control Rules (Windows), <policy name>, Exclusions, Memory Protection.
- Add winlogon.exe as an exclusion from CASP in the Application Control Rules Policy.
On the client:
- Start the command-line interface (CLI) for Solidcore.
- From the CLI prompt, run the sadmin attr add -c winlogon.exe command.
NOTE: When the configuration change is made, a system reboot is required. The reboot guarantees that functionality has been restored for the system and any third-party remote access software installed. winlogon.exe loads during the boot cycle. Because the configuration change is made after winlogon.exe has loaded, the change doesn't take effect until the system is rebooted.
If this solution or workaround does not resolve your issue, log on to the ServicePortal and
create a Service Request. Include this article number in the Problem Description field.