7 Replies Latest reply on Jul 14, 2017 1:25 PM by brossi

    Windows 10 Creators b1703 and COM Surrogate Error DllHost.exe

    konecnym

      Hello all,

       

      We updated some PC  from Windows 10  b1607->b1703 in my LAB enviroment.

      All PC have error messages "Program COM Surrogate not responding". (Error show every click on Start/Metro menu, -> call DllHost.exe (in System32))

      We have ePO 5.3.2 MA 5.0.5.658  and VSE 8.8 P9 and HIPS 8.0 P9 (all these version are with support Win 1703)

      McAfee products were installed before and too in update process to new Win 10 b1703.

      When we tried ENS 10.5.1 (so with support Win 10 b1703) there is the same errror message. 


      After uninstall VS and HIPS  this error disapear.

       

      Do you have any the same problem ?

      Did you find some solution ?  
      I´ll escalate to Platinum

       

      Michal

       

      In Sum:

      After update to Win 10 b1703 error message "Program COM Surrogate not responding"

      After Uninstall VSE 8.8 P9 and HIPS 8.0. P9 this problem disappeared. (the same with ENS 10.5.1)

        • 1. Re: Windows 10 Creators b1703 and COM Surrogate Error DllHost.exe
          frank_enser

          Hi,

           

          we're seeing the same compatibility problem with ENS and Creators Update at our customers. We traced the issue back to the "protection" of the dllhost.exe with the exploit prevention modul.

          So we temporary disabled the rule, and the error was gone: Policy Catalog -> Endpoint Security Threat Prevention -> Exploit Prevention -> [Policy] -> Application Protection Rules -> Microsoft DLL Hosting Services (disable this rule).

           

          But be advised, this lowers the security, and please open a SR with McAfee, so they can track and prioritize the issue accordingly

           

          Regards,

          Frank

          • 2. Re: Windows 10 Creators b1703 and COM Surrogate Error DllHost.exe
            konecnym

            So ... here you are some update ...

             

            1) The Error it shows only when is HIPS 8.0 P9 installed.
                 (inc. HIPS Content 8.0.0.7691)
                 But only after restart, when is all HIPS components loaded.
                 Disable IPS rules 428 and 3761 does not solve it.
                 If I disable IPS Host in HIPS this error disapear.
                 So problem is in IPS in HIPS 8.0 P9 !

             

            2) ENS 10.5.1 have the same problem (some FW component)
                ... so here you are McAfee Corporate KB - dllhost.exe crashes after deploying a Sysprep image or performing a Cortana search on a Windows 10…

             

            We are looking still further ......

            • 3. Re: Windows 10 Creators b1703 and COM Surrogate Error DllHost.exe
              youngs

              Hi,

              We had this same issues, after a call to support were directed to the above KB.   We added the exclusion based on the KB and everything is working fine.   If you trying to use the signer for the dllhost.exe exclusion I was only able to get this to work on HIPS.  As for ENS 10.5.1 there seems to be issues with putting the signer as part of the exclusion, I still plan to call support back on this not working in ENS 10.5.1.

               

              Scott

              • 4. Re: Windows 10 Creators b1703 and COM Surrogate Error DllHost.exe
                konecnym


                OK Exclusion is only temporary solution.  But not secure solution.
                We expect new HIPS content (but i hope for exact exeption (CRC or Thumb) any settings for path **\hostdll.exe.

                 

                SA_n.jpg
                Exclude.jpg

                1 of 1 people found this helpful
                • 5. Re: Windows 10 Creators b1703 and COM Surrogate Error DllHost.exe
                  youngs

                  Try setting this as an Exception Rule for IPS policy,  doing it based on Application Protection Rules then yes I agree this isn't a secure solution.  Based on the KB you can create Exception Rule for only Signatures 428 and 3761 and exclude the dllhost.exe.

                   

                  When I was talking to support they said that Microsoft no considers dllhost.exe a protected windows files, this is why HIPS / ENS can't inject there protection of dllhost.exe.  I was told that McAfee hopes to have this fixed in HIPS patch 10 and ENS 10.5.2 or 10.6, of course no time lines for these releases yet.

                   

                  Steps below is how I created the exclusion for our environment:

                  1. Created new policy based off our default IPS Rules.

                  2. Create an exclusion based on the KB89023 (See attachment below)

                  3. Created new tag to identify our Windows 10 Creator (1703), Criteria we used OS Build Number = 15063.

                  4. Created a Policy Assignment Rules to apply the new IPS Rule to the identified Windows 10 Creator devices.

                   

                  For ENS 10.5.1 we did similar:

                  1. Created new Exploit Prevention policy

                  2. Create an exclusion based on the KB89023 (See attachment below)

                  3. Added policy to the above Policy Assignment Rule that we created for HIPS. (Did it this way for both as we are in testing phase for ENS 10.5.1)

                   

                  Note:  Right now I can't seem to get signer working for the executable.  Going to call support next week on this one.

                  1 of 1 people found this helpful
                  • 6. Re: Windows 10 Creators b1703 and COM Surrogate Error DllHost.exe
                    brossi

                    Hi all,

                    Looking through all sorts of possible fixes and how this is a McAfee issue and I figured out a fix without changing McAfee at all.  The dllhost.exe is associated to Thumbnails and seems to have issues displaying them.  Here is how I stopped receiving this error after upgrading to 1703.

                     

                    Open Windows Explorer > View > Options > Change folder and search options > View Tab > Place a check in the box "Always show icons, never thumbnails."

                     

                    I did a reboot and I have not received that com surrogate error since.

                     

                    I hope this helps!

                    • 7. Re: Windows 10 Creators b1703 and COM Surrogate Error DllHost.exe
                      brossi

                      We found that this fix works until you click on the Start button which throws the COM Surrogate error.  Still looking!