Endpoint Security Assessment - Troubleshooting


Hi there! 
I’m doing a POC with a customer that has CrowdStrike Falcon as their solution.
We are testing EDR assessment. 

Before we start, I sent him some URLs as pre-req: 

C:\Program Files\Cymulate\Agent\**
C:\Program Files\Cymulate\Agent\Executor\220.0 

We’re facing some issues because the assessment is not working properly.
Below is the attack trace.

[2024-05-31 15:53:56] - Scenario::StartScenarioExecutor() Exception - ProgProcess.Start(C:\Program Files\Cymulate\Agent\Executor\220.0\CymulateEDRScenarioExecutor.exe) - System.ComponentModel.Win32Exception (5): An error occurred trying to start process 'C:\Program Files\Cymulate\Agent\Executor\220.0\CymulateEDRScenarioExecutor.exe' with working directory 'C:\Program Files\Cymulate\Agent\Executor\220.0'. Acesso negado.
at System.Diagnostics.Process.StartWithCreateProcess(ProcessStartInfo startInfo)
at CymulateEDR.Scenario.StartScenarioExecutor()

And I already sent my customer the KB about CrowdStrike.
I really don’t know what’s going on, and of course PROBABLY my customer did not apply all the steps that this KB requests (CrowdStrike Falcon - Setting up Exclusions).

I mean, is there anything else that I should whitelist?

Thank you!! 

3 replies


That looks like a whitelisting problem. Cymulate cannot launch the scenario executor process as it's most likely being blocked by CrowdStrike.


Hi @eduardo_elias 

Please follow this guide for CrowdStrike [Falcon] exclusions:

Hi Eduardo,

That is due to an exclusions problem. Follow the guide that Or Hamra sent you, and ask them to send you the evidence, because they are quite reluctant to make the exclusions in CrowdStrike. The other thing: you should change the folder where the payloads are executed, because CrowdStrike blocks access anyway in some cases =).