SCOM - MonitoringHost.exe sometimes creates a random file named C:\Windows\Temp\tsv5n12q\tsv5n12q.0.cs

Yakymuk Serhii 0 Reputation points
2023-07-20T09:35:52.8533333+00:00

The SCOM Agent on the server sometimes creates a file in C:\Windows\Temp\ in a randomly named directory, with a random file name such as tsv5n12q.0.cs

Example from the Event Log (SRMSVC: 8215):

 User NT AUTHORITY\SYSTEM attempted to save C:\Windows\Temp\tsv5n12q\tsv5n12q.0.cs to C:\ on the "ServerName" server. This file is in the "CryptoBlockerGroup2" file group, which is not permitted on the server. 
   C:\ 
   "CryptoBlockerGroup2" 
   C:\Windows\Temp\tsv5n12q\tsv5n12q.0.cs 
   11172 
   C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe 
   NT AUTHORITY\SYSTEM 

Operations Manager

1 answer

  1. XinGuo-MSFT 21,051 Reputation points
    2023-07-21T09:37:00.0266667+00:00

    Hi,

    Based on this information, there are a few things you can consider:

    1. Investigate the Source: Check the origin of the attempted file creation. This is typically done by the Microsoft Monitoring Agent (MonitoringHost.exe) as part of the SCOM monitoring process. You may want to review SCOM configurations, rules, and monitoring settings to understand why this specific file is being created and attempted to be saved on the system.
    2. Review SCOM Monitoring Rules: Within SCOM, review the monitoring rules and configurations that are relevant to the "CryptoBlockerGroup2" file group. Check if there are any specific configurations or overrides that might explain the attempted file creation and whether it is intentional or not.
    3. Security Policies: Look into the security policies and access control settings on the "C:" drive, especially for the "CryptoBlockerGroup2" file group. Ensure that the policy aligns with the organization's security requirements and that there are no unexpected misconfigurations.
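To support the "investigate the source" step in the answer above, here is an added example (not part of the original question or answer, and not Microsoft code) that parses SRMSVC 8215 message text and counts blocked saves per process, file group and extension. The regular expression follows the message layout quoted in the question; the function names and the second sample event are constructed for illustration.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Message layout taken from the SRMSVC 8215 event quoted in the question.
# The path group is greedy so a file path containing " to " still parses.
MSG = re.compile(
    r'User (?P<user>.+?) attempted to save (?P<path>.+) to (?P<screened>.+?) '
    r'on the "(?P<server>[^"]*)" server\. '
    r'This file is in the "(?P<group>[^"]*)" file group'
)

def parse_8215(text):
    """Return the fields of one 8215 event, or None if the text does not match."""
    m = MSG.search(text)
    if m is None:
        return None
    path = PureWindowsPath(m["path"])
    # The process image is the event-data line that ends in .exe.
    exe = next((line.strip() for line in text.splitlines()
                if line.strip().lower().endswith(".exe")), None)
    return {
        "user": m["user"], "path": str(path), "screened": m["screened"],
        "server": m["server"], "group": m["group"], "process": exe,
        "extension": path.suffix.lower(),
        # True for the pattern in the question: <name>\<name>.0.cs
        "dir_equals_stem":
            path.parent.name.lower() == path.name.split(".")[0].lower(),
    }

def summarize(events):
    """Count blocked saves per (process, file group, extension)."""
    rows = (parse_8215(e) for e in events)
    return Counter((r["process"], r["group"], r["extension"]) for r in rows if r)

# Constructed samples: the first reuses the values quoted in the question,
# the second is invented for contrast.
SAMPLES = [
    r'''User NT AUTHORITY\SYSTEM attempted to save C:\Windows\Temp\tsv5n12q\tsv5n12q.0.cs to C:\ on the "ServerName" server. This file is in the "CryptoBlockerGroup2" file group, which is not permitted on the server.
C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe''',
    r'''User CONTOSO\jdoe attempted to save D:\Shares\Docs\notes.locked to D:\Shares on the "ServerName" server. This file is in the "CryptoBlockerGroup2" file group, which is not permitted on the server.
C:\Windows\explorer.exe''',
]

if __name__ == "__main__":
    for key, count in summarize(SAMPLES).items():
        print(count, key)
```

A process that appears repeatedly with `dir_equals_stem` set and a source-code extension is writing to its own temporary directory, which is a different triage path from a user process writing screened extensions into a share.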
