The above detection rule is wrong. You should be checking IF FILE EXIST C:\WINDOWS\SYSMON.EXE. Not sysmon64.exe.
We internally check on both sysmon.exe and the sysmondrv file (I forget the name)--and we also check on the version #.
Installing Sysmon application using SCCM
Dear Members,
I need your help with installing the Sysmon application using SCCM. It is failing on installation. The logs show that the issue is happening because of the detection method I used.
I used this detection method - File exists - C:\Windows\sysmon64.exe
Please, someone help me with this.
5 answers
Stephen Wyatt 11 Reputation points
2020-12-05T18:34:43.88+00:00 -
UserSan 11 Reputation points
2020-11-20T08:30:36.107+00:00 Dear TuanTrieuu-1005,
Thanks for the reply. While checking SCCM appdiscovery.log, I am getting the below log.
<![LOG[Entering ExecQueryAsync for query "select * from CCM_AppDeliveryType where (AppDeliveryTypeId = "ScopeId_DE3FDE7B-BE29-4BD1-B7D1-6C7BA5C098AA/DeploymentType_80296fc5-ca27-4e74-be08-027b11dd5b9b" AND Revision = 6)"]LOG]!><time="16:26:59.552-180" date="11-11-2020" component="AppDiscovery" context="" type="1" thread="10460" file="appprovider.cpp:411">
<![LOG[ Performing detection of app deployment type Sysinternals Sysmon(ScopeId_DE3FDE7B-BE29-4BD1-B7D1-6C7BA5C098AA/DeploymentType_80296fc5-ca27-4e74-be08-027b11dd5b9b, revision 6) for system.]LOG]!><time="16:26:59.554-180" date="11-11-2020" component="AppDiscovery" context="" type="1" thread="10460" file="appprovider.cpp:2128">
<![LOG[+++ Application not discovered. [AppDT Id: ScopeId_DE3FDE7B-BE29-4BD1-B7D1-6C7BA5C098AA/DeploymentType_80296fc5-ca27-4e74-be08-027b11dd5b9b, Revision: 6]]LOG]!><time="16:26:59.566-180" date="11-11-2020" component="AppDiscovery" context="" type="1" thread="10460" file="localapphandler.cpp:291">
<![LOG[+++ Did not detect app deployment type Sysinternals Sysmon(ScopeId_DE3FDE7B-BE29-4BD1-B7D1-6C7BA5C098AA/DeploymentType_80296fc5-ca27-4e74-be08-027b11dd5b9b, revision 6) for system.]LOG]!><time="16:26:59.566-180" date="11-11-2020" component="AppDiscovery" context="" type="1" thread="10460" file="appprovider.cpp:545">
<![LOG[ ActionType - Install will use Content Id: Content_7cd603ff-a887-4b63-87b2-066c41f4299f + Content Version: 1 for AppDT "Sysinternals Sysmon" [ScopeId_DE3FDE7B-BE29-4BD1-B7D1-6C7BA5C098AA/DeploymentType_80296fc5-ca27-4e74-be08-027b11dd5b9b], Revision - 6]LOG]!><time="16:26:59.807-180" date="11-11-2020" component="AppDiscovery" context="" type="1" thread="10460" file="appprovider.cpp:1548">
Please help.
Tuan Trieu 1 Reputation point
2020-11-20T06:21:57.767+00:00 @SanuMundathil-6605 Could you please upload the logs or a screenshot of the error message? Also, you can follow this guide to debug on the client side!
Tuan Trieu 1 Reputation point
2020-11-23T22:18:34.023+00:00 @SanuMundathil-6605 could you please attach all CCM Logs:
AppIntentEval.log -
Leonid Zubchevsky 0 Reputation points
2024-01-19T05:48:59.96+00:00 Good day, for your convenience:
program installation: Sysmon64.exe -i -accepteula
program detection:
- registry: HKLM\SYSTEM\CurrentControlSet\Services\Sysmon64 Value: ImagePath
- c:\windows\Sysmon64.exe
program removal: Sysmon64.exe -u
The same in screenshots (installation, removal, program detection; images not preserved).
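The file, service ImagePath and version checks suggested in the answers above, combined into one SCCM "script" detection method. This is an added example, not code from the thread or from Sysinternals; the minimum version is a placeholder, and the driver service name SysmonDrv is Sysmon's default, assumed here to be unchanged by the installer.

```powershell
# Added example: SCCM script detection method for Sysmon (not from the thread).
# SCCM rule: if the script writes anything to STDOUT and exits 0, the app is
# "detected"; no output with exit 0 means "not installed" and triggers the install.
$MinimumVersion = [version]'13.0'   # placeholder: set to the version you deploy

# Which binary was deployed decides the file name and the service name.
$Candidates = @(
    @{ Exe = "$env:SystemRoot\Sysmon64.exe"; Service = 'Sysmon64' },
    @{ Exe = "$env:SystemRoot\Sysmon.exe";   Service = 'Sysmon'   }
)

function Test-SysmonInstalled {
    foreach ($c in $Candidates) {
        # 1. The binary itself must be present.
        if (-not (Test-Path -LiteralPath $c.Exe)) { continue }

        # 2. The service ImagePath in the registry must point at that binary.
        $svcKey    = "HKLM:\SYSTEM\CurrentControlSet\Services\$($c.Service)"
        $imagePath = (Get-ItemProperty -Path $svcKey -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if (-not $imagePath) { continue }
        if ($imagePath.Trim('"') -notlike "*$(Split-Path -Path $c.Exe -Leaf)*") { continue }

        # 3. The driver service must be registered too (default name SysmonDrv; assumption).
        if (-not (Test-Path -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services\SysmonDrv')) { continue }

        # 4. Version check: an outdated Sysmon is reported as "not installed" so SCCM upgrades it.
        $fileVersion = (Get-Item -LiteralPath $c.Exe).VersionInfo.FileVersionRaw
        if ($fileVersion -lt $MinimumVersion) { continue }

        return $true
    }
    return $false
}

if (Test-SysmonInstalled) {
    Write-Output 'Installed'   # any STDOUT text plus exit code 0 = detected
}
exit 0
```

Because the script only ever exits 0, a failed check is reported to SCCM as "not installed" rather than as a detection error, which is what makes the version rule drive re-installation.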