The issue seems to be fixed with the 13.02 release.
Sysmon 12.03 - FileDelete rules on Win2008 R2 cause Sysmon to crash
Hi,
We identified that when enabling FileDelete rules on Win2008 R2, Sysmon.exe encounters an error and makes the system almost unresponsive. In some extreme cases, Sysmon cannot be uninstalled without restarting in safe mode.
The following configuration has been tested on an up to date 2008R2 with Sysmon 12.03:
<Sysmon schemaversion="4.40">
  <EventFiltering>
    <!-- Event ID 22 == FileDelete. -->
    <RuleGroup name="" groupRelation="or">
      <FileDelete onmatch="include">
        <TargetFilename condition="is">C:\Windows\temp\DELETEME.txt</TargetFilename>
      </FileDelete>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
When launching an app, iexplore.exe for example, an Application Error log is created for Sysmon:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Task>100</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2020-11-30T10:35:11.000000000Z" />
    <EventRecordID>889</EventRecordID>
    <Channel>Application</Channel>
    <Computer>WIN-0I5EAUBRCFP</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Sysmon64_12.03.exe</Data>
    <Data>12.0.3.0</Data>
    <Data>5fbbe1ab</Data>
    <Data>KERNELBASE.dll</Data>
    <Data>6.1.7601.24545</Data>
    <Data>5e0eb6bd</Data>
    <Data>c0000005</Data>
    <Data>000000000000c4d2</Data>
    <Data>6bc</Data>
    <Data>01d6c70475c65a43</Data>
    <Data>C:\Windows\Sysmon64_12.03.exe</Data>
    <Data>C:\Windows\system32\KERNELBASE.dll</Data>
    <Data>b8c26047-32f7-11eb-ac4b-08002796838c</Data>
  </EventData>
</Event>
Our workaround is to completely remove rules related to the FileDelete event at the moment, but this is an unsatisfactory solution.
Many thanks in advance for your help.