M3lon asked:

Sysmon 12.03 - FileDelete rules on Win2008 R2 cause Sysmon to crash

Hi,

We identified that when enabling FileDelete rules on Win2008 R2, Sysmon.exe encounters an error and makes the system almost unresponsive. In some extreme cases, Sysmon cannot be uninstalled without restarting in safe mode.

The following configuration has been tested on an up-to-date 2008 R2 with Sysmon 12.03:

<Sysmon schemaversion="4.40">
  <EventFiltering>
    <!-- Event ID 22 == FileDelete. -->
    <RuleGroup name="" groupRelation="or">
      <FileDelete onmatch="include">
        <TargetFilename condition="is">C:\Windows\temp\DELETEME.txt</TargetFilename>
      </FileDelete>
    </RuleGroup>
  </EventFiltering>
</Sysmon>

When launching an app, iexplore.exe for example, an Application Error log is created for Sysmon:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Task>100</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2020-11-30T10:35:11.000000000Z" />
    <EventRecordID>889</EventRecordID>
    <Channel>Application</Channel>
    <Computer>WIN-0I5EAUBRCFP</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Sysmon64_12.03.exe</Data>
    <Data>12.0.3.0</Data>
    <Data>5fbbe1ab</Data>
    <Data>KERNELBASE.dll</Data>
    <Data>6.1.7601.24545</Data>
    <Data>5e0eb6bd</Data>
    <Data>c0000005</Data>
    <Data>000000000000c4d2</Data>
    <Data>6bc</Data>
    <Data>01d6c70475c65a43</Data>
    <Data>C:\Windows\Sysmon64_12.03.exe</Data>
    <Data>C:\Windows\system32\KERNELBASE.dll</Data>
    <Data>b8c26047-32f7-11eb-ac4b-08002796838c</Data>
  </EventData>
</Event>

Our workaround is to completely remove rules related to the FileDelete event at the moment, but this is an unsatisfactory solution.
Many thanks in advance for your help.

windows-sysinternals-sysmon
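The Application Error record quoted in the question is a standard Windows Error Reporting crash event (provider "Application Error", Event ID 1000), whose EventData fields are positional. As an added example (not code from the question or from Sysinternals), the following script parses such events, keeps only those where the faulting application is a Sysmon binary, and produces a one-line summary with the faulting module, exception code and offset, so a Sysmon crash like the one above can be picked out of exported Application-log XML. The field order is the usual Event 1000 layout; the sample events are constructed copies of the one in the question plus an unrelated crash for contrast.

```python
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML (as in the event quoted above).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Positional layout of <EventData> for "Application Error" Event ID 1000.
FIELDS = [
    "app", "app_version", "app_timestamp",
    "module", "module_version", "module_timestamp",
    "exception_code", "fault_offset", "pid_hex", "start_time",
    "app_path", "module_path", "report_id",
]


def parse_app_error(xml_text):
    """Return a dict for an Application Error 1000 event, or None for anything else."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    provider = system.find("e:Provider", NS).get("Name")
    event_id = int(system.find("e:EventID", NS).text)
    if provider != "Application Error" or event_id != 1000:
        return None
    values = [d.text or "" for d in root.find("e:EventData", NS).findall("e:Data", NS)]
    record = dict(zip(FIELDS, values))
    record["computer"] = system.find("e:Computer", NS).text
    record["time"] = system.find("e:TimeCreated", NS).get("SystemTime")
    return record


def is_sysmon_crash(record):
    """Sysmon's service binary name starts with 'Sysmon' (Sysmon.exe, Sysmon64.exe,
    or a renamed copy such as Sysmon64_12.03.exe in the report above)."""
    return record is not None and record["app"].lower().startswith("sysmon")


def summarize(record):
    return (f"{record['time']} {record['computer']}: {record['app']} {record['app_version']} "
            f"crashed in {record['module']} {record['module_version']} "
            f"(exception {record['exception_code']} at offset {record['fault_offset']}, "
            f"pid 0x{record['pid_hex']})")


def sysmon_crashes(xml_events):
    """Filter a batch of event XML strings down to Sysmon crash summaries."""
    out = []
    for text in xml_events:
        rec = parse_app_error(text)
        if is_sysmon_crash(rec):
            out.append(summarize(rec))
    return out


# Constructed sample: the event from the question above (cleaned of viewer markup).
SYSMON_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <TimeCreated SystemTime="2020-11-30T10:35:11.000000000Z" />
    <Channel>Application</Channel>
    <Computer>WIN-0I5EAUBRCFP</Computer>
  </System>
  <EventData>
    <Data>Sysmon64_12.03.exe</Data><Data>12.0.3.0</Data><Data>5fbbe1ab</Data>
    <Data>KERNELBASE.dll</Data><Data>6.1.7601.24545</Data><Data>5e0eb6bd</Data>
    <Data>c0000005</Data><Data>000000000000c4d2</Data><Data>6bc</Data>
    <Data>01d6c70475c65a43</Data>
    <Data>C:\Windows\Sysmon64_12.03.exe</Data>
    <Data>C:\Windows\system32\KERNELBASE.dll</Data>
    <Data>b8c26047-32f7-11eb-ac4b-08002796838c</Data>
  </EventData>
</Event>"""

# Constructed sample: an unrelated application crash that must be filtered out.
OTHER_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <TimeCreated SystemTime="2020-11-30T10:40:00.000000000Z" />
    <Channel>Application</Channel>
    <Computer>WIN-0I5EAUBRCFP</Computer>
  </System>
  <EventData>
    <Data>notepad.exe</Data><Data>6.1.7600.16385</Data><Data>4a5bc9b3</Data>
    <Data>ntdll.dll</Data><Data>6.1.7601.24545</Data><Data>5e0eb6bd</Data>
    <Data>c0000374</Data><Data>00000000000c4102</Data><Data>9f0</Data>
    <Data>01d6c7050000000</Data><Data>C:\Windows\system32\notepad.exe</Data>
    <Data>C:\Windows\system32\ntdll.dll</Data>
    <Data>00000000-0000-0000-0000-000000000000</Data>
  </EventData>
</Event>"""

if __name__ == "__main__":
    for line in sysmon_crashes([SYSMON_EVENT, OTHER_EVENT]):
        print(line)
```

Feed it the XML of exported Application-log events (for example, saved from Event Viewer) and it returns only the Sysmon crash lines, which is enough to alert on the destabilisation the question describes before anyone has to reboot into safe mode.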

Hi @M3lon

Despite knowledge that Windows Server 2008 R2 went end of life on 1/14/2020, out of curiosity, I went ahead and provisioned a VM to see if I could reproduce the problem.

With a fully patched server and sysmon v12.3 running default configurations, everything seems fine. However, after importing a sysmon configuration having only FileDelete enabled (exclude nothing), sysmon crashes on configuration list (sysmon -c) and the platform destabilizes with sysmon commands thereafter, even across reboots.

Given that this happens on a virtual machine, I imagine it impacts all Windows Server 2008 R2 instances equally. In fact, the problem exists on Windows 7 too.

Thanks for bringing this issue to the attention of others so that we know to avoid deploying a config having the FileDelete event type enabled to any remaining end-of-life hosts.

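Both the question's workaround (drop the FileDelete rules) and the comment above (do not push a FileDelete config to the affected hosts) can be enforced before a config is deployed. As an added example, written for this page and not part of Sysmon or of either poster's tooling, the script below lists the event types a Sysmon configuration enables, refuses a deployment of FileDelete rules to an NT 6.1 host (Windows 7 / Server 2008 R2, the versions the thread reports as affected; that mapping is taken from the thread, not from Sysmon documentation), and produces a sanitized copy with the FileDelete rules removed for those hosts. The NT version string is assumed to be supplied by the caller (for example from `systeminfo` or WMI); the sample config is the one from the question.

```python
import xml.etree.ElementTree as ET

# NT versions reported in this thread as crashing on FileDelete rules
# (6.1 = Windows 7 / Windows Server 2008 R2). Assumption drawn from the thread.
AFFECTED_NT_VERSIONS = ("6.1",)
RISKY_EVENT_TYPES = ("FileDelete",)


def _rules(root):
    """Yield (parent, rule) pairs for every event-type rule under <EventFiltering>,
    whether it sits directly there or inside a <RuleGroup>."""
    ef = root.find("EventFiltering")
    if ef is None:
        return
    for child in ef:
        if child.tag == "RuleGroup":
            for rule in child:
                yield child, rule
        else:
            yield ef, child


def enabled_event_types(config_xml):
    """Sorted list of event-type tags (ProcessCreate, FileDelete, ...) with rules."""
    root = ET.fromstring(config_xml)
    return sorted({rule.tag for _, rule in _rules(root)})


def check_deployment(config_xml, nt_version):
    """Return a list of warnings; empty means the config is safe to push to this host."""
    warnings = []
    major_minor = ".".join(nt_version.split(".")[:2])
    if major_minor in AFFECTED_NT_VERSIONS:
        for tag in enabled_event_types(config_xml):
            if tag in RISKY_EVENT_TYPES:
                warnings.append(
                    f"{tag} rules present but host runs NT {nt_version}, "
                    f"which this thread reports as crashing Sysmon; do not deploy")
    return warnings


def strip_event_type(config_xml, event_type):
    """Return a copy of the config with every rule block of event_type removed
    (the workaround from the question), dropping any RuleGroup left empty."""
    root = ET.fromstring(config_xml)
    for parent, rule in list(_rules(root)):
        if rule.tag == event_type:
            parent.remove(rule)
    ef = root.find("EventFiltering")
    if ef is not None:
        for group in list(ef):
            if group.tag == "RuleGroup" and len(group) == 0:
                ef.remove(group)
    return ET.tostring(root, encoding="unicode")


# Constructed sample: the configuration from the question above.
SAMPLE_CONFIG = r"""<Sysmon schemaversion="4.40">
  <EventFiltering>
    <!-- Event ID 22 == FileDelete. -->
    <RuleGroup name="" groupRelation="or">
      <FileDelete onmatch="include">
        <TargetFilename condition="is">C:\Windows\temp\DELETEME.txt</TargetFilename>
      </FileDelete>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""

if __name__ == "__main__":
    print("enabled:", enabled_event_types(SAMPLE_CONFIG))
    for w in check_deployment(SAMPLE_CONFIG, "6.1.7601"):
        print("WARNING:", w)
    print(strip_event_type(SAMPLE_CONFIG, "FileDelete"))
```

In a deployment pipeline the check runs once per target host; hosts that fail it get the stripped config instead, which keeps every other event type in place rather than dropping Sysmon monitoring from the end-of-life machines entirely.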

1 Answer

M3lon answered:

The issue seems to be fixed with the 13.02 release.
