Return
-
Title
Change Auditor Agent stopping after starting or running but not recording events -
Description
The Change Auditor Agent is running but is not recording events such as Active Directory or Windows File System events.
The following errors are recorded in the ChangeAuditor Agent log files:2015-04-01 12:32:21.297 [1304][ERROR][CFileSystemSink::UpdateConfiguration(221)] Plug-in filter config result: 12015-04-01 12:32:21.328 [1304][ERROR][CFileSystemSink::UpdateConfiguration(246)] Plug-in protection config result: 12015-04-01 12:32:30.018 [1304][WARN][CServerControlHandler::TriggerHooking(146)] LDAP control hooking failed: 0x00000022In addition, the ChangeAuditor agent service may fail start. The following may be recorded in the ChangeAuditor agent logs:
2015-04-07 14:51:48.484 [6592][ERROR][CLsaHook::Inject(276)] Support Dll initialization error (NetProLib::Injection::ScopedVirtualAllocEx::Allocate - Access is denied.) on C:\Program Files\Dell\ChangeAuditor\Agent\CASupport.dll2015-04-07 14:51:48.484 [2908][ERROR][CSamEventSink::WorkerMain(953)] ChangeAuditor utility dll failed to install2015-04-07 14:51:48.593 [6100][WARN][TrogdorLib::Common::CTrogdorService::StartImpl(182)] Error initializing sub-system {SAM Event Sink (27)}.2015-04-07 14:51:48.593 [6100][ERROR][CMonitorService::OnStartFailed(506)] Failed to initialize some threads and sub-systems. -
Cause
Antivirus software, such as ESET Endpoint Antivirus, is preventing the ChangeAuditor agent from loading required modules. -
Resolution
Uninstall the Antivirus from a test server to verify if the Antivirus is the cause of the issue and then implement the Antivirus exceptions in the following article:
ESET File Security has a Self-Defense Protocol that will stop any service that attempts to scan it. When the Change Auditor tries to start, ESET notices this and immediately terminates the Service.
In ESET File Security's Advanced Setup, disable HIPS and reboot the DC as a workaround to allow Change Auditor agent to load all required components.If the issue persists, engage the Antivirus support for the proper Antivirus exceptions.The following instructions are meant as a general guide and intended as an aid to resolution. Steps may differ based on the version of ESET.Use the ESET RSAT or the agent on a particular computer:Select Admin--> PoliciesSelect New PolicyBasic-->NamePolicy Allow QuestChangeAuditor Policyselect SettingsClick on ESET File Security for Windows Server (v6+)Select AntiVirus--> HIPSUnder Rules, select EditClick on Add to create a new ruleNameRule QuestChangeAuditorAction AllowSelect Allow Files, Applications, Registry EntriesKeepRule EnabledSet Logging to noneSet Notify user to blankClick on Add for Source ApplicationPaste in the file path from the Windows service Quest Change Auditor Agentwith this path: C:\ProgramFiles\Quest\ChangeAuditor\Agent\NPSrvHost.exeClick OK and NextSelect All File Operationsselect Next and NextSelect All Application Operationsselect Next and NextSelect All Registry Operationsselect NextFINThen apply this policy to groups/servers of your clients On their next check-in it will be applied.