-
Titre
Change Auditor does not capture AD events, or the agent fails to start, after applying the Windows Security Baseline or enabling the Attack Surface Reduction Rule -
Description
After applying a Windows Security Baseline to the Domain Controllers, or after enabling the Attack Surface Reduction Rule, "Block credential stealing from the Windows local security authority subsystem", GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2, Change Auditor no longer audits AD events and in agents 7.0.4 and later, the agent will fail to start. This will also impact agents installed on member servers resulting in the agent failing to start.
An error similar to the following is logged in the ChangeAuditor.AgentLog.nptlog:
[WARN][CServerControlHandler::TriggerHooking(154)] LDAP control hooking failed: 0x00000022
Or
[WARN][TrogdorLib::Common::CTrogdorService::StartImpl(187)] Error initializing sub-system SonicWALL Auditor (71).
[ERROR][CMonitorService::OnStartFailed(521)] Failed to initialize some threads and sub-systems.An error similar to the following may be logged in the CAADMain.dll.nptlog:[ERROR][itad2hook::DuplexHolderImpl::InitializeIPC(230)] Error starting pipe client. Unable to open pipe
An error similar to the following is logged in the CAADService.dll.nptlog[ERROR]start service failed due to exception:GetProcessIdByName(L"lsass.exe")
Connexion requise
Vous devez être connecté et disposer d'un contrat de maintenance en cours pour afficher les articles de la base de connaissances avancés.