-
Title
Dirsync Password Sync isn’t working when Windows Defender is installed, error: "VirtualAllocEx failed: 5" -
Description
Clients with Windows Defender installed on their Windows Servers running Quest Active Directory Password Sync (Copy) that utilizes LSASS may stop operating without warning.
The following error may be found in the Directory Sync Pro profile logs:
VirtualAllocEx failed: 5
The following error may appear in the Domain Controller Windows Event Log under “Applications and Service Logs\Microsoft\Windows\Windows Defender” path in the event viewer:Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.For more information please contact your IT administrator.ID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2Detection time: 2022-03-08T16:57:03.732ZUser: NT AUTHORITY\SYSTEMPath: C:\Windows\System32\lsass.exeProcess Name: C:\Windows\BTPass\x64\BTPassSvc.exeTarget Commandline:Parent Commandline: C:\Windows\BTPass\x64\BTPassSvc.exeInvolved File:Inheritance Flags: 0x00000000Security intelligence Version: 1.359.1530.0Engine Version: 1.1.18900.3Product Version: 4.18.2201.10 -
Cause
Microsoft is enabling a Microsoft Defender 'Attack Surface Reduction' security rule by default to block hackers' attempts to steal Windows credentials from the LSASS process.
-
Resolution
Exclusions must be performed on the DC and Dirsync Agent server
Customer must exclude files and folders from being evaluated by most attack surface reduction rules. This means even if an ASR rule determines the file or folder contains malicious behavior, it will not block the file from running.
You can also exclude ASR rules from triggering based on certificate and file hashes by allowing specified Defender for Endpoint file and certificate indicators. (See Manage indicators.)
For more information, please see Microsoft’s documentation, Enable attack surface reduction rules | Microsoft Docs.