When the Change Auditor Agent service starts, it injects itself into critical processes such as LSASS.exe to capture events as they occur.
Similar behavior has been reported with certain anti-malware products that alert when third-party software loads PE files (DLLs) into memory.
Some customers were able to resolve this alert by changing the Change Auditor Agent service startup type from Automatic to Automatic (Delayed Start).
It should be possible to whitelist the Change Auditor support files, but please contact Microsoft Support for instructions.
List of files to be excluded:
C:\Program Files\Common Files\Quest\Detoured.dll
C:\Program Files\Common Files\Quest\NPDTWrap.dll
C:\Program Files\Quest\ChangeAuditor\Agent\NPSrvHost.exe
C:\Program Files\Quest\ChangeAuditor\Agent\DNSS\CADnsSup.dll
C:\Program Files\Quest\ChangeAuditor\Agent\CASupport.dll
C:\Program Files\Quest\ChangeAuditor\Agent\Plug-in for Active Directory\CAADEventMsg.dll
C:\Program Files\Quest\ChangeAuditor\Agent\Plug-in for Active Directory\CAADFlt.sys
C:\Program Files\Quest\ChangeAuditor\Agent\Plug-in for Active Directory\CAADHook.dll
C:\Program Files\Quest\ChangeAuditor\Agent\Plug-in for Active Directory\CAADMain.dll
C:\Program Files\Quest\ChangeAuditor\Agent\Plug-in for Active Directory\CAADPerfCount.dll
C:\Program Files\Quest\ChangeAuditor\Agent\Plug-in for Active Directory\CAADService.dll
C:\Program Files\Quest\ChangeAuditor\Agent\Plug-in for Active Directory\FSLogonMonitor.dll
C:\Program Files\Quest\ChangeAuditor\Agent\Plug-in for Windows File Servers\FSEventMsg.dll
C:\Program Files\Quest\ChangeAuditor\Agent\Plug-in for Windows File Servers\FSLogonMonitor.dll
C:\Program Files\Quest\ChangeAuditor\Agent\Plug-in for Windows File Servers\FSPerfCount.dll
C:\Program Files\Quest\ChangeAuditor\Agent\Plug-in for Windows File Servers\FSServiceMonitor.dll
C:\Program Files\Quest\ChangeAuditor\Agent\Plug-in for Windows File Servers\FSService.dll
C:\Program Files\Quest\ChangeAuditor\Agent\Plug-in for Windows File Servers\Driver\FSDriver.sys
C:\Program Files\Quest\ChangeAuditor\Agent\SCM\ServicesHook.dll
C:\Program Files\Quest\ChangeAuditor\Agent\Plug-in for ADAM\CAADEventMsg.dll
C:\Program Files\Quest\ChangeAuditor\Agent\Plug-in for ADAM\CAADADAMHook.dll
C:\Program Files\Quest\ChangeAuditor\Agent\Plug-in for ADAM\CAADAMMain.exe
C:\Program Files\Quest\ChangeAuditor\Agent\Plug-in for ADAM\CAADADAMPerfCount.dll
C:\Program Files\Quest\ChangeAuditor\Agent\Plug-in for ADAM\CAADAMService.exe
C:\Program Files\Quest\ChangeAuditor\Agent\Plug-in for ADAM\dbghelp.dll
C:\Program Files\Quest\ChangeAuditor\Agent\dbghelp.dll
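
An added example, not part of the original article or of Quest's own tooling: a read-only PowerShell check that reports, for each path in the list above, whether the file is present and what its Authenticode signature status and signer are, so the list can be reviewed before any exclusion is applied. It assumes the default installation paths shown above; which signer to expect is for the operator to confirm with the vendor.

```powershell
# Added example: audit the exclusion list before whitelisting it.
# Read-only; paths are copied from the list above (default install location assumed).
$paths = @'
C:\Program Files\Common Files\Quest\Detoured.dll
C:\Program Files\Common Files\Quest\NPDTWrap.dll
C:\Program Files\Quest\ChangeAuditor\Agent\NPSrvHost.exe
C:\Program Files\Quest\ChangeAuditor\Agent\DNSS\CADnsSup.dll
C:\Program Files\Quest\ChangeAuditor\Agent\CASupport.dll
C:\Program Files\Quest\ChangeAuditor\Agent\Plug-in for Active Directory\CAADEventMsg.dll
C:\Program Files\Quest\ChangeAuditor\Agent\Plug-in for Active Directory\CAADFlt.sys
C:\Program Files\Quest\ChangeAuditor\Agent\Plug-in for Active Directory\CAADHook.dll
C:\Program Files\Quest\ChangeAuditor\Agent\Plug-in for Active Directory\CAADMain.dll
C:\Program Files\Quest\ChangeAuditor\Agent\Plug-in for Active Directory\CAADPerfCount.dll
C:\Program Files\Quest\ChangeAuditor\Agent\Plug-in for Active Directory\CAADService.dll
C:\Program Files\Quest\ChangeAuditor\Agent\Plug-in for Active Directory\FSLogonMonitor.dll
C:\Program Files\Quest\ChangeAuditor\Agent\Plug-in for Windows File Servers\FSEventMsg.dll
C:\Program Files\Quest\ChangeAuditor\Agent\Plug-in for Windows File Servers\FSLogonMonitor.dll
C:\Program Files\Quest\ChangeAuditor\Agent\Plug-in for Windows File Servers\FSPerfCount.dll
C:\Program Files\Quest\ChangeAuditor\Agent\Plug-in for Windows File Servers\FSServiceMonitor.dll
C:\Program Files\Quest\ChangeAuditor\Agent\Plug-in for Windows File Servers\FSService.dll
C:\Program Files\Quest\ChangeAuditor\Agent\Plug-in for Windows File Servers\Driver\FSDriver.sys
C:\Program Files\Quest\ChangeAuditor\Agent\SCM\ServicesHook.dll
C:\Program Files\Quest\ChangeAuditor\Agent\Plug-in for ADAM\CAADEventMsg.dll
C:\Program Files\Quest\ChangeAuditor\Agent\Plug-in for ADAM\CAADADAMHook.dll
C:\Program Files\Quest\ChangeAuditor\Agent\Plug-in for ADAM\CAADAMMain.exe
C:\Program Files\Quest\ChangeAuditor\Agent\Plug-in for ADAM\CAADADAMPerfCount.dll
C:\Program Files\Quest\ChangeAuditor\Agent\Plug-in for ADAM\CAADAMService.exe
C:\Program Files\Quest\ChangeAuditor\Agent\Plug-in for ADAM\dbghelp.dll
C:\Program Files\Quest\ChangeAuditor\Agent\dbghelp.dll
'@ -split "`r?`n" | Where-Object { $_.Trim() }

$report = foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p)) {
        # Plug-ins that are not installed on this host are simply absent.
        [pscustomobject]@{ Path = $p; Present = $false; Signature = 'n/a'; Signer = '' }
        continue
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $p
    [pscustomobject]@{
        Path      = $p
        Present   = $true
        Signature = $sig.Status                     # Valid, NotSigned, HashMismatch, ...
        Signer    = $sig.SignerCertificate.Subject  # empty when the file is unsigned
    }
}
$report | Format-Table -AutoSize -Wrap
# Files that are present but whose signature is not 'Valid' need review before exclusion.
$report | Where-Object { $_.Present -and $_.Signature -ne 'Valid' } | Format-List
```

Path-based exclusions trust whatever file sits at that location, so rerun the check after agent upgrades and restrict write access to these directories to administrators.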