
Change Auditor Product Notification

Informational

The following product notification applies to all currently supported versions of Change Auditor (7.0.x through 7.2). The issue described impacts auditing on domain controllers and member servers.

How does this affect me?

Change Auditor agents will stop auditing events after Microsoft introduces an upcoming change in Microsoft Defender’s default settings intended to block hackers' attempts to steal Windows credentials from the LSASS process. This will prevent the Change Auditor agent from accessing the LSASS process and will cause auditing to stop. Server agents deployed to domain controllers and member servers are impacted by this change. It does not affect workstation agents. After the update has been made by Microsoft, the Change Auditor agent will be impacted on agent restart.

For Change Auditor agent versions prior to 7.0.4: On agent restart, the agent may still connect to the coordinator and continue to run. However, it will lose the ability to integrate with the LSASS process and will no longer audit events that require this integration. Auditing of Active Directory, Active Directory queries, Group Policy, file system, logon activity, and local users and groups will stop; auditing of all other events will continue.

For Change Auditor agent versions 7.0.4 and later: On agent restart, the agent will recognize that it is unable to integrate with the LSASS process and will immediately shut down, and all event auditing will stop.

Background

To prevent threat actors from abusing LSASS memory dumps, Microsoft has security features that prevent access to the LSASS process. One of these security features is Credential Guard, which isolates the LSASS process in a virtualized container that prevents other processes from accessing it. This feature can lead to conflicts with drivers or applications, such as the Change Auditor agent.

As a way to mitigate Windows credential theft without causing the conflicts introduced by Credential Guard, Microsoft will soon be enabling a Microsoft Defender Attack Surface Reduction (ASR) rule by default. The rule, 'Block credential stealing from the Windows local security authority subsystem', prevents processes from opening the LSASS process and dumping its memory, even if the process has administrative privileges.

You can read more about this setting in this article: Block credential stealing from the Windows local security authority subsystem

Workaround

You can choose to add an exception to the Attack Surface Reduction rule, which would allow the agent to access the LSASS process, or alternatively, you can disable the Attack Surface Reduction rule entirely.

Follow the steps outlined in the resolution section of this KB article: Change Auditor does not capture AD events, or the agent fails to start, after applying the Windows Security Baseline or enabling the Attack Surface Reduction Rule
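The following PowerShell is an added example, not Quest's code and not taken from the linked KB article. It shows how an administrator can confirm on a given domain controller or member server that the LSASS ASR rule is what is stopping the agent, and then apply the narrower of the two workarounds above (an ASR exclusion scoped to the agent binary) rather than disabling the rule host-wide. The rule GUID is Microsoft's documented ID for 'Block credential stealing from the Windows local security authority subsystem'; the agent executable path is a placeholder, because this notification does not state it.

```powershell
# Added example (not Quest's code). Run in an elevated PowerShell session on the
# server where the Change Auditor agent runs. Requires Microsoft Defender Antivirus.

# Microsoft's rule ID for "Block credential stealing from the Windows local
# security authority subsystem".
$LsassRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'

# ASSUMPTION / PLACEHOLDER: full path of the Change Auditor agent service binary.
# The notification does not give it; take it from the agent service's "Path to
# executable" on your server.
$AgentExe = 'C:\PLACEHOLDER\ChangeAuditor\AgentService.exe'

# 1. Current state of the rule on this host.
#    Action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$pref  = Get-MpPreference
$ids   = @($pref.AttackSurfaceReductionRules_Ids)        # @() guards a $null list
$index = [array]::IndexOf($ids, $LsassRuleId)
$state = if ($index -ge 0) { $pref.AttackSurfaceReductionRules_Actions[$index] }
         else              { 'not configured (Defender default applies)' }
"LSASS ASR rule state on $env:COMPUTERNAME : $state"

# 2. Has the rule fired against the agent?  Defender writes event 1121 when an ASR
#    rule blocks and 1122 when it would have blocked in audit mode; both carry the
#    rule ID and the offending process path in the message.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1121, 1122
    } -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Message -match $LsassRuleId -and
        $_.Message -match [regex]::Escape($AgentExe)
    } |
    Select-Object -First 5 TimeCreated, Id, Message

# 3. Narrow workaround: exclude only the agent binary from ASR rules. Every other
#    process that tries to open LSASS is still blocked, and any exclusions already
#    configured are kept (Add-MpPreference appends, it does not overwrite).
Add-MpPreference -AttackSurfaceReductionOnlyExclusions $AgentExe

# 4. Show the resulting exclusion list so the change can be recorded.
(Get-MpPreference).AttackSurfaceReductionOnlyExclusions

# Broad workaround the notification also mentions: disabling the rule for the whole
# host. This removes the LSASS credential-theft protection for every process, so use
# it only if the exclusion above does not restore auditing.
# Set-MpPreference -AttackSurfaceReductionRules_Ids $LsassRuleId `
#                  -AttackSurfaceReductionRules_Actions Disabled
```

Note that an entry in AttackSurfaceReductionOnlyExclusions exempts the binary from all ASR rules on that host, not just the LSASS rule, so keep the path specific to the agent executable and restart the agent afterwards, since the notification states the agent only detects the loss of LSASS integration on restart. If Defender settings are managed centrally (Group Policy, Intune, or Configuration Manager), the local change will be overwritten at the next policy refresh and the exclusion must be made in that policy instead.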

We apologize for the inconvenience this issue may have caused and look forward to assisting you in the future.