MS Windows Security can prohibit the OSSEC agent


lapin noel
Jan 29, 2021, 6:39:26 AM
to ossec-list
I'm afraid the same information has already been posted, but I couldn't find it in a short search, so I'm posting here.

When MS Windows Security/Defender (MSWS) validates heap integrity, the agent crashes.
And when MSWS does not validate, the agent runs without an error.

The agent is run as admin.

The MSWS settings are the following.
In "App & browser control", in "Exploit protection settings", the "System settings" are all set as "On by default".
The "System settings" are: Control flow, Data Execution, Force randomization, Randomize memory, High-entropy, Validate exception, Validate heap.
In "Program settings", one program is added to customize.
The only customized program is C:/Program Files (x86)/ossec-agent/win32ui.exe.
By "Edit", many settings can be selected by square checkboxes.
Only one check box is selected: "Validate heap integrity".
The default system settings are "On" by the "System settings" stated above.

When the slide button is left-side "Off", win32ui.exe runs without an error.
The normal agent window appears.

When the slide button is right-side "On", win32ui.exe crashes.
MS Diagnostic Data Viewer reports as follows.
(---
win32ui.exe

Description
Faulting Application Path: C:\Program Files (x86)\ossec-agent\win32ui.exe
Creation Time: 1/29/2021 5:20:39 PM
Problem: Stopped working
Status: Report sent

Problem signature
Problem Event Name: APPCRASH
Application Name: win32ui.exe
Application Version: 0.0.0.0
Application Timestamp: 5e6e6eec
Fault Module Name: StackHash_cee3
Fault Module Version: 10.0.19041.662
Fault Module Timestamp: 5f641e44
Exception Code: c0000374
Exception Offset: PCH_A5_FROM_ntdll+0x00071BDC

Extra information about the problem
Bucket ID: e0bfa8051f9ebad1ac54b45abee71e8d (2041454832948551309)
---)

Windows 10 Home, version 20H2, build 19042.746
ossec-agent-win32-3.6.0-12032.exe 1,604,775 bytes
win32ui.exe 171,709 bytes
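The post above records the Exploit Protection state through the Windows Security GUI and the crash through Diagnostic Data Viewer. As an added example (not code from the thread or from the OSSEC project), the PowerShell below reads the same two things from the command line: the per-program heap mitigation for win32ui.exe (the GUI's "Validate heap integrity" is the TerminateOnError heap mitigation in the ProcessMitigations cmdlets) and the Application Error event 1000 records for that binary, extracting the exception code. Exception code 0xc0000374 is STATUS_HEAP_CORRUPTION, which is what the heap validator raises when it aborts a process. It assumes an elevated PowerShell on the affected machine and the executable name from the original post.

```powershell
# Added example, not from the thread: inspect the per-program Exploit Protection
# setting and pull matching crash records from the Application event log.
# Assumptions: elevated PowerShell on the affected Windows 10 machine;
# the executable name is the one given in the original post.

$exe = 'win32ui.exe'

# 1. System-wide defaults ("System settings" in the Windows Security GUI).
Get-ProcessMitigation -System | Select-Object -ExpandProperty Heap

# 2. Per-program override for the OSSEC agent GUI.
#    Heap.TerminateOnError = ON means "Validate heap integrity" is forced on for this binary.
$m = Get-ProcessMitigation -Name $exe
$m.Heap

# 3. Crash records: Application Error event 1000 for this binary, with exception code
#    and faulting module parsed out of the message text.
#    0xc0000374 is STATUS_HEAP_CORRUPTION, i.e. the heap validator terminated the process.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($exe) } |
    ForEach-Object {
        [pscustomobject]@{
            Time          = $_.TimeCreated
            ExceptionCode = if ($_.Message -match 'Exception code: (0x[0-9a-fA-F]+)') { $Matches[1] } else { 'n/a' }
            Module        = if ($_.Message -match 'Faulting module name: ([^,]+)') { $Matches[1] } else { 'n/a' }
        }
    } | Format-Table -AutoSize

# 4. To reproduce the correlation the post describes, toggle only this one mitigation
#    for this one program (system defaults stay untouched) and relaunch the agent UI:
#    Set-ProcessMitigation -Name $exe -Disable TerminateOnError   # GUI slider "Off"
#    Set-ProcessMitigation -Name $exe -Enable  TerminateOnError   # GUI slider "On"
```

Step 3 is the useful part for anyone triaging the same report: a 0xc0000374 in ntdll under a per-program heap mitigation points at heap corruption in the application itself that the validator is surfacing, rather than at a bug in Windows Security, so the fix belongs in the binary, not in the mitigation setting.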

dan (ddp)
Jan 29, 2021, 10:46:08 AM
to ossec...@googlegroups.com
Hi!
I've seen similar crashes, but don't have a reliable Windows machine
to try and debug them (and I don't know how to do that on Windows).
It's just been the GUI interface that didn't work for me, though; the
agent itself ran if I configured it manually.
Dan
