Windows agent disconnect after application crash


Mohamed ZAGHOUANI

Apr 27, 2022, 9:39:14 AM
to Wazuh mailing list
Hello wazuh community,

I have recently installed the Wazuh agent (v4.2.5) on a Windows Server 2008 and I run it using a configuration from another Windows agent (which works normally), but I was surprised that the agent disconnects automatically without any entries in the log file, and I found that the service had gone down (on the agent). Then I found in the Application event channel these two events, after which the 'ossec agent disconnected' alert appears:

"Nom de l’application défaillante wazuh-agent.exe, version : 0.0.0.0, horodatage : 0x618ec557 Nom du module défaillant : msvcrt.dll, version : 7.0.7601.17744, horodatage : 0x4eeaf722 Code d’exception : 0xc0000005 Décalage d’erreur : 0x000143df ID du processus défaillant : 0x17a0 Heure de début de l’application défaillante : 0x01d859485690fe16 Chemin d’accès de l’application défaillante : C:\Program Files (x86)\ossec-agent\wazuh-agent.exe Chemin d’accès du module défaillant: C:\Windows\syswow64\msvcrt.dll ID de rapport : 029e2b7e-c544-11ec-8396-f8b1569c6b0b"

"Récipient d’erreurs , type 0 Nom d’événement : APPCRASH Réponse : Non disponible ID de CAB : 0 Signature du problème : P1 : wazuh-agent.exe P2 : 0.0.0.0 P3 : 618ec557 P4 : msvcrt.dll P5 : 7.0.7601.17744 P6 : 4eeaf722 P7 : c0000005 P8 : 000143df P9 : P10 : Fichiers joints : Ces fichiers sont peut-être disponibles ici : C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_wazuh-agent.exe_3a1046faf4c9132145964204b435a941e2bd6c3_0e3155a9 Symbole d’analyse : Nouvelle recherche de la solution : 0 ID de rapport : 029e2b7e-c544-11ec-8396-f8b1569c6b0b Statut du rapport : 4"

These events mention that the agent application has crashed due to the 'msvcrt.dll' file, which is affected.

I searched the group for any case posing the same issue, and I found that it may be caused by the FIM module in older versions (large monitored directories or a synchronization module issue), so I initially tried disabling the FIM module, but I got the same problem.

Would you please help me understand and resolve the issue? I would be ready to provide any further information.

Regards,

Zaghouani Mohamed

Jose Luis Carreras Marin

Apr 27, 2022, 11:28:44 AM
to Wazuh mailing list
Hello Mohamed ZAGHOUANI,

This problem could be related to the centralized configuration (see the docs). If this is your case, the problem is reported in this issue:
#10234

It seems that some FIM configuration values were not being initialized. The patch is already implemented and will be released in the next version, Wazuh 4.3.

I hope I have helped; please let me know if you have any comments and I will be happy to help you.
Regards

Mohamed ZAGHOUANI

Apr 28, 2022, 4:22:50 AM
to Wazuh mailing list
Hello Jose,

Unfortunately, that's not the case, because all the agent's configs are local, and as I said I disabled the FIM module (locally) and the problem remained.

Jose Luis Carreras Marin

Apr 28, 2022, 6:17:39 AM
to Wazuh mailing list
Hello Mohamed ZAGHOUANI,

I see, so have you made sure that there is no configuration in the agent.conf file on the manager? The centralized configuration feature makes this agent.conf file overwrite the configuration in the ossec.conf of the agents themselves.

If all this has been checked, then the next step is to check the configuration you have used. Could you show me the agent configuration file, ossec.conf? This way I will see if I can reproduce it and draw some conclusion, or even open an issue if there is no related one. Also, you mention that there are other agents that do work correctly with the same configuration; what is different about those agents? Any information you find relevant for trying to reproduce the error will be great for me.

Thank you very much, greetings!

Mohamed ZAGHOUANI

Apr 28, 2022, 9:06:27 AM
to Wazuh mailing list
Hello Jose,

These are the config files of the agent. As far as I know, if there's no config in agent.conf there's no overwrite of the local config file.
It's the first time that I have installed the Wazuh agent on Windows Server 2008 R2 (I already installed it on Windows 7, 10, Server 2016 and 2019, and it works normally).

Regards.
agent.conf
ossec.conf

Jose Luis Carreras Marin

Apr 29, 2022, 6:35:30 AM
to Wazuh mailing list
Hello Mohamed,

I can't find a way to reproduce your error with Windows 2008 and version 4.2.5, using your same configuration. So there must be something we are missing.
Could you activate the debug mode of the agent and check the log file?
To do so:
  • Go to the internal configuration file, C:\Program Files (x86)\ossec-agent\internal_options.conf, and modify the line:
    • windows.debug=0 to windows.debug=2
  • Restart Wazuh agent.
  • Then, show me the log file: C:\Program Files (x86)\ossec-agent\ossec.log
Some relevant information should appear at the moment when the agent crashes. Any extra information would be helpful, thank you!

Regards

Mohamed ZAGHOUANI

May 5, 2022, 5:52:48 AM
to Wazuh mailing list
Hello Jose,

I am sorry for the delay in responding to your last message, but I was taking my time doing some troubleshooting in order to feed you some valuable information.

Before you posted your last message, I decided to detect which Wazuh module is causing the problem, so I disabled all of them and started activating them one by one, and finally I realized that the responsible module is 'syscollector', because the crash occurred after activating it, and specifically at the moment when the syscollector scan started (not after the initial scan, which occurs after restarting the agent). Here is the log from the agent (I forgot to activate the debug level):

1) After activating the syscollector module and restarting the agent:

2022/05/04 10:44:34 wazuh-agent: INFO: Received exit signal.
2022/05/04 10:44:34 wazuh-agent: INFO: Set pending exit signal.
2022/05/04 10:44:34 wazuh-modulesd:syscollector: INFO: Stop received for Syscollector.
2022/05/04 10:44:34 wazuh-agent: INFO: Exiting...
2022/05/04 10:44:34 wazuh-agent: INFO: Using notify time: 10 and max time to reconnect: 60
2022/05/04 10:44:34 wazuh-agent: INFO: (1410): Reading authentication keys file.
2022/05/04 10:44:34 wazuh-agent: INFO: (1350): Active response disabled.
2022/05/04 10:44:34 wazuh-agent: INFO: Using AES as encryption method.
2022/05/04 10:44:34 wazuh-agent: INFO: Trying to connect to server (x.x.x.x:1514/tcp).
2022/05/04 10:44:34 wazuh-agent: INFO: (6001): File integrity monitoring disabled.
2022/05/04 10:44:34 wazuh-agent: WARNING: The check_winaudit option is deprecated in favor of the SCA module.
2022/05/04 10:44:34 rootcheck: INFO: Started (pid: 11708).
2022/05/04 10:44:34 wazuh-agent: INFO: (4102): Connected to the server (x.x.x.x:1514/tcp).
2022/05/04 10:44:34 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started.
2022/05/04 10:44:34 wazuh-agent: INFO: Windows version is 6.0 or newer. (Microsoft Windows Server 2008 R2 Enterprise Edition (full) Service Pack 1 [Ver: 6.1.7601] - Wazuh v4.2.5).
2022/05/04 10:44:34 wazuh-agent: INFO: (1951): Analyzing event log: 'Application'.
2022/05/04 10:44:34 wazuh-modulesd:osquery: INFO: Module disabled. Exiting...
2022/05/04 10:44:34 wazuh-modulesd:ciscat: INFO: Module disabled. Exiting...
2022/05/04 10:44:34 sca: INFO: Module started.
2022/05/04 10:44:34 wazuh-agent: INFO: (1951): Analyzing event log: 'Security'.
2022/05/04 10:44:34 sca: INFO: Loaded policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\sca_win_audit.yml'
2022/05/04 10:44:34 wazuh-agent: INFO: (1951): Analyzing event log: 'System'.
2022/05/04 10:44:34 sca: INFO: Starting Security Configuration Assessment scan.
2022/05/04 10:44:34 wazuh-agent: INFO: (1950): Analyzing file: 'active-response\active-responses.log'.
2022/05/04 10:44:34 sca: INFO: Starting evaluation of policy: 'C:\Program Files (x86)\ossec-agent\ruleset\sca\sca_win_audit.yml'
2022/05/04 10:44:34 wazuh-agent: INFO: Started (pid: 11708).
2022/05/04 10:44:34 wazuh-modulesd:syscollector: INFO: Module started.
2022/05/04 10:44:34 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2022/05/04 10:44:38 sca: INFO: Evaluation finished for policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\sca_win_audit.yml'
2022/05/04 10:44:38 sca: INFO: Security Configuration Assessment scan finished. Duration: 4 seconds.
2022/05/04 10:44:41 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2022/05/04 10:44:41 rootcheck: INFO: Starting rootcheck scan.
2022/05/04 10:44:46 rootcheck: INFO: Ending rootcheck scan.
2022/05/04 11:44:42 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2022/05/04 11:45:00 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2022/05/04 12:45:02 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2022/05/04 12:45:20 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2022/05/04 13:45:22 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2022/05/04 13:45:42 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2022/05/04 14:45:43 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2022/05/04 14:46:02 wazuh-modulesd:syscollector: INFO: Evaluation finished.

2022/05/04 15:17:32 wazuh-agent: ERROR: Could not get message for (Application)

2) Until now the syscollector scan has been running frequently and there's no crash, so I activated the active response module on the agent (as I said, I had initially disabled all the modules) and again restarted the agent:

2022/05/04 15:31:17 wazuh-agent: INFO: Received exit signal.
2022/05/04 15:31:17 wazuh-agent: INFO: Set pending exit signal.
2022/05/04 15:31:17 wazuh-modulesd:syscollector: INFO: Stop received for Syscollector.
2022/05/04 15:31:17 wazuh-modulesd:syscollector: INFO: Module finished.
2022/05/04 15:31:17 wazuh-agent: INFO: Exiting...
2022/05/04 15:31:17 wazuh-agent: INFO: Using notify time: 10 and max time to reconnect: 60
2022/05/04 15:31:18 wazuh-agent: INFO: (1410): Reading authentication keys file.
2022/05/04 15:31:18 wazuh-agent: INFO: Started (pid: 10216).
2022/05/04 15:31:18 wazuh-agent: INFO: Using AES as encryption method.
2022/05/04 15:31:18 wazuh-agent: INFO: Trying to connect to server (x.x.x.x:1514/tcp).
2022/05/04 15:31:18 wazuh-agent: INFO: (6001): File integrity monitoring disabled.
2022/05/04 15:31:18 wazuh-agent: WARNING: The check_winaudit option is deprecated in favor of the SCA module.
2022/05/04 15:31:18 rootcheck: INFO: Started (pid: 10216).
2022/05/04 15:31:18 wazuh-agent: INFO: (4102): Connected to the server (x.x.x.x:1514/tcp).
2022/05/04 15:31:18 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started.
2022/05/04 15:31:18 wazuh-agent: INFO: Windows version is 6.0 or newer. (Microsoft Windows Server 2008 R2 Enterprise Edition (full) Service Pack 1 [Ver: 6.1.7601] - Wazuh v4.2.5).
2022/05/04 15:31:18 wazuh-agent: INFO: (1951): Analyzing event log: 'Application'.
2022/05/04 15:31:18 sca: INFO: Module started.
2022/05/04 15:31:18 wazuh-modulesd:ciscat: INFO: Module disabled. Exiting...
2022/05/04 15:31:18 wazuh-modulesd:osquery: INFO: Module disabled. Exiting...
2022/05/04 15:31:18 wazuh-agent: INFO: (1951): Analyzing event log: 'Security'.
2022/05/04 15:31:18 sca: INFO: Loaded policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\sca_win_audit.yml'
2022/05/04 15:31:18 wazuh-agent: INFO: (1951): Analyzing event log: 'System'.
2022/05/04 15:31:18 sca: INFO: Starting Security Configuration Assessment scan.
2022/05/04 15:31:18 wazuh-agent: INFO: (1950): Analyzing file: 'active-response\active-responses.log'.
2022/05/04 15:31:18 wazuh-modulesd:syscollector: INFO: Module started.
2022/05/04 15:31:18 wazuh-modulesd:syscollector: INFO: Starting evaluation.

2022/05/04 15:31:18 sca: INFO: Starting evaluation of policy: 'C:\Program Files (x86)\ossec-agent\ruleset\sca\sca_win_audit.yml'
2022/05/04 15:31:18 wazuh-agent: INFO: Started (pid: 10216).
2022/05/04 15:31:19 rootcheck: INFO: Starting rootcheck scan.
2022/05/04 15:31:21 sca: INFO: Evaluation finished for policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\sca_win_audit.yml'
2022/05/04 15:31:21 sca: INFO: Security Configuration Assessment scan finished. Duration: 3 seconds.
2022/05/04 15:31:24 rootcheck: INFO: Ending rootcheck scan.
2022/05/04 15:31:35 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2022/05/04 16:31:37 wazuh-modulesd:syscollector: INFO: Starting evaluation.

At that moment, the application error event occurred and the alerts appeared on Wazuh as shown in the attached screenshot.
Note: the timestamp in the log file (2022/05/04 16:31:xx) corresponds to the timestamp on the Wazuh manager (2022/05/04 15:46:xx).

agent-crash.PNG

Additionally, I ran procdump on the wazuh-agent.exe program (procdump -t wazuh), which creates a .dmp file when the application crashes, and then I opened it using the WinDbg debugging tool (I am not familiar with it) and obtained this output:

FAULTING_IP:
msvcrt!strlen+c
757843df 8a01            mov     al,byte ptr [ecx]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 757843df (msvcrt!strlen+0x0000000c)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 04eb1043
Attempt to read from address 04eb1043

DEFAULT_BUCKET_ID:  INVALID_POINTER_READ

PROCESS_NAME:  wazuh-agent.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - L

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - L

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  04eb1043

READ_ADDRESS:  04eb1043

FOLLOWUP_IP:
msvcrt!strlen+c
757843df 8a01            mov     al,byte ptr [ecx]

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

FAULTING_THREAD:  000027f8

PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_READ

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_READ

LAST_CONTROL_TRANSFER:  from 61a90014 to 757843df

STACK_TEXT:  
030cf8e8 61a90014 04eb1043 00000000 04eb0048 msvcrt!strlen+0xc
WARNING: Stack unwind information not available. Following frames may be wrong.
030cf9e8 61a9679b 0249f1f4 67e27b60 030cfb08 sysinfo!ZNK7SysInfo15getSerialNumberB5cxx11Ev+0x624
030cfa78 67d1040c 0249f1f4 67e27b60 030cfb98 sysinfo!ZN7SysInfo8hardwareB5cxx11Ev+0x5b
030cfb08 67d12e8b 67e27b60 025b5f50 030cfb78 syscollector!ZN12Syscollector15getHardwareDataB5cxx11Ev+0x5c
030cfb98 67d14d6e 0139f568 025b5f50 030cfc08 syscollector!ZN12Syscollector12scanHardwareEv+0x16b
030cfc38 67d15382 00000000 67e27bb4 030cfca8 syscollector!ZN12Syscollector4scanEv+0x1de
030cfc8c 67d1550a 030cfc40 67e27b60 004c411c syscollector!ZN12Syscollector8syncLoopERSt11unique_lockISt5mutexE+0x122
030cfcc8 67d15aa2 030cfd60 030cff08 030cfed8 syscollector!ZN12Syscollector8syncLoopERSt11unique_lockISt5mutexE+0x2aa
00000000 00000000 00000000 00000000 00000000 syscollector!ZN12Syscollector4initERKSt10shared_ptrI8ISysInfoESt8functionIFvRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEEEESF_S5_IFv24syscollector_log_level_tSD_EESD_SD_SD_jbbbbbbbbbb+0x562


SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  msvcrt!strlen+c

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: msvcrt

IMAGE_NAME:  msvcrt.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  4eeaf722

STACK_COMMAND:  ~10s; .ecxr ; kb

FAILURE_BUCKET_ID:  INVALID_POINTER_READ_c0000005_msvcrt.dll!strlen

BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_READ_msvcrt!strlen+c

Followup: MachineOwner


But if you would like to analyse the .dmp yourself using another tool, you can find it in the attachment.

Finally, I hope all this information can help in analyzing the problem.

Regards,

Mohamed Zaghouani
wazuh-agent.exe_220504_163137.dmp

Mohamed ZAGHOUANI

May 6, 2022, 11:27:15 AM
to Wazuh mailing list
Hello,

It is confirmed that the crash occurs after activating the active response module in the agent config, and more precisely it occurs when the second scan starts (no problem during the initial scan, which occurs at agent start). This is the log output, with the debug level set, for the start of the syscollector scan, after which there's no other output and the agent stopped:

2022/05/06 16:00:24 wazuh-modulesd:syscollector[11468] wm_syscollector.c:81 at wm_sys_log(): INFO: Starting evaluation.
2022/05/06 16:00:24 wazuh-modulesd:syscollector[11468] wm_syscollector.c:87 at wm_sys_log(): DEBUG: Starting hardware scan

2022/05/06 16:00:32 wazuh-agent[11468] state.c:67 at write_state(): DEBUG: Updating state file.
2022/05/06 16:00:32 wazuh-agent[11468] read_syslog.c:148 at read_syslog(): DEBUG: Read 0 lines from active-response\active-responses.log
2022/05/06 16:00:32 wazuh-agent[11468] receiver-win.c:128 at receiver_thread(): DEBUG: Received message: '#!-agent ack '
 
Finally, I have a question: I was wondering how the agent was able to execute the active response 'wazuh-restart' while in its local config the module is disabled:

2022/05/05 17:24:28 active-response/bin/restart-wazuh.exe: Starting
2022/05/05 17:24:28 active-response/bin/restart-wazuh.exe: {"version":1,"origin":{"name":"","module":"wazuh-execd"},"command":"add","parameters":{"extra_args":[],"alert":{},"program":"restart-wazuh.exe"}}
2022/05/05 17:24:29 active-response/bin/restart-wazuh.exe: Ended


Is the active response config on the agent no longer available in the 4.2.5 version? Or is just the active response 'wazuh-restart' forced on the agent?

Regards.

Zaghouani Mohamed

Jose Luis Carreras Marin

May 10, 2022, 6:09:49 AM
to Wazuh mailing list
Hello Mohamed
Sorry for the late reply. Let's see, I have some doubts regarding the information you have provided:

- You say that you have tried activating all the Wazuh modules one by one, and you commented that the crash occurs when activating syscollector, although later you say that it is when activating active-response. They are different modules, without interactions. Which of the two is the one that caused the problem when activated?
As I understand it, the crash occurs in the syscollector scan, but only if active-directory is activated? Is that correct?

- I have been analyzing the procdump file; I can see that the error occurs in a strlen of the syscollector module, and I am still investigating the possible causes. One possibility occurs to me: I have seen that in your first messages you posted some events in French. Maybe it could be a problem with some special character, an encoding issue.

- Regarding your last question about active-directory, could it be that you have a centralized configuration in the manager? If so, this centralized configuration overwrites the local configuration of the agent.

Regards, Jose

Mohamed ZAGHOUANI

May 10, 2022, 7:18:29 AM
to Wazuh mailing list
Hello Jose,

I am happy that you came back, I know that you were taking care of other issues.

First, the agent crashed recently when starting the syscollector scan, but this time the 'active-response' module was disabled, so the main cause of the problem is the syscollector scan; let's forget about the 'active-response' module, there's no problem with it.

Then I thought about disabling the syscollector scan options one by one, and I started yesterday by disabling the hardware scan option; until now there's no problem.

Concerning the events that I posted in French in the first message, they are from the Windows Application event channel. I use the French language in all my Windows environments, and I don't think it's an encoding issue because the other Windows agents work properly.

Regards,

Mohamed Zaghouani

Jose Luis Carreras Marin

May 11, 2022, 5:23:27 AM
to Wazuh mailing list
Hello Mohamed,
I still can't reproduce the crash. Let's look at some things.
In one of the messages above, you showed some logs where syscollector successfully completed several scans in a row, and in a later attempt the crash occurred in the second scan. What had changed?

On the other hand, indeed the problem is in the hardware option of the scan: as you can see in the trace, following the code, the problem is in the getSerialNumber function of syscollector. Can you run the following command on Windows Server 2008 to see if there is any problem?

wmic bios get serialnumber

It is possible that the problem is in the raw SMBIOS firmware table; the crash occurs when we try to parse it. I am going to open an issue to analyze it more in depth. Any extra information you can provide will be appreciated!
Thank you very much
Regards
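
The WinDbg trace above shows strlen() faulting inside getSerialNumber while the raw SMBIOS table is parsed. The following C example is added here and is not Wazuh's code: it walks an SMBIOS structure table with every read bounded by the buffer length, so a truncated string set or a dangling string index returns an error code instead of reading past the buffer. The table bytes are constructed for the example (not real firmware data) and follow the DMTF SMBIOS structure layout, with the Type 1 serial number string index at offset 0x07.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result codes of smbios_get_serial(). */
enum { SMB_OK = 0, SMB_TRUNCATED = -1, SMB_NOT_FOUND = -2, SMB_NO_STRING = -3 };

/* strlen() that never scans past `limit` bytes; returns `limit` if no NUL is seen. */
static size_t bounded_strlen(const uint8_t *p, size_t limit)
{
    size_t n = 0;
    while (n < limit && p[n] != 0)
        n++;
    return n;
}

/*
 * Walk an SMBIOS structure table (the bytes after the 8-byte RawSMBIOSData
 * header that GetSystemFirmwareTable("RSMB") returns on Windows) and copy the
 * Type 1 (System Information) serial number, string index at offset 0x07,
 * into `out`.  Each structure is a 4-byte header (type, length, handle),
 * `length` bytes of formatted data, then NUL-terminated strings closed by a
 * double NUL.  Every read is checked against `len`, so a truncated table or a
 * dangling string index yields an error code instead of the out-of-bounds
 * read that an unchecked strlen() on the string area would perform.
 */
int smbios_get_serial(const uint8_t *tbl, size_t len, char *out, size_t outlen)
{
    size_t off = 0;
    if (outlen == 0)
        return SMB_NO_STRING;
    out[0] = '\0';

    while (off + 4 <= len) {
        uint8_t type = tbl[off];
        uint8_t hlen = tbl[off + 1];
        if (hlen < 4 || off + hlen > len)
            return SMB_TRUNCATED;            /* formatted area runs off the end */
        if (type == 127)
            return SMB_NOT_FOUND;            /* end-of-table structure reached */

        /* Locate the double NUL that closes this structure's string set. */
        size_t sp = off + hlen, end = sp;
        for (;;) {
            if (end + 1 >= len)
                return SMB_TRUNCATED;        /* string set never terminated */
            if (tbl[end] == 0 && tbl[end + 1] == 0)
                break;
            end++;
        }

        if (type == 1 && hlen > 0x07) {
            uint8_t want = tbl[off + 0x07];  /* 1-based string index, 0 = none */
            size_t cur = sp;
            for (uint8_t i = 1; want != 0 && cur < end; i++) {
                size_t slen = bounded_strlen(tbl + cur, end - cur);
                if (i == want) {
                    if (slen >= outlen)
                        slen = outlen - 1;
                    memcpy(out, tbl + cur, slen);
                    out[slen] = '\0';
                    return SMB_OK;
                }
                cur += slen + 1;
            }
            return SMB_NO_STRING;            /* index 0 or beyond the string set */
        }
        off = end + 2;                       /* skip the double NUL, next structure */
    }
    return SMB_TRUNCATED;                    /* ran out of bytes before Type 127 */
}

/* Constructed sample table (not real firmware data): a minimal Type 0, a Type 1
 * whose serial number is string #3, and the Type 127 end-of-table marker. */
const uint8_t GOOD_TABLE[] = {
    0x00, 0x04, 0x00, 0x00,                    /* Type 0, length 4, handle 0 */
    'V','e','n','d','o','r', 0x00, 0x00,       /* one string, then set terminator */
    0x01, 0x08, 0x01, 0x00,                    /* Type 1, length 8, handle 1 */
    0x01, 0x02, 0x00, 0x03,                    /* manufacturer #1, product #2, version none, serial #3 */
    'C','o','n','t','o','s','o', 0x00,
    'S','e','r','v','e','r', 0x00,
    'A','B','C','1','2','3','4', 0x00, 0x00,
    0x7F, 0x04, 0x02, 0x00, 0x00, 0x00,        /* Type 127, length 4, handle 2 */
};
/* Same bytes cut off after "ABC": the table ends inside the serial string, the
 * case where an unchecked strlen() would keep reading past the buffer. */
const size_t TRUNCATED_LEN = 38;

/* Constructed Type 1 whose serial index (#3) points beyond its two strings. */
const uint8_t BAD_INDEX_TABLE[] = {
    0x01, 0x08, 0x01, 0x00, 0x01, 0x02, 0x00, 0x03,
    'C','o','n','t','o','s','o', 0x00, 'S','e','r','v','e','r', 0x00, 0x00,
    0x7F, 0x04, 0x02, 0x00, 0x00, 0x00,
};

char g_serial[64];                           /* scratch output buffer */

int main(void)
{
    int rc = smbios_get_serial(GOOD_TABLE, sizeof GOOD_TABLE, g_serial, sizeof g_serial);
    printf("full table:      rc=%d serial=%s\n", rc, g_serial);
    rc = smbios_get_serial(GOOD_TABLE, TRUNCATED_LEN, g_serial, sizeof g_serial);
    printf("truncated table: rc=%d (SMB_TRUNCATED is %d)\n", rc, SMB_TRUNCATED);
    rc = smbios_get_serial(BAD_INDEX_TABLE, sizeof BAD_INDEX_TABLE, g_serial, sizeof g_serial);
    printf("dangling index:  rc=%d (SMB_NO_STRING is %d)\n", rc, SMB_NO_STRING);
    return 0;
}
```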

Mohamed ZAGHOUANI

May 11, 2022, 12:22:58 PM
to Wazuh mailing list
Hello Jose,

Responding to the first question: what had changed is that I had activated the 'active-response' module in the agent's local config, and then the syscollector scan at agent start completed successfully, and the second one had just started and didn't complete because the agent crashed. But as I said in my last post, the crash occurred again while the 'active-response' module was disabled, but this time it occurred after several scans.

Finally, I ran the command and it returned the serial number without any problem; it was a combination of 7 characters (letters and numbers).

Regards,

Zaghouani Mohamed

Jose Luis Carreras Marin

May 12, 2022, 8:46:17 AM
to Wazuh mailing list
Hello Zaghouani Mohamed

I have been working on modifying the function that is causing the error, and I have added some lines to the code to display some table information messages.
If it is not too much trouble, could you try this custom Wazuh installer?
Link

Here I show you the change I made in parseRawSmbios:

change.png

You just need to shut down Wazuh, install this new agent I am sending you, and keep the same configuration (just leave syscollector enabled with the hardware scan). It is also a good idea to disable the debug log messages, to see everything more cleanly.
Then open a terminal and go to the path where Wazuh is installed; by default the command is:
  • cd C:\Program Files (x86)\ossec-agent

Here, run the Wazuh agent with the command:
  • wazuh-agent.exe start

You should see some messages similar to this:

syscollector.png

And if the agent crashes, we can see the exact line and maybe we can find out why.
I hope we can solve the problem as soon as possible!!!

Regards!

Mohamed ZAGHOUANI

May 13, 2022, 9:35:05 AM
to Wazuh mailing list
Hello Jose,

Thank you for the great job you are doing.

I did the installation of the agent with the same configuration and I got the newly added logs from the command line output during the syscollector scan, but until this moment the application hasn't crashed yet, which is not usual!!!

I verified that the Wazuh service is stopped and the agent is already running and connected to the manager via the command line.
Are there any other differences between your version and the original one of the agent? Because the agent seems to be running normally.

Finally, I will write again if there are new changes.

Regards,

Zaghouani Mohamed

Mohamed ZAGHOUANI

May 16, 2022, 6:23:15 AM
to Wazuh mailing list
Hello Jose,

Finally, the application crashed and I got the attached output from the command line.

The last line of the log is not complete (" New SMBIOS table line: '  "), so I think that there is an encoding problem with some characters, because I see many strange characters in the output.


Regards,

Zaghouani Mohamed
log.txt

Jose Luis Carreras Marin

May 19, 2022, 8:12:25 AM
to Wazuh mailing list
Hello Zaghouani Mohamed

I have passed your logs and all the information to the team that runs the syscollector module to investigate the causes.
Thank you very much for all your help, we hope to have a solution as soon as possible.
I will let you know as soon as I can.

Regards

Jose Luis Carreras Marin

May 20, 2022, 4:03:24 AM
to Wazuh mailing list
Hello again,
We have opened an issue to deal with the problem more specifically; here you can follow the whole process:

https://github.com/wazuh/wazuh/issues/13547

Hanes Nahuel Sciarrone

May 30, 2022, 10:38:10 AM
to Wazuh mailing list
Hi ZAGHOUANI

I hope you are well. I'm attacking the issue regarding your report on Syscollector. I have tried to reproduce the problem in my environment with Windows 2008 but had no luck. I would like to ask whether you can share with me the complete log.txt from running again the binary that Jose Luis Carrera built for you, from the moment you started Wazuh until it crashes. I have analyzed the log but I haven't seen the "First type." line in the file; it should appear when Syscollector finds the serial number of the motherboard.

Best regards
Hanes

Hanes Nahuel Sciarrone

Jun 8, 2022, 1:52:39 PM
to Wazuh mailing list
Hi ZAGHOUANI

I hope you are well. We are facing the issue that you reported on Syscollector related to getting SMBIOS data. Unfortunately, we haven't been able to reproduce this issue in our environments, so we need your help to provide us with as much information as possible. If you could share with us the complete log.txt generated after re-running the binary that Jose Luis Carrera built, from the time you started Wazuh until it crashes, it will be of great help to generate a fix. I hope you understand the inconvenience caused, and the Wazuh team thanks you for your collaboration with the product and your trust.

Best regards
Hanes


Mohamed ZAGHOUANI

Jun 14, 2022, 8:33:19 AM
to Wazuh mailing list
Hello Hanes,

I am so sorry for not responding to your messages; actually I was very busy during the last weeks and forgot to check this case.

I have now relaunched the agent and redirected the command line output to a file to get the whole log, and for the starting syscollector scan I got the attached log, where I can't see the 'First type' lines. I will come back with the logs of the next scans until the agent crashes.

Regards,

Mohamed Zaghouani
log.txt

Hanes Nahuel Sciarrone

Jun 14, 2022, 7:43:15 PM
to Wazuh mailing list
Hi Mohamed ZAGHOUANI

I hope you are well and a bit calmer in your work. We have talked with my team and decided to give you a special program that gets the SMBIOS serial number and saves the binary data of each run in a file called Output<index>.txt (the index is a number that is incremented at each run). Of course, we give you the source code under the GPL v2 license in case you want to check the security of the program. The program, called SerialNumber.exe, runs every 10 seconds and is very similar to the Wazuh code. The data provided by these files will help us understand what data Wazuh collects from your hardware and validate whether we are analyzing something wrong.

Executable: Google Drive

I have shared an executable with you. Please download it and run it in PowerShell or in the CMD console. I have successfully run the program with this command line in PowerShell:

.\SerialNumber.exe >> console.txt

The console.txt file contains the serial number and the binary data in hexadecimal format.

If you can run this program and send us the output<index>.txt files generated in the same path as the binary, Wazuh and our team will thank you. We at Wazuh want to improve the program to help our users and you.

Best regards
Hanes

Mohamed ZAGHOUANI

Jun 15, 2022, 5:00:10 AM
to Wazuh mailing list
Hello Hanes,

First let me share with you the whole log from the agent program proposed by Jose after it has crashed.

I have some questions about the execution of the SerialNumber.exe executable:

Should I run it while the agent is also running, or not?
Under which condition would it finish, since you said that it runs every 10 seconds?

Regards,

Mohamed Zaghouani
log.txt

Hanes Nahuel Sciarrone

Jun 15, 2022, 8:26:10 AM
to Wazuh mailing list
Hi Mohamed ZAGHOUANI

Thanks for the log, I will analyze the log. About your questions:

  1. Should I run it while the agent is also running or not? SerialNumber.exe is independent of the Wazuh agent; if you want to run them together there will be no problem.
  2. Under which condition would it finish, since you said that it runs every 10 seconds? I don't understand this question, but if you mean how it gets the information, it uses the Windows API to query the SMBIOS; the program doesn't need administrator permissions and is single-threaded with a very simple 10-second delay.
Best regards
Hanes

Mohamed ZAGHOUANI

Jun 16, 2022, 4:34:05 AM
to Wazuh mailing list
Hello Hanes,

About the second question, I mean how many output<index>.txt files should the program generate (during each run) before I finally stop it and send you the files?

Regards,

Mohamed Zaghouani

Hanes Nahuel Sciarrone

Jun 16, 2022, 9:28:03 AM
to Wazuh mailing list
Hi Mohamed ZAGHOUANI

Well, the main idea is to run the program until it crashes. The code inside the program is very similar to Wazuh's, so it should crash at some point. If this never happens, please send the latest output<index>.txt as well; if you can, share with me a screenshot of the console with the string printed on it, or, if you ran the program with the same command that I sent you, please send me the console.txt file.

Best regards
Hanes

Mohamed ZAGHOUANI

Jun 16, 2022, 12:06:19 PM
to Wazuh mailing list
Hello Hanes,

When I ran the program I got an error message saying that libwinpthread-1.dll is missing on the machine.

How should I proceed then?

Regards

Mohamed Zaghouani

Hanes Nahuel Sciarrone

Jun 16, 2022, 2:21:54 PM
to Wazuh mailing list
Hi Mohamed ZAGHOUANI

I'm very sorry; I am sharing with you a folder with all the DLLs and the same binary. Please download them and put them in the same folder, then run the program.

Google Drive: Folder

Best regards
Hanes

Mohamed ZAGHOUANI

Jun 20, 2022, 4:51:13 AM
to Wazuh mailing list
Hello Hanes,

I have run the program successfully during the last three days but it has never crashed, so I decided to stop it and send you the console.txt and the latest Output.txt files, attached below. I hope this will help you, and I will certainly be available for further actions.

Regards,

Mohamed Zaghouani
console.txt
Output25647.txt

Hanes Nahuel Sciarrone

Jun 21, 2022, 7:45:42 PM
to Wazuh mailing list
Hi Mohamed ZAGHOUANI

Could you also send me the first 10 Output.txt files? I detected a strange behavior but I want to check it. If you have all the output<index>.txt files, it would be great if you could send them to me using the Google Drive I shared with you.

Best regards
Hanes

Hanes Nahuel Sciarrone

Jun 21, 2022, 7:46:56 PM
to Wazuh mailing list
Here is the link to the Google Drive.

Mohamed ZAGHOUANI

Jun 22, 2022, 7:25:27 AM
to Wazuh mailing list

Hello Hanes,

I have already shared all the output files using the Google Drive.

Regards,

Mohamed Zaghouani