Installing Sysmon application using SCCM

UserSan 6 Reputation points
2020-11-18T18:01:38.517+00:00

Dear Members,

I need your help with installing the Sysmon application using SCCM. The installation is failing. The logs show that the issue is happening because of the detection method I used.

I used this detection method - File exists - C:\Windows\sysmon64.exe

Please some one help me on this.


5 answers

  1. Stephen Wyatt 11 Reputation points
    2020-12-05T18:34:43.88+00:00

    The above detection rule is wrong. You should be checking IF FILE EXIST C:\WINDOWS\SYSMON.EXE. Not sysmon64.exe.
    We internally check on both sysmon.exe and the sysmondrv file (I forget the name)--and we also check on the version #.

    2 people found this answer helpful.

  2. UserSan 6 Reputation points
    2020-11-20T08:30:36.107+00:00

    Dear TuanTrieuu-1005,
    Thanks for the reply. While checking the SCCM AppDiscovery.log, I am getting the log below.

    <![LOG[Entering ExecQueryAsync for query "select * from CCM_AppDeliveryType where (AppDeliveryTypeId = "ScopeId_DE3FDE7B-BE29-4BD1-B7D1-6C7BA5C098AA/DeploymentType_80296fc5-ca27-4e74-be08-027b11dd5b9b" AND Revision = 6)"]LOG]!><time="16:26:59.552-180" date="11-11-2020" component="AppDiscovery" context="" type="1" thread="10460" file="appprovider.cpp:411">
    <![LOG[ Performing detection of app deployment type Sysinternals Sysmon(ScopeId_DE3FDE7B-BE29-4BD1-B7D1-6C7BA5C098AA/DeploymentType_80296fc5-ca27-4e74-be08-027b11dd5b9b, revision 6) for system.]LOG]!><time="16:26:59.554-180" date="11-11-2020" component="AppDiscovery" context="" type="1" thread="10460" file="appprovider.cpp:2128">
    <![LOG[+++ Application not discovered. [AppDT Id: ScopeId_DE3FDE7B-BE29-4BD1-B7D1-6C7BA5C098AA/DeploymentType_80296fc5-ca27-4e74-be08-027b11dd5b9b, Revision: 6]]LOG]!><time="16:26:59.566-180" date="11-11-2020" component="AppDiscovery" context="" type="1" thread="10460" file="localapphandler.cpp:291">
    <![LOG[+++ Did not detect app deployment type Sysinternals Sysmon(ScopeId_DE3FDE7B-BE29-4BD1-B7D1-6C7BA5C098AA/DeploymentType_80296fc5-ca27-4e74-be08-027b11dd5b9b, revision 6) for system.]LOG]!><time="16:26:59.566-180" date="11-11-2020" component="AppDiscovery" context="" type="1" thread="10460" file="appprovider.cpp:545">
    <![LOG[ ActionType - Install will use Content Id: Content_7cd603ff-a887-4b63-87b2-066c41f4299f + Content Version: 1 for AppDT "Sysinternals Sysmon" [ScopeId_DE3FDE7B-BE29-4BD1-B7D1-6C7BA5C098AA/DeploymentType_80296fc5-ca27-4e74-be08-027b11dd5b9b], Revision - 6]LOG]!><time="16:26:59.807-180" date="11-11-2020" component="AppDiscovery" context="" type="1" thread="10460" file="appprovider.cpp:1548">

    Please help.

    1 person found this answer helpful.

  3. Tuan Trieu 1 Reputation point
    2020-11-20T06:21:57.767+00:00

    @SanuMundathil-6605 Could you please upload the logs or screenshot of error message? Also you can follow this guide to debug in client side!


  4. Tuan Trieu 1 Reputation point
    2020-11-23T22:18:34.023+00:00

    @SanuMundathil-6605 could you please attach all CCM Logs:

    AppDiscovery.log
    AppIntentEval.log
    AppEnforce.log
    CAS.log
    ContentTransferManager.log
    DataTransferService.log


  5. Leonid Zubchevsky 0 Reputation points
    2024-01-19T05:48:59.96+00:00

    Good day, for your convenience:

    Program installation: Sysmon64.exe -i -accepteula

    Program detection:

    1. registry: HKLM\SYSTEM\CurrentControlSet\Services\Sysmon64 Value: ImagePath
    2. c:\windows\Sysmon64.exe

    Program removal: Sysmon64.exe -u

    The same in screenshots (installation, removal and detection settings; images not reproduced here).
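Putting answers 1 and 5 together (check the binary, the driver, the service registration and the version rather than a single file path), here is a custom detection script in the form ConfigMgr expects. This is an added example written for this thread, not code from any of the posters or from Sysinternals. It assumes Sysmon was installed with Sysmon64.exe -i -accepteula, so the service is named Sysmon64, the binary is copied to %SystemRoot%\Sysmon64.exe and the driver is the default SysmonDrv.sys (if you used Sysmon.exe, or the -d option to rename the driver, adjust the names). The expected version number is a placeholder for whatever build is in your package.

```powershell
# Added example (not from the original thread): ConfigMgr custom detection script for Sysmon.
# ConfigMgr semantics for script detection:
#   exit 0 + something written to STDOUT  -> application detected (installed)
#   exit 0 + nothing on STDOUT            -> not detected (install/upgrade will run)
#   non-zero exit code                    -> detection error
# Assumptions (see lead-in): installed via Sysmon64.exe, default driver name, version placeholder.

$ServiceName     = 'Sysmon64'                                        # 'Sysmon' if you deploy Sysmon.exe
$ExpectedVersion = [version]'13.02'                                  # placeholder: version in your package
$ExePath         = Join-Path $env:SystemRoot "$ServiceName.exe"      # Sysmon copies itself here on -i
$DriverPath      = Join-Path $env:SystemRoot 'System32\drivers\SysmonDrv.sys'
$RegPath         = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"

function Test-SysmonInstalled {
    # 1. Service registration: ImagePath must exist and point at the expected binary.
    $imagePath = (Get-ItemProperty -Path $RegPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if (-not $imagePath) { return $false }
    if ($imagePath.Trim('"') -notlike "*\$ServiceName.exe") { return $false }

    # 2. Both the user-mode binary and the kernel driver must be on disk.
    if (-not (Test-Path -LiteralPath $ExePath))    { return $false }
    if (-not (Test-Path -LiteralPath $DriverPath)) { return $false }

    # 3. Version check, so that an upgrade deployment is not reported as "already installed"
    #    on machines that still run an older build.
    try {
        $fileVersion = [version](Get-Item -LiteralPath $ExePath).VersionInfo.FileVersion
    } catch {
        return $false                                               # unparsable version: treat as not installed
    }
    if ($fileVersion -lt $ExpectedVersion) { return $false }

    # 4. The service must actually be running; a stopped Sysmon produces no telemetry.
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    return ($null -ne $svc -and $svc.Status -eq 'Running')
}

if (Test-SysmonInstalled) {
    # Writing to STDOUT is what tells ConfigMgr the application is present.
    Write-Output "Sysmon ($ServiceName) detected at $ExePath"
}
exit 0
```

In the deployment type, choose "Use a custom script to detect the presence of this deployment type", script type PowerShell, and paste the script. Leave "Run script as 32-bit process on 64-bit clients" unchecked, otherwise the System32\drivers path is subject to WOW64 file system redirection. Bump $ExpectedVersion whenever you update the package so the existing deployment upgrades older clients instead of skipping them.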