UserSan asked

Installing Sysmon application using SCCM

Dear Members,

I need your help with installing the Sysmon application using SCCM. It is failing on installation. The logs show that the issue is happening because of the detection method I used.

I used this detection method - File exists - C:\Windows\sysmon64.exe

Please, someone help me with this.

windows-sysinternals-sysmon

0 Votes
TuanTrieu-1995 answered

@SanuMundathil-6605 Could you please upload the logs or a screenshot of the error message? Also, you can follow this guide to debug on the client side!



1 Vote
UserSan answered

Dear TuanTrieu-1995,
Thanks for the reply. While checking the SCCM AppDiscovery.log, I am getting the log below.

<![LOG[Entering ExecQueryAsync for query "select * from CCM_AppDeliveryType where (AppDeliveryTypeId = "ScopeId_DE3FDE7B-BE29-4BD1-B7D1-6C7BA5C098AA/DeploymentType_80296fc5-ca27-4e74-be08-027b11dd5b9b" AND Revision = 6)"]LOG]!><time="16:26:59.552-180" date="11-11-2020" component="AppDiscovery" context="" type="1" thread="10460" file="appprovider.cpp:411">
<![LOG[ Performing detection of app deployment type Sysinternals Sysmon(ScopeId_DE3FDE7B-BE29-4BD1-B7D1-6C7BA5C098AA/DeploymentType_80296fc5-ca27-4e74-be08-027b11dd5b9b, revision 6) for system.]LOG]!><time="16:26:59.554-180" date="11-11-2020" component="AppDiscovery" context="" type="1" thread="10460" file="appprovider.cpp:2128">
<![LOG[+++ Application not discovered. [AppDT Id: ScopeId_DE3FDE7B-BE29-4BD1-B7D1-6C7BA5C098AA/DeploymentType_80296fc5-ca27-4e74-be08-027b11dd5b9b, Revision: 6]]LOG]!><time="16:26:59.566-180" date="11-11-2020" component="AppDiscovery" context="" type="1" thread="10460" file="localapphandler.cpp:291">
<![LOG[+++ Did not detect app deployment type Sysinternals Sysmon(ScopeId_DE3FDE7B-BE29-4BD1-B7D1-6C7BA5C098AA/DeploymentType_80296fc5-ca27-4e74-be08-027b11dd5b9b, revision 6) for system.]LOG]!><time="16:26:59.566-180" date="11-11-2020" component="AppDiscovery" context="" type="1" thread="10460" file="appprovider.cpp:545">
<![LOG[ ActionType - Install will use Content Id: Content_7cd603ff-a887-4b63-87b2-066c41f4299f + Content Version: 1 for AppDT "Sysinternals Sysmon" [ScopeId_DE3FDE7B-BE29-4BD1-B7D1-6C7BA5C098AA/DeploymentType_80296fc5-ca27-4e74-be08-027b11dd5b9b], Revision - 6]LOG]!><time="16:26:59.807-180" date="11-11-2020" component="AppDiscovery" context="" type="1" thread="10460" file="appprovider.cpp:1548">

Please help.


0 Votes
TuanTrieu-1995 answered

@SanuMundathil-6605 could you please attach all CCM Logs:

AppDiscovery.log
AppIntentEval.log
CAS.log
ContentTransferManager.log
DataTransferService.log
AppEnforce.log


2 Votes
StephenWyatt-7292 answered

The above detection rule is wrong. You should be checking IF FILE EXISTS C:\WINDOWS\SYSMON.EXE, not sysmon64.exe.
We internally check on both sysmon.exe and the sysmondrv file (I forget the name), and we also check on the version number.

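The detection logic described in the answer above (binary, driver and version), written out as a ConfigMgr/SCCM script detection method. This is an added example, not code from the thread, from Microsoft or from Sysinternals. It assumes the driver file is %windir%\SysmonDrv.sys (the answer does not name it), that the Sysmon service carries the base name of whichever binary was installed (Sysmon or Sysmon64), and a hypothetical $MinimumVersion that you set to the version in your package. ConfigMgr treats exit code 0 with text on STDOUT as "detected", exit code 0 with empty STDOUT as "not detected", and a non-zero exit code as a detection error, so the script never writes output on the not-detected path.

```powershell
<#
  Added example (not code from the thread): ConfigMgr script detection for Sysmon.
  Exit 0 + text on STDOUT   => application detected
  Exit 0 + empty STDOUT     => not detected (install/upgrade is enforced)
  Non-zero exit             => detection error
  Assumptions not stated on the page: driver is %windir%\SysmonDrv.sys, the
  service is named after the binary, and $MinimumVersion is a value you choose.
#>

$MinimumVersion = [version]'13.0'   # assumed; set to the version you package

function Get-SysmonFileVersion {
    param([string]$Path)
    # Sysmon's FileVersion string is "major.minor" (e.g. 13.33); if it ever does
    # not parse, fall back to the raw version object PowerShell exposes.
    $info = (Get-Item -LiteralPath $Path).VersionInfo
    try { return [version]$info.FileVersion } catch { return $info.FileVersionRaw }
}

# Sysmon.exe installs as Sysmon.exe and Sysmon64.exe as Sysmon64.exe, so a rule
# that only checks sysmon64.exe never detects a Sysmon.exe-based install. Accept either.
$binaries = @("$env:windir\Sysmon.exe", "$env:windir\Sysmon64.exe")
$exe = $binaries | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $exe) { exit 0 }                                   # binary missing -> not detected

$driver = "$env:windir\SysmonDrv.sys"                       # assumed driver path
if (-not (Test-Path -LiteralPath $driver)) { exit 0 }       # driver missing -> not detected

$serviceName = [IO.Path]::GetFileNameWithoutExtension($exe)  # "Sysmon" or "Sysmon64" (assumed)
$svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if (-not $svc) { exit 0 }                                   # service not registered -> not detected

$installed = Get-SysmonFileVersion -Path $exe
if ($installed -lt $MinimumVersion) { exit 0 }              # older build -> let the upgrade run

# All checks passed: any STDOUT text with exit 0 marks the application as detected.
Write-Output "Sysmon $installed detected: $exe, $driver, service '$serviceName' ($($svc.Status))"
exit 0
```

Paste this as the deployment type's detection method (Detection rule type "Use a custom script", PowerShell). Keep the not-detected branches silent: a stray Write-Host or verbose message on that path would make ConfigMgr report the application as installed even when it is not. The version check is what turns the same rule into an upgrade trigger, since an older Sysmon build falls through to "not detected" and the install command runs again.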