question

WendellMoine-1543 avatar image
1 Vote"
WendellMoine-1543 asked nleva-4132 edited

windows xp clients unable to access file shares on 2012r2/2016/2019 servers after installing sysmon64

We recently deployed sysmon64 across our domain via group policy. We ran into issues where windows xp clients were no longer able to access file shares on newer windows file servers (2012r2/2016/2019) after sysmon 64 was installed on said file servers.
The windows XP clients run proprietary manufacturing equipment we cannot upgrade.
When running netstat on the file servers, we noticed that ONLY win xp clients would open a connection to file server on 445 and then after a few minutes that connection would go into CLOSE_WAIT status and win xp client would open another connection on 445 and then it would repeat until the file server was rebooted.
Newer versions of Windows clients did not have this issue; only Win XP.
We eventually determined that it had something to do with sysmondrv service. Once we forcefully stopped the sysmondrv service and uninstalled sysmon64 from the file servers; the issue went away.
NOTE: sysmon 32-bit or 64-bit was NEVER installed on any of the Win XP clients, only the file servers.

Our security team wants to redeploy sysmon64; but we need to understand why this issue occurred and how to prevent it first as it did affect or production manufacturing lines.


Our security team wants

windows-sysinternals-sysmon
· 1
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

nleva-4132 avatar image nleva-4132 ·

Exact same issue here running the latest Sysmon64 v13.33 on Server 2019. All the connections go into CLOSE_WAIT just like you stated. Previous versions of Sysmon had this issue as well. Did you ever find a solution?

Edit: This is the sysmon configuration we are using https://dl.blumira.com/agent/configurations/13.33_sysmonconfig.xml

0 Votes 0 ·

1 Answer

dstaulcu avatar image
0 Votes"
dstaulcu answered dstaulcu edited

You might be able to get by with limited symon functionality on the affected file server by employing a sysmon configuration which does not include logging dependent on file system drivers. I'd disable all collection levels at first to see if your problem goes away and then reintroduce one configuration at a time until problems come back in order to determine which configurations to avoid. I imagine you will need to avoid collection of some or all of the file-oriented collections such as FileCreateTime, FileCreate, FileDelete, and FileDeleteDetected.

5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.