Troubleshooting Errors

When a memory snapshot, or image, is uploaded to Project Freta, the following general process occurs:

  1. The image is parsed based on its file format - we currently support four formats
  2. The kernel is identified - that is, whether it's RedHat, Ubuntu, Kali, etc., and which version
  3. The kernel is mapped - we extract the report data consisting of the system objects enumeration and malware inference

This is a complex process, and sometimes things can break. The following are the four primary error conditions that can occur during the Freta analysis workflow:

  • Parsing error
  • Kernel not found
  • Kernel not supported
  • Kernel not mapped

Each of these error conditions is detailed in the following sections.


Parsing Error

Portal error message: unable to parse memory snapshot due to file format issues

This error condition means that the image parser does not recognize the file format.

This can be caused by a failed file upload (which is rare), an otherwise corrupted file, or a problem with our parsing engines.

To troubleshoot: please ensure the file format is supported and the file is valid, and try uploading a second time. If you continue to get this error though you believe the file is valid, please contact us at project-freta@microsoft.com and include the image name and a description of how you captured it, and we will investigate.


Kernel not found

Portal error message: unable to identify a kernel in memory snapshot

This error condition can occur if the uploaded .raw file is not actually a memory snapshot, or if the uploaded file, while a valid image of one of the other supported formats, doesn't appear to contain a valid Linux kernel.

That is, we were able to parse the image but our heuristics were unable to locate a valid kernel.

To troubleshoot: please try capturing the image again and resubmitting. If you continue to get this error, please contact us at project-freta@microsoft.com and include the image name and a description of how you captured it, and we will investigate.


Kernel not supported

Portal error message: unsupported kernel: {kernel}

This error condition means we parsed the uploaded memory snapshot and identified the kernel, but we do not yet support it.

Though we do support a large number of Linux kernels, we do not support all of them.

To troubleshoot: if the kernel in your image is publicly available, please contact us at project-freta@microsoft.com and let us know the kernel flavor and version in question, and we will consider adding support for it. Note we do not support privately-built kernels at this time.
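A local pre-check for the "Kernel not found" and "Kernel not supported" cases, as an added example that is not Freta's code and does not reproduce its heuristics: it scans an image for the `Linux version` banner string that Linux kernels embed, so you can confirm the file holds a kernel and read off the version to report. It assumes the image stores memory uncompressed, as a .raw dump does; the regex bounds, chunk sizes and the sample banner are constructed for this example.

```python
import re
import sys

# Constructed sample banner (not from a real system), in the usual layout:
# "Linux version <release> (<builder>) (<compiler>) #<build> <date>"
SAMPLE_BANNER = (b"Linux version 5.4.0-42-generic (builder@example) "
                 b"(gcc version 9.3.0) #46-Ubuntu SMP Fri Jul 10 00:24:02 UTC 2020\n")

# Bounded pattern (assumption): the longest possible match is 386 bytes, below OVERLAP.
BANNER = re.compile(
    rb"Linux version (\d{1,3}\.\d{1,3}[\x21-\x7e]{0,64}) [\x20-\x7e]{10,300}")
OVERLAP = 512
CHUNK = 1 << 20


def find_kernel_banners(stream, chunk=CHUNK):
    """Return {banner: (first_offset, release)} for each distinct banner."""
    found = {}
    buf, base = b"", 0          # base = file offset of buf[0]
    while True:
        data = stream.read(chunk)
        buf += data
        # A match starting in the last OVERLAP bytes may be cut off by the
        # chunk boundary; leave it for the next pass unless this is EOF.
        limit = len(buf) if not data else len(buf) - OVERLAP
        for m in BANNER.finditer(buf):
            if m.start() < limit:
                text = m.group(0).decode("ascii")
                found.setdefault(text, (base + m.start(), m.group(1).decode("ascii")))
        if not data:
            return found
        keep = min(OVERLAP, len(buf))
        base += len(buf) - keep
        buf = buf[-keep:]


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as image:
        hits = find_kernel_banners(image)
    if not hits:
        print("no Linux kernel banner found; the file may not be a memory snapshot")
    for text, (offset, release) in sorted(hits.items(), key=lambda kv: kv[1][0]):
        print(f"{offset:#014x}  release={release}  {text}")
```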


Kernel not mapped

Portal error message: unable to map found kernel: {kernel}

This error condition means we successfully parsed the image and identified the kernel, but there was a problem during the mapping phase.

This could be caused by a change in the kernel version that we don't support, or by significant memory churn during the image's capture interval.

To troubleshoot: please try capturing the image again, if possible while the target virtual machine is idle or near idle, and resubmit. If you continue to get this error even with the newly captured image, please contact us at project-freta@microsoft.com and include the image name and a description of how you captured it, and we will investigate.