Endpoint Standard: Cannot Delete User Profile

Environment

  • Endpoint Standard Sensor: 3.x and Higher
  • Microsoft Windows: All Supported Versions

Symptoms

  • When attempting to delete a user profile using the System ~ User Profiles dialog box, an error message is displayed: "Profile not deleted completely. Error - The RPC Server is unavailable"
  • The profile can be deleted with the sensor in bypass

Cause

A setting in the policy treats the actions of the service removing the account (svchost.exe) as ransomware-like behavior and blocks them.

Resolution

  • The blocking policy will need to be refined to allow the user files to be deleted
  • Setting the sensor to bypass will allow the user to be removed

Additional Notes

A terminate policy for ** "performs ransomware-like behavior" will block any process that touches canary files, including the one deleting a user account.

Creation Date: 01-25-2022