Environment
- App Control Agent (formerly CB Protection): All Supported Versions
- BeyondTrust Software
Symptoms
- Event log has EventID: 7023, The Cb Protection Agent service terminated with the following error: %%-1073741819
- dascli status - returns 'Cannot connect to user agent'
Cause
BeyondTrust is attempting to inject privman32.dll into the Parity Agent, and Tamper Protection stops the modification, but the action still causes the agent to crash and restart itself.
Resolution
- Exclude App Control directories via Anti-Virus Exclusions for Agent (Windows)
- For Windows 7 through Windows 10 endpoints
- Go to following Beyond Trust
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\BeyondTrust\PBDesktops
- Add a registry key expandable string value entered, named "ExcludedApps", with the following information added to the Data tab:
|
C:\Windows\System32\drivers\Parity.sys;C:\ProgramData\Bit9\Parity Agent\;C:\Program Files\Bit9\Parity Agent\;C:\Program Files (x86)\Bit9\Parity Agent\;C:\Program Files\Bit9\Parity Agent\Parity.exe;C:\Program Files (x86)\Bit9\Parity Agent\Parity.exe;C:\Program Files\Bit9\Parity Agent\Crawler.exe;C:\Program Files (x86)\Bit9\Parity Agent\Crawler.exe;C:\Program Files\Bit9\Parity Agent\Dascli.exe;C:\Program Files (x86)\Bit9\Parity Agent\Dascli.exe;C:\Program Files\Bit9\ParityAgent\Notifier.exe;C:\Program Files (x86)\Bit9\Parity Agent\Notifier.exe;C:\Program Files\Bit9\Parity Agent\Timedoverride.exe;C:\Program Files (x86)\Bit9\Parity Agent\Timedoverride.exe;
|
- For Windows OS prior to 7:
- Replace C:\ProgramData\Bit9\Parity Agent\ with C:\Documents and Settings\All users\Application Data\Bit9\Parity Agent\ in the values listed above.
- To complete the changes, a reboot of the endpoint is advised.
Additional Notes
- As a general rule for any registry modification, it is highly recommended to perform a backup of the registry prior to any changes
- Reboot will be recommended for full effect
Related Content
