
App Control: Agent Crashing or Disconnecting due to BeyondTrust Attempting to Inject the privman32.dll File

Environment

  • App Control Agent (formerly CB Protection): All Supported Versions
  • BeyondTrust Software

Symptoms

  • The Windows event log contains EventID 7023: "The Cb Protection Agent service terminated with the following error: %%-1073741819"
  • Running dascli status returns 'Cannot connect to user agent'

Cause

BeyondTrust attempts to inject privman32.dll into the Parity Agent process. Tamper Protection blocks the modification, but the injection attempt still crashes the agent, which then restarts itself.

Resolution

  1. Exclude the App Control directories via Anti-Virus Exclusions for Agent (Windows).
  2. For Windows 7 through Windows 10 endpoints:
  • Open the following BeyondTrust registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\BeyondTrust\PBDesktops
  • Add an expandable string value (REG_EXPAND_SZ) named "ExcludedApps" with the following data:
C:\Windows\System32\drivers\Parity.sys;C:\ProgramData\Bit9\Parity Agent\;C:\Program Files\Bit9\Parity Agent\;C:\Program Files (x86)\Bit9\Parity Agent\;C:\Program Files\Bit9\Parity Agent\Parity.exe;C:\Program Files (x86)\Bit9\Parity Agent\Parity.exe;C:\Program Files\Bit9\Parity Agent\Crawler.exe;C:\Program Files (x86)\Bit9\Parity Agent\Crawler.exe;C:\Program Files\Bit9\Parity Agent\Dascli.exe;C:\Program Files (x86)\Bit9\Parity Agent\Dascli.exe;C:\Program Files\Bit9\Parity Agent\Notifier.exe;C:\Program Files (x86)\Bit9\Parity Agent\Notifier.exe;C:\Program Files\Bit9\Parity Agent\Timedoverride.exe;C:\Program Files (x86)\Bit9\Parity Agent\Timedoverride.exe;
  3. For Windows versions prior to Windows 7:
  • Replace C:\ProgramData\Bit9\Parity Agent\ with C:\Documents and Settings\All users\Application Data\Bit9\Parity Agent\ in the values listed above.
  4. To complete the changes, reboot the endpoint.
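As an added example, not from the original article, the following PowerShell script applies the registry part of the resolution: it exports the existing key as a backup, selects the pre-Windows 7 data path where needed, and writes ExcludedApps as a REG_EXPAND_SZ value. It assumes the default Bit9\Parity Agent install locations listed above; the backup file location is an assumption.

```powershell
# Added example (not from the original article): creates the BeyondTrust
# ExcludedApps exclusion described above. Assumes the App Control agent is
# installed in the default Bit9\Parity Agent locations listed in the article.
$keyPath   = 'HKLM:\SOFTWARE\Policies\BeyondTrust\PBDesktops'
$valueName = 'ExcludedApps'

# Back up the existing key first, as the article recommends (reg.exe is built in).
# Backup location under %TEMP% is an assumption; adjust to your change process.
$backup = Join-Path $env:TEMP ('PBDesktops-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
if (Test-Path $keyPath) {
    & reg.exe export 'HKLM\SOFTWARE\Policies\BeyondTrust\PBDesktops' $backup /y | Out-Null
    Write-Host "Existing key exported to $backup"
}

# Windows 7 is NT 6.1; older releases use the Documents and Settings path
# instead of ProgramData, as step 3 of the resolution describes.
$programData = 'C:\ProgramData\Bit9\Parity Agent\'
if ([Environment]::OSVersion.Version -lt [Version]'6.1') {
    $programData = 'C:\Documents and Settings\All users\Application Data\Bit9\Parity Agent\'
}

# Build the same list the article gives: driver, data dir, install dirs, then
# each agent executable in both the 64-bit and 32-bit Program Files locations.
$agentExes = 'Parity.exe', 'Crawler.exe', 'Dascli.exe', 'Notifier.exe', 'Timedoverride.exe'
$paths = @(
    'C:\Windows\System32\drivers\Parity.sys'
    $programData
    'C:\Program Files\Bit9\Parity Agent\'
    'C:\Program Files (x86)\Bit9\Parity Agent\'
)
foreach ($exe in $agentExes) {
    $paths += "C:\Program Files\Bit9\Parity Agent\$exe"
    $paths += "C:\Program Files (x86)\Bit9\Parity Agent\$exe"
}
# The article's value is a semicolon-separated list with a trailing semicolon.
$data = ($paths -join ';') + ';'

# Create the policy key if the BeyondTrust branch does not exist yet.
if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }

# REG_EXPAND_SZ ("expandable string value"), overwriting any previous value.
New-ItemProperty -Path $keyPath -Name $valueName -PropertyType ExpandString `
    -Value $data -Force | Out-Null

# Read the value back and confirm it matches before declaring success.
$written = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
if ($written -ne $data) { throw "Value verification failed for $keyPath\$valueName" }
Write-Host "Wrote $($paths.Count) exclusions to $keyPath\$valueName. Reboot the endpoint to apply."
```

Run it from an elevated PowerShell prompt, since writing under HKLM\SOFTWARE\Policies requires administrative rights.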

Additional Notes

  • As a general rule for any registry modification, back up the registry before making changes.
  • A reboot is recommended for the changes to take full effect.

Article Information
Creation Date: 11-09-2020