Carbon Black Cloud: Windows random BSOD / crashing when CBC Windows sensor installed with ControlUP agent


Environment

  • CBC Sensor: Any Windows version
  • CBC Backend: Any version
  • ControlUP agent: 8.6.5.427, likely other versions also.
  • Microsoft Windows: 10.x, 11.x, Server 2016, 2019

Symptoms

  1. BSOD / crashing appears random.
  2. CBC's ctifile.sys is often referenced in the crash analysis report.
  3. Sensor's Confer.log contains Tamper events referencing the ControlUP agent "cuagent.exe":
09/20/22 12:08:13.107: 2290     SUCCESS   PSCRULES: Pid[5760-133081632507977484-0] (c:\program files\smart-x\controlupagent\version 8.6.5.427\cuagent.exe) sha256:0x5211E75FBB9180102D34EA9A374595184916A1B0922DB59F906C515D9390628B ProcessTags(Cb:Psc:EnabledNonDefaultEtwLogging,Cb:Sensor:ProcessClassified,Cb:Sensor:ProcessDiscovered) Op:OPEN_PROCESS_HANDLE OperationTags(Cb:Defense:Tamper:MITRE_T1003_001_LSASS_MEMORY,Cb:Defense:Tamper:MITRE_T1003_OS_CREDENTIAL_DUMP) TargetType:PROCESS Pid[1852-133081632468523712-0] (c:\windows\system32\lsass.exe) TargetHash(0xE69356111240657E6435EDF2E3A4BBAC9C89957EF2D34FC620B8B7DBF564A862) Signature(0) was:Block by policy:1DED7E47-CE4C-448E-AD01-6F4AC3CE7F5D rev:122 rule:D4B4B2BA-F30A-4A73-8EDE-7F78D5823393 (Block Applications Requesting PROCESS_VM_READ or DUP_PROCESS_HANDLE from lsass.exe) Matched[2 rules (2 terminal)] Destination[3] EventSize[9661 bytes]
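
To check a host for symptom 3, the following added example (not part of the original article or of the sensor's tooling) parses Confer.log lines in the layout shown above and returns the Tamper events whose acting process is cuagent.exe. The field layout is inferred from that single log line; `tamper_events`, `summarize` and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Field layout inferred from the one PSCRULES line shown above (assumption).
EVENT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+):.*?PSCRULES: "
    r"Pid\[[^\]]*\] \((?P<actor>.*?)\) sha256:.*?"
    r"Op:(?P<op>\S+) OperationTags\((?P<tags>[^)]*)\) "
    r"TargetType:\S+ Pid\[[^\]]*\] \((?P<target>.*?)\) TargetHash.*?"
    r"was:(?P<action>\w+) by policy:(?P<policy>[0-9A-Fa-f-]+) rev:\d+ "
    r"rule:(?P<rule>[0-9A-Fa-f-]+) \((?P<rule_name>.*?)\) Matched")

def tamper_events(lines, actor_exe="cuagent.exe"):
    """Return parsed Tamper events whose acting process image is actor_exe."""
    hits = []
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue  # not a PSCRULES event in the expected layout
        ev = m.groupdict()
        ev["tags"] = ev["tags"].split(",")
        is_tamper = any(t.startswith("Cb:Defense:Tamper:") for t in ev["tags"])
        # Match on the file name only: the install path embeds the agent version.
        image = ev["actor"].lower().rsplit("\\", 1)[-1]
        if is_tamper and image == actor_exe.lower():
            hits.append(ev)
    return hits

def summarize(events):
    """Count events per (target, action, rule name), e.g. for a support case."""
    return Counter((e["target"], e["action"], e["rule_name"]) for e in events)

# Constructed sample lines in the layout above; PIDs and hashes are placeholders.
_T = (r"09/20/22 12:08:{s}.107: 2290     SUCCESS   PSCRULES: Pid[5760-1-0] ({actor}) sha256:0xAA "
      r"ProcessTags(Cb:Sensor:ProcessClassified) Op:OPEN_PROCESS_HANDLE OperationTags({tags}) "
      r"TargetType:PROCESS Pid[1852-1-0] (c:\windows\system32\lsass.exe) TargetHash(0xBB) "
      r"Signature(0) was:Block by policy:1DED7E47-CE4C-448E-AD01-6F4AC3CE7F5D rev:122 "
      r"rule:D4B4B2BA-F30A-4A73-8EDE-7F78D5823393 (Block Applications Requesting "
      r"PROCESS_VM_READ or DUP_PROCESS_HANDLE from lsass.exe) Matched[2 rules (2 terminal)]")
_CU = r"c:\program files\smart-x\controlupagent\version 8.6.5.427\cuagent.exe"
_TAG = "Cb:Defense:Tamper:MITRE_T1003_001_LSASS_MEMORY"
SAMPLE = [
    _T.format(s="13", actor=_CU, tags=_TAG + ",Cb:Defense:Tamper:MITRE_T1003_OS_CREDENTIAL_DUMP"),
    _T.format(s="43", actor=_CU, tags=_TAG),
    _T.format(s="50", actor=r"c:\program files (x86)\example\other.exe", tags=_TAG),
    "09/20/22 12:08:51.000: 2290     INFO      unrelated line",
]
if __name__ == "__main__":
    print(summarize(tamper_events(SAMPLE)))
```

`tamper_events` accepts any iterable of lines, so the lines of a copy of Confer.log can be passed in place of `SAMPLE`.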
 

Cause

This is a conflict between the CBC Windows sensor and the ControlUP agent.

Resolution

According to one site, "Disabling the RemoteDX component seems to have resolved the issue."

Article Information
Creation Date: 11-09-2022