Environment
- CBC Sensor: Any Windows version
- CBC Backend: Any version
- ControlUP agent: 8.6.5.427, likely other versions also.
- Microsoft Windows: 10.x, 11.x, Server 2016, 2019
Symptoms
- BSOD / crashing appears random.
- CBC's ctifile.sys often referenced in the crash analysis report.
- Sensor's Confer.log contains Tamper events referencing the ControlUP agent "cuagent.exe":
09/20/22 12:08:13.107: 2290 SUCCESS PSCRULES: Pid[5760-133081632507977484-0] (c:\program files\smart-x\controlupagent\version 8.6.5.427\cuagent.exe) sha256:0x5211E75FBB9180102D34EA9A374595184916A1B0922DB59F906C515D9390628B ProcessTags(Cb:Psc:EnabledNonDefaultEtwLogging,Cb:Sensor:ProcessClassified,Cb:Sensor:ProcessDiscovered) Op:OPEN_PROCESS_HANDLE OperationTags(Cb:Defense:Tamper:MITRE_T1003_001_LSASS_MEMORY,Cb:Defense:Tamper:MITRE_T1003_OS_CREDENTIAL_DUMP) TargetType:PROCESS Pid[1852-133081632468523712-0] (c:\windows\system32\lsass.exe) TargetHash(0xE69356111240657E6435EDF2E3A4BBAC9C89957EF2D34FC620B8B7DBF564A862) Signature(0) was:Block by policy:1DED7E47-CE4C-448E-AD01-6F4AC3CE7F5D rev:122 rule:D4B4B2BA-F30A-4A73-8EDE-7F78D5823393 (Block Applications Requesting PROCESS_VM_READ or DUP_PROCESS_HANDLE from lsass.exe) Matched[2 rules (2 terminal)] Destination[3] EventSize[9661 bytes]
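To check how often, and by which rule, the sensor is blocking the agent, the PSCRULES lines in Confer.log can be parsed and grouped. The following is an added example, not part of the original article or of either vendor's tooling. The field layout is inferred from the single log line above, the names `EVENT_RE`, `tamper_events` and `summarize` are hypothetical, and the sample lines are constructed.

```python
import ntpath
import re
from collections import Counter

# Field layout follows the Confer.log PSCRULES line shown under Symptoms.
EVENT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d [\d:.]+): \d+ \w+ PSCRULES: "
    r"Pid\[[^\]]*\] \((?P<actor>.+?)\) sha256:.*?"
    r"Op:(?P<op>\w+) OperationTags\((?P<tags>[^)]*)\) .*?"
    r"Pid\[[^\]]*\] \((?P<target>.+?)\) TargetHash\(.*?"
    r"was:(?P<action>\w+) by policy:(?P<policy>[0-9A-Fa-f-]+) rev:\d+ "
    r"rule:(?P<rule>[0-9A-Fa-f-]+) \((?P<rule_name>.+?)\) Matched"
)

def tamper_events(lines):
    """Parse PSCRULES lines; keep those whose OperationTags carry a Tamper tag."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line)
        if m is None:
            continue  # not a PSCRULES line in the assumed layout
        ev = m.groupdict()
        ev["tags"] = ev["tags"].split(",")
        if any(":Tamper:" in tag for tag in ev["tags"]):
            events.append(ev)
    return events

def summarize(events):
    """Count events per (actor exe, target exe, action, rule id)."""
    name = ntpath.basename  # parses Windows paths on any OS
    return Counter((name(e["actor"]).lower(), name(e["target"]).lower(),
                    e["action"], e["rule"]) for e in events)

# Constructed sample: two copies of the page's event (hashes and PID suffixes
# replaced by placeholders, tags trimmed) plus one unrelated line.
ACTOR = (r" 2290 SUCCESS PSCRULES: Pid[5760-0-0] (c:\program files\smart-x"
         r"\controlupagent\version 8.6.5.427\cuagent.exe) sha256:0x<ACTOR_HASH>")
TAIL = (r" ProcessTags(Cb:Sensor:ProcessClassified) Op:OPEN_PROCESS_HANDLE"
        r" OperationTags(Cb:Defense:Tamper:MITRE_T1003_001_LSASS_MEMORY) TargetType:PROCESS"
        r" Pid[1852-0-0] (c:\windows\system32\lsass.exe) TargetHash(0x<TARGET_HASH>)"
        r" Signature(0) was:Block by policy:1DED7E47-CE4C-448E-AD01-6F4AC3CE7F5D rev:122"
        r" rule:D4B4B2BA-F30A-4A73-8EDE-7F78D5823393 (Block Applications Requesting"
        r" PROCESS_VM_READ or DUP_PROCESS_HANDLE from lsass.exe) Matched[2 rules]")
SAMPLE = ["09/20/22 12:08:13.107:" + ACTOR + TAIL,
          "09/20/22 12:08:14.000: 2290 INFO constructed unrelated line",
          "09/20/22 12:09:13.412:" + ACTOR + TAIL]

if __name__ == "__main__":
    print(summarize(tamper_events(SAMPLE)))
```

Comparing the timestamps of the resulting events with the crash times shows whether the blocked handle requests line up with the BSODs.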
Cause
This is a conflict between the CBC Windows sensor and the ControlUP agent.
Resolution
According to one site, "Disabling the RemoteDX component seems to have resolved the issue."