Sysmon 9.0 does not seem to honor configuration

  • Question

  • Hi,

    First and foremost: thank you for such a great product! We really do appreciate the effort put down by the Sysmon team to maintain this awesome piece of software.

    This is our current configuration (retrieved using the Sysmon -c command on a Sysmon 9.0 system):
    Current configuration:
     - Service name:                  Sysmon64
     - Driver name:                   SysmonDrv
     - HashingAlgorithms:             MD5,SHA256
     - Network connection:            disabled
     - Image loading:                 disabled
     - CRL checking:                  enabled
     - Process Access:                disabled
    Rule configuration (version 0.00):
     - ProcessCreate                      onmatch: exclude   combine rules using 'Or'
        ...
        Image                          filter: begin with   value: 'C:\Program Files\Windows Defender'    
        (Lots of lines removed )
        ...
     - FileCreateTime                     onmatch: include   combine rules using 'Or'
     - NetworkConnect                     onmatch: include   combine rules using 'Or'
     - ProcessTerminate                   onmatch: include   combine rules using 'Or'
     - DriverLoad                         onmatch: include   combine rules using 'Or'
     - ImageLoad                          onmatch: include   combine rules using 'Or'
     - CreateRemoteThread                 onmatch: include   combine rules using 'Or'
     - RawAccessRead                      onmatch: include   combine rules using 'Or'
     - ProcessAccess                      onmatch: include   combine rules using 'Or'
     - FileCreate                         onmatch: include   combine rules using 'Or'
     - RegistryEvent                      onmatch: include   combine rules using 'Or'
     - RegistryEvent                      onmatch: include   combine rules using 'Or'
     - RegistryEvent                      onmatch: include   combine rules using 'Or'
     - FileCreateStreamHash               onmatch: include   combine rules using 'Or'
     - FileCreateStreamHash               onmatch: exclude   combine rules using 'Or'
     - PipeEvent                          onmatch: include   combine rules using 'Or'
     - PipeEvent                          onmatch: include   combine rules using 'Or'
     - WmiEvent                           onmatch: include   combine rules using 'Or'
     - WmiEvent                           onmatch: include   combine rules using 'Or'
     - WmiEvent                           onmatch: include   combine rules using 'Or'

    This configuration works perfectly with Sysmon 8.04: only ProcessCreate events are generated, those which do not match any of the whitelist rules. This is by design, as we have to limit the number of events generated. However, when the same configuration is used in combination with 9.0, Sysmon seems to create all events, just as if we did not have any configuration at all! In other words, the EventLog is flooded with RegistryEvents and other verbose events.

    Sysmon seems to be able to load the configuration without any issues:
    System Monitor v9.0 - System activity monitor
    Copyright (C) 2014-2019 Mark Russinovich and Thomas Garnier
    Sysinternals - www.sysinternals.com
    
    Loading configuration file with schema version 4.00
    Sysmon schema version: 4.20
    Configuration file validated.
    Configuration updated.

    Are you aware of any known issues which can explain this? Or did the configuration syntax change so that our configuration needs to be rewritten in a 9.0 format?

    Best regards,


    Monday, March 4, 2019 10:50 AM
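An added example, not from the post or from Sysinternals: it parses the `Sysmon -c` output layout quoted above and states, per event type, what Sysmon's filter semantics should produce (an include group with no rules logs nothing for that event type, an exclude group with no rules logs everything). The sample output is constructed to mirror the post.

```python
import re
from collections import defaultdict

# Constructed excerpt of `Sysmon -c` output in the layout quoted in the post:
# rule-group lines start with " - ", rule lines are indented deeper.
SAMPLE = """\
Rule configuration (version 0.00):
 - ProcessCreate                      onmatch: exclude   combine rules using 'Or'
    Image                          filter: begin with   value: 'C:\\Program Files\\Windows Defender'
    Image                          filter: begin with   value: 'C:\\Windows\\System32\\svchost.exe'
 - NetworkConnect                     onmatch: include   combine rules using 'Or'
 - RegistryEvent                      onmatch: include   combine rules using 'Or'
 - RegistryEvent                      onmatch: include   combine rules using 'Or'
"""

GROUP_RE = re.compile(r"^ - (\w+)\s+onmatch: (include|exclude)")
RULE_RE = re.compile(r"^\s{2,}\w+\s+filter: ")


def parse_rule_groups(text):
    """Return {event_type: [(onmatch, rule_count), ...]} from `Sysmon -c` text."""
    groups = defaultdict(list)
    current = None
    in_rules = False
    for line in text.splitlines():
        if line.lstrip().startswith("Rule configuration"):
            in_rules = True          # everything above is service/driver info
            continue
        m = GROUP_RE.match(line) if in_rules else None
        if m:
            current = m.group(1)
            groups[current].append([m.group(2), 0])
        elif in_rules and current and RULE_RE.match(line):
            groups[current][-1][1] += 1   # one filter rule inside the open group
    return {k: [tuple(g) for g in v] for k, v in groups.items()}


def expected_logging(groups):
    """What Sysmon's onmatch semantics imply is logged for each event type."""
    result = {}
    for event, glist in groups.items():
        if any(om == "exclude" and n == 0 for om, n in glist):
            result[event] = "everything"          # empty exclude: no filtering
        elif any(om == "exclude" for om, n in glist):
            result[event] = "all except matches"
        elif any(n > 0 for om, n in glist):
            result[event] = "matches only"
        else:
            result[event] = "nothing"             # empty include: nothing logged
    return result


if __name__ == "__main__":
    for event, what in expected_logging(parse_rule_groups(SAMPLE)).items():
        print(f"{event:22} {what}")
```

Comparing this table against per-Event-ID counts from the Microsoft-Windows-Sysmon/Operational log on a host shows whether that host is actually honoring the loaded configuration.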
