Sysmon64 (version 11.0) causing lock on files

  • Question

  • We run an application called Academy and have been testing out using Sysmon64 to collect events etc.

    We are finding that when it is installed on the server we are getting file locks being caused which are not present when Sysmon has been uninstalled.

    I have configured Sysmon to exclude the forwarding of events created by those processes, but my understanding about the config file is that it is a way to filter in/out those events of interest and that Sysmon has already looked at and captured the data.

    Is it possible to exclude Sysmon from even monitoring a folder or process, just like you can with most anti-virus/anti-malware programs?

    Without that ability we will have to remove it from some of our servers.

    Regards

    Thursday, June 4, 2020 3:37 PM

All replies

  • Hi Steve

    your hypothesis about Sysmon capturing the data prior to filtering is, with one or two exceptions, correct. In most cases events are collected then filtered at a later stage in the pipeline.

    It may just be one feature that is causing the issue (FileStreamHash, FileCreate or FileDelete all filter filesystem events). Could you give me an example of what files/folders/volumes are locked and what events you are monitoring in your configuration file?

    Even better, if you have a procmon log that shows an example of the lock that you would be willing to share with us along with a copy of your config file, could you contact me offline at syssite@microsoft.com and I would be happy to take a look for you.

    MarkC(MSFT)

    Friday, June 5, 2020 8:13 AM
  • Thanks for the reply Mark.

    I have tried testing with the Sysmon64 service stopped and disabled, but still get the error. When I uninstall Sysmon the error goes away.

    This is an example message that we get from the Academy application's error.log file:-

    open() failed with operating system error 32 (The process cannot access the file because it is being used by another process.)
    MYCOMPUTERNAME    ::[TX\INGRES\1cf0    , 7408      ,  000000003772cc00, dm2f.c:1385           ]: Fri Jun 05 11:58:15 2020 E_DM9004_BAD_FILE_OPEN Disk file open error on database:iidbdb table:iiuser pathname:G:\Ingres10S\ingres\data\default\iidbdb filename:aaaaaacm.t00
    dilru.c:951  open() failed with operating system error 32 (The process cannot access the file because it is being used by another process.)
    MYCOMPUTERNAME    ::[TX\INGRES\1cf0    , 7408      ,  000000003772cc00, dm2f.c:1393           ]: Fri Jun 05 11:58:15 2020 E_DM923F_DM2F_OPEN_ERROR Error occurred opening a file for a table.
    MYCOMPUTERNAME    ::[TX\INGRES\1cf0    , 7408      ,  000000003772cc00, dm2f.c:735            ]: Fri Jun 05 11:58:15 2020 E_DM9336_DM2F_BUILD_ERROR Error building a File Control Block.
    MYCOMPUTERNAME    ::[TX\INGRES\1cf0    , 7408      ,  000000003772cc00, dm2t.c:14280          ]: Fri Jun 05 11:58:15 2020 E_DM9C5B_DM2T_OPEN_TABIO Error occurred opening a Table Control I/O Block.
    MYCOMPUTERNAME    ::[TX\INGRES\1cf0    , 7408      ,  000000003772cc00, dm2t.c:12112          ]: Fri Jun 05 11:58:15 2020 E_DM9C8B_DM2T_TBL_INFO An error occurred while attempting to build the Table Control Block for table (44,0) in database iidbdb.
    MYCOMPUTERNAME    ::[TX\INGRES\1cf0    , 7408      ,  000000003772cc00, dm2t.c:12113          ]: Fri Jun 05 11:58:15 2020 E_DM9C89_DM2T_BUILD_TCB An error occurred while building a Table Control Block for a table.
    MYCOMPUTERNAME    ::[TX\INGRES\1cf0    , 7408      ,  000000003772cc00, dm2t.c:4183           ]: Fri Jun 05 11:58:15 2020 E_DM9C8A_DM2T_FIX_TCB An error occurred while trying to locate and/or build the Table Control Block for a table.
    MYCOMPUTERNAME    ::[TX\INGRES\1cf0    , 7408      ,  000000003772cc00, dm2t.c:3006           ]: Fri Jun 05 11:58:15 2020 E_DM9276_TBL_OPEN Error occurred opening a table.
    MYCOMPUTERNAME    ::[TX\INGRES\1cf0    , 7408      ,  000000003772cc00, qeuq.c:1012           ]: Fri Jun 05 11:58:15 2020 E_DM008F_ERROR_OPENING_TABLE Error opening a table.
    MYCOMPUTERNAME    ::[TX\INGRES\1cf0    , 7408      ,  000000003772cc00, qeuq.c:1012           ]: Fri Jun 05 11:58:15 2020 E_QE0081_ERROR_OPENING_TABLE Error opening a table.
    MYCOMPUTERNAME    ::[TX\INGRES\1cf0    , 7408      ,  000000003772cc00, scsinit.c:6542        ]: Fri Jun 05 11:58:15 2020 E_US000A iiuser table does not exist.
    MYCOMPUTERNAME    ::[TX\INGRES\1cf0    , 7408      ,  000000003772cc00, qeuq.c:1012           ]: Fri Jun 05 11:58:15 2020 E_QE0081_ERROR_OPENING_TABLE Error opening a table.
    MYCOMPUTERNAME    ::[TX\INGRES\1cf0    , 7408      ,  000000003772cc00, qeuq.c:1012           ]: Fri Jun 05 11:58:15 2020 E_US000A iiuser table does not exist.
    MYCOMPUTERNAME    ::[TX\INGRES\1cf0    , 7408      ,  000000003772cc00, scsinit.c:4398        ]: Fri Jun 05 11:58:15 2020 E_SC0123_SESSION_INITIATE Error initiating session.

    We are trying to implement the NCSC Logging Made Easy system for monitoring which uses Sysmon on the client side. The installation instructions are here https://github.com/ukncsc/lme.

    It uses the Sysmon config from SwiftOnSecurity found here https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml 

    I will test removing the FileStreamHash and FileCreate sections and see if that makes a difference.

    The only changes to the .XML file I have made have been to try and exclude the folders and processes used by the Academy application.

    I've also just seen another post https://social.technet.microsoft.com/Forums/en-US/db9382bb-6112-4a32-80be-f000bbb88acb/sysmon-on-windows-server-causing-delays-to-open-office-files?forum=miscutils that is similar, so may also try Sysmon v10.42 as well.

    Regards

    Steve


    Friday, June 5, 2020 12:24 PM
  • I have tested today with removing both the FileStreamHash and FileCreate sections from the .XML file, and can confirm that the issue does not happen.

    I then added back the FileStreamHash section and tested and that did not cause the issue.

    Adding the FileCreate section back and the issue comes back.

    The section is as follows:- 

    <!--SYSMON EVENT ID 11 : FILE CREATED [FileCreate]-->
    <!--EVENT 11: "File created"-->
    <!--NOTE: Other filesystem "minifilters" can make it appear to Sysmon that some files are being written twice. This is not a Sysmon issue, per Mark Russinovich.-->
    <!--NOTE: You may not see files detected by antivirus. Other filesystem minifilters, like antivirus, can act before Sysmon receives the alert a file was written.-->

    <!--DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime-->
    <RuleGroup name="" groupRelation="or">
    <FileCreate onmatch="include">
    <TargetFilename name="T1023" condition="contains">\Start Menu</TargetFilename> <!--Windows: Startup links and shortcut modification [ https://attack.mitre.org/wiki/Technique/T1023 ] -->
    <TargetFilename name="T1165" condition="contains">\Startup\</TargetFilename> <!--Microsoft:Changes to user's auto-launched files and shortcuts-->
    <TargetFilename name="OutlookAttachment" condition="contains">\Content.Outlook\</TargetFilename> <!--Microsoft:Outlook: attachments-->
    <TargetFilename name="Downloads" condition="contains">\Downloads\</TargetFilename> <!--Downloaded files. Does not include "Run" files in IE-->
    <TargetFilename condition="end with">.application</TargetFilename> <!--Microsoft:ClickOnce: [ https://blog.netspi.com/all-you-need-is-one-a-clickonce-love-story/ ] -->
    <TargetFilename condition="end with">.appref-ms</TargetFilename> <!--Microsoft:ClickOnce application | Credit @ion-storm -->
    <TargetFilename condition="end with">.bat</TargetFilename> <!--Batch scripting-->
    <TargetFilename condition="end with">.chm</TargetFilename>
    <TargetFilename condition="end with">.cmd</TargetFilename> <!--Batch scripting: Batch scripts can also use the .cmd extension | Credit: @mmazanec -->
    <TargetFilename condition="end with">.cmdline</TargetFilename> <!--Microsoft:dotNet: Executed by cvtres.exe-->
    <TargetFilename name="T1176" condition="end with">.crx</TargetFilename> <!--Chrome extension-->
    <TargetFilename condition="end with">.dmp</TargetFilename> <!--Process dumps [ (fr) http://blog.gentilkiwi.com/securite/mimikatz/minidump ] -->
    <TargetFilename condition="end with">.docm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
    <TargetFilename name="DLL" condition="end with">.dll</TargetFilename> <!--Dynamic-link library-->
    <TargetFilename name="EXE" condition="end with">.exe</TargetFilename> <!--Executable-->
    <TargetFilename name="ProcessHostingdotNETCode" condition="end with">.exe.log</TargetFilename> <!-- [ https://github.com/bitsadmin/nopowershell ] | Credit: @SBousseaden [ https://twitter.com/SBousseaden/status/1137493597769687040 ]  -->
    <TargetFilename condition="end with">.jar</TargetFilename> <!--Java applets-->
    <TargetFilename condition="end with">.jnlp</TargetFilename> <!--Java applets-->
    <TargetFilename condition="end with">.jse</TargetFilename> <!--Scripting [ Example: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Mal~Phires-C/detailed-analysis.aspx ] -->
    <TargetFilename condition="end with">.hta</TargetFilename> <!--Scripting-->
    <TargetFilename condition="end with">.job</TargetFilename> <!--Scheduled task-->
    <TargetFilename condition="end with">.pptm</TargetFilename> <!--Microsoft:Office:PowerPoint: Macro-->
    <TargetFilename condition="end with">.ps1</TargetFilename> <!--PowerShell [ More information: http://www.hexacorn.com/blog/2014/08/27/beyond-good-ol-run-key-part-16/ ] -->
    <TargetFilename condition="end with">.sys</TargetFilename> <!--System driver files-->
    <TargetFilename condition="end with">.scr</TargetFilename> <!--Screensaver executables-->
    <TargetFilename condition="end with">.vbe</TargetFilename> <!--VisualBasicScripting-->
    <TargetFilename condition="end with">.vbs</TargetFilename> <!--VisualBasicScripting-->
    <TargetFilename condition="end with">.xlsm</TargetFilename> <!--Microsoft:Office:Excel: Macro-->
    <TargetFilename condition="end with">proj</TargetFilename><!--Microsoft:MSBuild:Script: More information: https://twitter.com/subTee/status/885919612969394177-->
    <TargetFilename condition="end with">.sln</TargetFilename><!--Microsoft:MSBuild:Script: More information: https://twitter.com/subTee/status/885919612969394177-->
    <TargetFilename name="DefaultUserModified" condition="begin with">C:\Users\Default</TargetFilename> <!--Windows: Changes to default user profile-->
    <TargetFilename condition="begin with">C:\Windows\system32\Drivers</TargetFilename> <!--Microsoft: Drivers dropped here-->
    <TargetFilename condition="begin with">C:\Windows\SysWOW64\Drivers</TargetFilename> <!--Microsoft: Drivers dropped here-->
    <TargetFilename name="T1037,T1484" condition="begin with">C:\Windows\system32\GroupPolicy\Machine\Scripts</TargetFilename> <!--Group policy [ More information: http://www.hexacorn.com/blog/2017/01/07/beyond-good-ol-run-key-part-52/ ] -->
    <TargetFilename name="T1037,T1484" condition="begin with">C:\Windows\system32\GroupPolicy\User\Scripts</TargetFilename> <!--Group policy [ More information: http://www.hexacorn.com/blog/2017/01/07/beyond-good-ol-run-key-part-52/ ] -->
    <TargetFilename condition="begin with">C:\Windows\system32\Wbem</TargetFilename> <!--Microsoft:WMI: [ More information: http://2014.hackitoergosum.org/slides/day1_WMI_Shell_Andrei_Dumitrescu.pdf ] -->
    <TargetFilename condition="begin with">C:\Windows\SysWOW64\Wbem</TargetFilename> <!--Microsoft:WMI: [ More information: http://2014.hackitoergosum.org/slides/day1_WMI_Shell_Andrei_Dumitrescu.pdf ] -->
    <TargetFilename condition="begin with">C:\Windows\system32\WindowsPowerShell</TargetFilename> <!--Microsoft:Powershell: Look for modifications for persistence [ https://www.malwarearchaeology.com/cheat-sheets ] -->
    <TargetFilename condition="begin with">C:\Windows\SysWOW64\WindowsPowerShell</TargetFilename> <!--Microsoft:Powershell: Look for modifications for persistence [ https://www.malwarearchaeology.com/cheat-sheets ] -->
    <TargetFilename name="T1053" condition="begin with">C:\Windows\Tasks\</TargetFilename> <!--Microsoft:ScheduledTasks [ https://attack.mitre.org/wiki/Technique/T1053 ] -->
    <TargetFilename name="T1053" condition="begin with">C:\Windows\system32\Tasks</TargetFilename> <!--Microsoft:ScheduledTasks [ https://attack.mitre.org/wiki/Technique/T1053 ] -->
    <TargetFilename name="T1053" condition="begin with">C:\Windows\SysWOW64\Tasks</TargetFilename> <!--Microsoft:ScheduledTasks [ https://attack.mitre.org/wiki/Technique/T1053 ] -->
    <Image condition="begin with">\Device\HarddiskVolumeShadowCopy</Image> <!--Nothing should be executing from VSC | Credit: @SBousseaden [ https://twitter.com/SBousseaden/status/1133030955407630336 ] -->
    <!--Windows application compatibility-->
    <TargetFilename condition="begin with">C:\Windows\AppPatch\Custom</TargetFilename> <!--Windows: Application compatibility shims [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
    <TargetFilename condition="contains">VirtualStore</TargetFilename> <!--Windows: UAC virtualization [ https://blogs.msdn.microsoft.com/oldnewthing/20150902-00/?p=91681 ] -->
    <!--Exploitable file names-->
    <TargetFilename condition="end with">.xls</TargetFilename> <!--Legacy Office files are often used for attacks-->
    <TargetFilename condition="end with">.ppt</TargetFilename> <!--Legacy Office files are often used for attacks-->
    <TargetFilename condition="end with">.rtf</TargetFilename> <!--RTF files often 0day malware vectors when opened by Office-->
    </FileCreate>
    </RuleGroup>

    <RuleGroup name="" groupRelation="or">
    <FileCreate onmatch="exclude">
    <!--SECTION: Academy-->

    <!--SECTION: Microsoft-->
    <Image condition="is">C:\Program Files (x86)\EMET 5.5\EMET_Service.exe</Image> <!--Microsoft:EMET: Writes to C:\Windows\AppPatch\-->
    <!--SECTION: Microsoft:Office:Click2Run-->
    <Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</Image> <!-- Microsoft:Office Click2Run-->
    <!--SECTION: Windows-->
    <Image condition="is">C:\Windows\system32\smss.exe</Image> <!-- Windows: Session Manager SubSystem: Creates swapfile.sys,pagefile.sys,hiberfile.sys-->
    <Image condition="is">C:\Windows\system32\CompatTelRunner.exe</Image> <!-- Windows: Windows 10 app, creates tons of cache files-->
    <Image condition="is">\\?\C:\Windows\system32\wbem\WMIADAP.EXE</Image> <!-- Windows: WMI Performance updates-->
    <Image condition="is">C:\Windows\system32\mobsync.exe</Image> <!--Windows: Network file syncing-->
    <TargetFilename condition="begin with">C:\Windows\system32\DriverStore\Temp\</TargetFilename> <!-- Windows: Temp files by DrvInst.exe-->
    <TargetFilename condition="begin with">C:\Windows\system32\wbem\Performance\</TargetFilename> <!-- Windows: Created in wbem by WMIADAP.exe-->
    <TargetFilename condition="begin with">C:\Windows\Installer\</TargetFilename> <!--Windows:Installer: Ignore MSI installer files caching-->
    <!--SECTION: Windows:Updates-->
    <TargetFilename condition="begin with">C:\$WINDOWS.~BT\Sources\</TargetFilename> <!-- Windows: Feature updates containing lots of .exe and .sys-->
    <Image condition="begin with">C:\Windows\winsxs\amd64_microsoft-windows</Image> <!-- Windows: Windows update-->
    </FileCreate>
    </RuleGroup>

    Will now do some testing with version 10.42

    Regards

    Steve

    Friday, June 5, 2020 1:27 PM
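Added example (my own code, not from the thread, Sysmon or the SwiftOnSecurity config): a small Python evaluator for the include/exclude filter semantics discussed above, run over a constructed excerpt shaped like the FileCreate rules quoted in the post and the Ingres file named in error.log. The process image name is a placeholder, and the exclude-wins / every-group-is-"or" semantics are my assumption. It shows that the filter only decides whether Event ID 11 is written, which is why excluding the Academy paths cannot stop the driver from touching the file.

```python
import xml.etree.ElementTree as ET
# Constructed excerpt shaped like the FileCreate (Event ID 11) rules quoted above; not the full config.
SAMPLE_CONFIG = r"""<Sysmon schemaversion="4.22">
<EventFiltering>
<RuleGroup name="" groupRelation="or">
<FileCreate onmatch="include">
<TargetFilename condition="end with">.exe</TargetFilename>
<TargetFilename condition="contains">\Downloads\</TargetFilename>
<TargetFilename condition="begin with">C:\Windows\system32\Drivers</TargetFilename>
</FileCreate>
</RuleGroup>
<RuleGroup name="" groupRelation="or">
<FileCreate onmatch="exclude">
<TargetFilename condition="begin with">C:\Windows\Installer\</TargetFilename>
<Image condition="is">C:\Windows\system32\smss.exe</Image>
</FileCreate>
</RuleGroup>
</EventFiltering>
</Sysmon>"""

# The four string conditions used in the quoted config; Sysmon compares case-insensitively.
CONDITIONS = {
    "is": lambda value, pattern: value == pattern,
    "contains": lambda value, pattern: pattern in value,
    "begin with": lambda value, pattern: value.startswith(pattern),
    "end with": lambda value, pattern: value.endswith(pattern),
}

def rule_matches(rule, event):
    value = str(event.get(rule.tag, "")).lower()
    pattern = (rule.text or "").lower()
    return CONDITIONS[rule.get("condition", "is")](value, pattern)

def would_emit(config_xml, event_type, event):
    # Assumed Sysmon semantics: a matching exclude rule always drops the event; otherwise,
    # when include rules exist one of them must match. Every group is treated as "or".
    include_rules, exclude_rules = [], []
    for section in ET.fromstring(config_xml).iter(event_type):
        bucket = include_rules if section.get("onmatch") == "include" else exclude_rules
        bucket.extend(list(section))
    if any(rule_matches(r, event) for r in exclude_rules):
        return False
    if include_rules:
        return any(rule_matches(r, event) for r in include_rules)
    return True

# The Ingres data file named in error.log. No include rule matches, so no Event 11 is
# written, but that only decides logging: the driver had already opened the file.
INGRES_EVENT = {"Image": r"G:\Ingres10S\ingres\bin\PLACEHOLDER-ACADEMY-PROCESS.exe",  # hypothetical image
                "TargetFilename": r"G:\Ingres10S\ingres\data\default\iidbdb\aaaaaacm.t00"}
```

An event type with no rules at all (FileDelete in this excerpt) is emitted unfiltered, and an exclude on Image drops the event even when an include on TargetFilename would have matched.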
  • I've tested with v10.42 and it works fine with that version, however I've decided to keep with v11.0 for now and strip out the FileCreate config for now until a fix is found.

    Regards

    Steve

    Friday, June 5, 2020 4:31 PM
  • Hi Steve

    we resolved an issue for Sysmon 11.10 where Sysmon was extraneously opening a file when FileDelete, FileCreate or FileCreateStreamHash are enabled and which may resolve your issue.

    We are intending to publish Sysmon 11.10 imminently, but if you would like to trial this ahead of the official publication please contact me at syssite@microsoft.com and I can make it available to you.

    MarkC(MSFT)

    Friday, June 19, 2020 9:48 AM