Sysmon 10.0.4.1 and Zoom.exe has a 20% increase in CPU when sharing your screen... why?

  • Question

  • Hello,

    Currently I am using Sysmon to monitor security events and have a custom configuration file.

    The install command is: Sysmon64_10.0.4.1.exe -accepteula -n -i myconfig.xml

    When I run Zoom, the CPU spikes an additional 20% when I am sharing the screen. This occurs within minutes and is always reproducible.

    Zoom creates two processes when sharing the screen: cpthost.exe and zoom.exe.

    Is there an error in my exclusion? Is there a way to not have this 20% increase?

    I have run in debug mode and excluded all the processes and network connections that I think could affect this.

    Is there a way to have Sysmon ignore Zoom? This is causing a performance issue which I do not think has to be.

    Thank you for your help; my configuration snippet is below.

    <RuleGroup name="" groupRelation="or">
    <ProcessCreate onmatch="exclude">
    <!--SECTION: Microsoft Windows-->
    <Image condition="end with">\CptHost.exe</Image> 

                            <Image>C:\Program Files (x86)\Zoom\bin\Zoom.exe</Image>

    </ProcessCreate>
    </RuleGroup>

    <RuleGroup name="" groupRelation="or">
    <NetworkConnect onmatch="exclude">

                    <Image name="UsermodeZoom" condition="end with">\zoom.exe</Image> 

                    <Image name="UsermodeZoom" condition="end with">\cpthost.exe</Image>

            

    </NetworkConnect>
    </RuleGroup>

    <RuleGroup name="" groupRelation="or">
    <CreateRemoteThread onmatch="exclude">

                    <SourceImage condition="is">\zoom.exe</SourceImage>  

                     <SourceImage condition="is">\cpthost.exe</SourceImage>

    </CreateRemoteThread>
    </RuleGroup>

    Wednesday, December 4, 2019 6:03 PM

All replies

  • I would try this way:

    <RuleGroup name="" groupRelation="or">
    <ProcessCreate onmatch="exclude">
    <!--SECTION: Microsoft Windows-->
    <Image condition="is">C:\Program Files (x86)\Zoom\bin\Zoom.exe</Image>
    </ProcessCreate>
    </RuleGroup>

    <RuleGroup name="" groupRelation="or">
    <NetworkConnect onmatch="exclude">
    <Image name="UsermodeZoom" condition="image">zoom.exe</Image> 
    <Image name="UsermodeZoom" condition="image">cpthost.exe</Image>
    </NetworkConnect>
    </RuleGroup>

    <RuleGroup name="" groupRelation="or">
    <CreateRemoteThread onmatch="exclude">
    <SourceImage condition="is">C:\Program Files (x86)\Zoom\bin\zoom.exe</SourceImage>  
            <SourceImage condition="is"><path>\cpthost.exe</SourceImage>
    </CreateRemoteThread>
    </RuleGroup>

    Please fill in the path to CPTHOST above, as I don't know what executable that is.

    Thanks
    -mario

    Thursday, December 5, 2019 3:54 PM
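To check which of the posted exclusions actually fire on the image paths Zoom reports, here is a small matcher added to this thread (it is not code from the thread, from Sysmon or from Microsoft) that parses CreateRemoteThread rule fragments and applies Sysmon's documented `is`, `end with` and `image` conditions. The rule set and sample paths are constructed from the posts above; the case-insensitive comparison mirrors Sysmon's matching, but this is a model of the rule semantics, not Sysmon's own filter code.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the CreateRemoteThread exclusions from this thread, the
# original bare "is" form next to the corrected full-path and "end with" forms.
RULES_XML = r"""<EventFiltering>
<RuleGroup name="" groupRelation="or">
<CreateRemoteThread onmatch="exclude">
  <SourceImage condition="is">\zoom.exe</SourceImage>
  <SourceImage condition="is">C:\Program Files (x86)\Zoom\bin\zoom.exe</SourceImage>
  <SourceImage condition="end with">\cpthost.exe</SourceImage>
</CreateRemoteThread>
</RuleGroup>
</EventFiltering>"""

def field_matches(cond, pattern, value):
    """Model of Sysmon's string conditions (case-insensitive comparison).
    'image' compares only the file name unless the pattern itself holds a path."""
    p, v = pattern.lower(), value.lower()
    if cond == "is":
        return v == p
    if cond == "end with":
        return v.endswith(p)
    if cond == "image":
        return v == p if "\\" in p else v.rsplit("\\", 1)[-1] == p
    raise ValueError(f"unsupported condition: {cond}")

def load_rules(xml_text):
    return ET.fromstring(xml_text)

def matching_rules(root, event_type, event):
    """(field, condition, pattern, onmatch) for each rule of event_type whose
    pattern matches the event's value for that field (e.g. SourceImage)."""
    hits = []
    for block in root.iter(event_type):
        onmatch = block.get("onmatch", "exclude")
        for rule in block:
            cond = rule.get("condition", "is")  # Sysmon's default condition
            value = event.get(rule.tag)
            if value is not None and field_matches(cond, rule.text.strip(), value):
                hits.append((rule.tag, cond, rule.text.strip(), onmatch))
    return hits

def is_excluded(root, event_type, event):
    """True when an onmatch="exclude" rule hits, i.e. Sysmon would not log it."""
    return any(h[3] == "exclude" for h in matching_rules(root, event_type, event))

if __name__ == "__main__":
    zoom = {"SourceImage": r"C:\Program Files (x86)\Zoom\bin\Zoom.exe"}
    print(matching_rules(load_rules(RULES_XML), "CreateRemoteThread", zoom))
```

Running it shows that the bare `\zoom.exe` with `condition="is"` never matches a full image path, while the full-path `is` rule and the `end with` rule do. Note that an exclusion only keeps matching events out of the log; the driver still intercepts and evaluates each operation, so a rule that matches reduces log volume rather than the interception itself.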
  • I am going to try this and will let you know the result.

    Thank you!

    Monday, December 9, 2019 9:22 PM
  • The changes did not help the CPU % with Zoom and Sysmon.

    They are excluded but still appear to be causing an issue.

    Tuesday, December 10, 2019 8:04 PM
  • Hello

    Could you send your full config file to me at syssite@microsoft.com and I will take a look for you.

    MarkC(MSFT)

    Thursday, December 12, 2019 11:31 AM