Sysmon on Windows Server causing delays to open Office files

  • Question

  • Hi,

    We are having a strange issue with Sysmon. For our SIEM project we loaded Sysmon v11 on a bunch of our Windows 2012r2/2016 servers with the config file provided by the SIEM platform. Immediately it introduced a ~45 second delay whenever you open Office files (e.g. Excel’s xlsx) from a workstation (win10) on all file servers. No matter what workstation, physical or virtual server, win2012 or win2016, Office 365 or Office 2010. It’s persistent even on a freshly installed Server 2016 with no additional software installed, so it’s definitely not the effect of other software. This happens only when you open a file with an Office application from a network file share; copying the file or opening it with another app is fine. Example – open a file with Excel from a mapped drive, Excel starts and the logo shows – Downloading: … (0%) for 45 sec.

    With the default Sysmon config this problem does not exist. Playing with the provided config file we’ve narrowed it down to these 2 sections: FileCreate and FileCreateStreamHash. If we remove these events from the config file the problem goes away. Include/exclude don’t matter. Tried a few other config files like the GitHub /SwiftOnSecurity project, same deal.

    Any suggestions would be quite appreciated. Thanks!

    Friday, May 22, 2020 9:00 PM
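
The narrowing-down described in the question can be done mechanically. The following is an added example, not part of the original post: it takes a Sysmon configuration and produces one variant per event section with that section removed, so each variant can be loaded in turn to see which section triggers the delay. The sample configuration is constructed and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample config (not the SIEM vendor's file): three event sections,
# each wrapped in a RuleGroup as in the SwiftOnSecurity-style layout.
SAMPLE_CONFIG = """<Sysmon schemaversion="4.30">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude"/>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <FileCreate onmatch="include">
        <TargetFilename condition="end with">.exe</TargetFilename>
      </FileCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <FileCreateStreamHash onmatch="include">
        <TargetFilename condition="end with">.hta</TargetFilename>
      </FileCreateStreamHash>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""

def event_sections(xml_text):
    """List the event-type element names under EventFiltering, in file order."""
    names = []
    for child in ET.fromstring(xml_text).find("EventFiltering"):
        # Sections may sit directly under EventFiltering or inside a RuleGroup.
        for node in (list(child) if child.tag == "RuleGroup" else [child]):
            if node.tag not in names:
                names.append(node.tag)
    return names

def without_section(xml_text, section):
    """Return the config with every <section> element removed (exact tag match)."""
    root = ET.fromstring(xml_text)
    filtering = root.find("EventFiltering")
    for child in list(filtering):
        if child.tag == section:
            filtering.remove(child)
        elif child.tag == "RuleGroup":
            for rule in [r for r in child if r.tag == section]:
                child.remove(rule)
            if len(child) == 0:          # drop RuleGroups left empty
                filtering.remove(child)
    return ET.tostring(root, encoding="unicode")

def bisect_variants(xml_text):
    """Map each section name to a config variant that omits only that section."""
    return {name: without_section(xml_text, name) for name in event_sections(xml_text)}

if __name__ == "__main__":
    for name, variant in bisect_variants(SAMPLE_CONFIG).items():
        print(f"variant without {name}: keeps {event_sections(variant)}")
```

Each variant drops collection for one event type, so record which variant is deployed on which server while testing and restore the full configuration afterwards.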