Re: [ossec-list] MS Windows Security can prohibit the OSSEC agent

2021-01-29 Thread dan (ddp)
On Fri, Jan 29, 2021 at 6:39 AM lapin noel  wrote:
>
> I'm afraid the same info is already here, but I couldn't find it in a short 
> browse, so I am posting here.
>
> When MS Windows Security/Defender(MSWS) validates heap integrity, the agent 
> crashes.
> And when MSWS does not validate, the agent runs without an error.
>
> The agent is run as admin.
>
> The MSWS settings are the following.
> In "App & browser control", in "Exploit protection settings", the "System 
> settings" are all set as "On by default".
> The "System settings" are: Control flow, Data Execution, Force 
> randomization, Randomize memory, High-entropy, Validate exception, Validate 
> heap.
> In "Program settings", one program is added to customize.
> The only customized program is C:/Program Files (x86)/ossec-agent/win32ui.exe.
> By "Edit", many settings can be selected by square checkboxes.
> Only one checkbox is selected: "Validate heap integrity".
> The default system settings are "On", per the "System settings" stated above.
>
> When the slide button is left-side "Off", win32ui.exe runs without an error.
> The normal agent window appears.
>
> When the slide button is right-side "On", win32ui.exe crashes.
> MS Diagnostic Data Viewer reports as follows.
> (---
> win32ui.exe
>
> Description
> Faulting Application Path: C:\Program Files (x86)\ossec-agent\win32ui.exe
> Creation Time: 1/29/2021 5:20:39 PM
> Problem: Stopped working
> Status: Report sent
>
> Problem signature
> Problem Event Name: APPCRASH
> Application Name: win32ui.exe
> Application Version: 0.0.0.0
> Application Timestamp: 5e6e6eec
> Fault Module Name: StackHash_cee3
> Fault Module Version: 10.0.19041.662
> Fault Module Timestamp: 5f641e44
> Exception Code: c374
> Exception Offset: PCH_A5_FROM_ntdll+0x00071BDC
>
> Extra information about the problem
> Bucket ID: e0bfa8051f9ebad1ac54b45abee71e8d (2041454832948551309)
> ---)
>
> Windows 10 Home, version 20H2, build 19042.746
> ossec-agent-win32-3.6.0-12032.exe 1,604,775 bytes
> win32ui.exe 171,709 bytes
>


Hi!
I've seen similar crashes, but don't have a reliable Windows machine
to try and debug them (and I don't know how to do that on Windows).
It's just been the GUI interface that didn't work for me though; the
agent itself ran if I configured it manually.
Dan

> --
>
> ---
> You received this message because you are subscribed to the Google Groups 
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to ossec-list+unsubscr...@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/ossec-list/482e6e57-5abb-40c8-aa04-acd695c7f30bn%40googlegroups.com.



[ossec-list] MS Windows Security can prohibit the OSSEC agent

2021-01-29 Thread lapin noel
I'm afraid the same info is already here, but I couldn't find it in a short 
browse, so I am posting here.

When MS Windows Security/Defender(MSWS) validates heap integrity, the agent 
crashes.
And when MSWS does not validate, the agent runs without an error.

The agent is run as admin.

The MSWS settings are the following.
In "App & browser control", in "Exploit protection settings", the "System 
settings" are all set as "On by default".
The "System settings" are: Control flow, Data Execution, Force 
randomization, Randomize memory, High-entropy, Validate exception, Validate 
heap.
In "Program settings", one program is added to customize.
The only customized program is C:/Program Files (x86)/ossec-agent/win32ui.exe.
By "Edit", many settings can be selected by square checkboxes.
Only one checkbox is selected: "Validate heap integrity".
The default system settings are "On", per the "System settings" stated above.

When the slide button is left-side "Off", win32ui.exe runs without an error.
The normal agent window appears.

When the slide button is right-side "On", win32ui.exe crashes.
MS Diagnostic Data Viewer reports as follows.
(---
win32ui.exe

Description
Faulting Application Path: C:\Program Files (x86)\ossec-agent\win32ui.exe
Creation Time: 1/29/2021 5:20:39 PM
Problem: Stopped working
Status: Report sent

Problem signature
Problem Event Name: APPCRASH
Application Name: win32ui.exe
Application Version: 0.0.0.0
Application Timestamp: 5e6e6eec
Fault Module Name: StackHash_cee3
Fault Module Version: 10.0.19041.662
Fault Module Timestamp: 5f641e44
Exception Code: c374
Exception Offset: PCH_A5_FROM_ntdll+0x00071BDC

Extra information about the problem
Bucket ID: e0bfa8051f9ebad1ac54b45abee71e8d (2041454832948551309)
---)

Windows 10 Home, version 20H2, build 19042.746
ossec-agent-win32-3.6.0-12032.exe 1,604,775 bytes
win32ui.exe 171,709 bytes

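Added example, not from this thread or from the OSSEC project: a PowerShell check of the same per-program Exploit Protection setting the post toggles, plus a search of the Application log for the crashes it produces. It assumes the ProcessMitigations module (Windows 10 1709 or later) in an elevated prompt; the image name win32ui.exe and the exception code come from the post.

```powershell
# Added example (not from the thread or from OSSEC): inspect the Exploit Protection
# setting the post toggles for win32ui.exe, and find the crashes it produces.
# Assumes the ProcessMitigations module (Windows 10 1709+) in an elevated PowerShell.
$Image = 'win32ui.exe'   # image name taken from the post

# In the Windows Security UI, "Validate heap integrity" is the Heap.TerminateOnError
# mitigation. A per-program value of NOTSET means the system default applies.
function Get-HeapValidationState {
    param([string]$Name)
    $app = Get-ProcessMitigation -Name $Name
    $sys = Get-ProcessMitigation -System
    $perApp = $app.Heap.TerminateOnError      # ON / OFF / NOTSET
    $system = $sys.Heap.TerminateOnError      # ON / OFF
    $effective = if ($perApp -eq 'NOTSET') { $system } else { $perApp }
    [pscustomobject]@{
        Image             = $Name
        PerProgramSetting = $perApp
        SystemDefault     = $system
        Effective         = $effective
    }
}

# Exception code c374 in the post's report matches STATUS_HEAP_CORRUPTION (0xC0000374),
# the status raised when heap validation detects corruption (assumed here to be the
# short form shown by Diagnostic Data Viewer). "Application Error" event 1000 records
# the same crashes in the Application log; this matches on the message text.
function Find-HeapCorruptionCrash {
    param([string]$Name, [int]$Days = 7)
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Application Error'
        Id           = 1000
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($Name) -and $_.Message -match 'c0000374' } |
        Select-Object TimeCreated, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

Get-HeapValidationState -Name $Image | Format-List
Find-HeapCorruptionCrash -Name $Image | Format-Table -AutoSize

# To confirm the mitigation is the trigger, set it explicitly for this one image and
# retest (the post did the same through the UI slider), then restore it:
#   Set-ProcessMitigation -Name $Image -Disable TerminateOnError
#   Set-ProcessMitigation -Name $Image -Enable  TerminateOnError
```

Because the per-program override is scoped to one image, the system-wide "On by default" setting for every other process stays in force while the agent GUI is being tested.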