cdm and processes probe fail to run on new Windows robot install unable to open process

Article ID: 128581

Products

  • DX Unified Infrastructure Management (Nimsoft / UIM)
  • CA Unified Infrastructure Management On-Premise (Nimsoft / UIM)
  • CA Unified Infrastructure Management SaaS (Nimsoft / UIM)

Issue/Introduction

We have recently performed an automated deployment of a Windows robot to a Windows 2016 server. We also deployed standard Windows monitoring probes -- cdm, processes, ntservices, and ntevl. The cdm and processes probes are failing to run, throwing this alert:

Max. restarts reached for probe 'cdm' (command = cdm.exe)

When we open the UIM probe configuration, the graphs that are normally visible for CPU/memory show no data. We have tried deleting the probes and redistributing them (tried different, older versions) and we get the same results.

Environment

  • UIM 8.5.1
  • cdm v6.34
  • processes v4.63
  • Windows 2016

Cause

  • Carbon Black, which provides antivirus (NGAV) and endpoint detection and response (EDR) capabilities, was filtering/scanning/blocking Nimsoft programs.

Resolution

- The cdm and processes probes would not remain up and running.

- ntevl and ntservices run without issue.

- cdm 6.34 and processes 4.63 on Windows 2016 obtain a port, but the PID keeps changing because of restarts until the maximum restart count is reached. Both probes are supported on Windows 2016.

- OS: Windows 2016 64-bit SP0 Build 14393

- Robot 7.91 or higher supports Windows 2016.

- The customer is running hub and robot v7.93.

- The processes probe shows "Unable to read instance from file":

Mar 4 14:44:55:026 processes: Unable to open process 624 
Mar 4 14:44:55:026 processes: Finding information about process no 8 pid=640... 
Mar 4 14:45:10:760 processes: Unable to read Instance from file

- The controller shows: Controller: text_file_get: Unable to open probes/system/cdm/cdm.data for read

- The customer did not have RDP access to the robot at the time, so we examined the Application event log through the ntevl probe's Status tab window.

- We noticed this message:

Information: The application "C:\Program Files\Nimsoft\probes\system\cdm\cdm.exe" attempted to read the memory of "C:\Windows\System32\lsass.exe" (potentially scraping memory) by calling the function "NtReadVirtualMemory".The operation was blocked...

***The Source/Publisher for the event was CbDefense which is Carbon Black (antivirus (NGAV) and endpoint detection and response (EDR) capabilities)*** 

Customer will discuss this with their internal security team and request a full exclusion for all Nimsoft programs.
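
To give the security team a concrete scope for that request, the blocked operations can be extracted from the event text. This is an added example, not part of the original article or of any Broadcom or Carbon Black tooling; it assumes the CbDefense messages have been copied out as plain text, that they follow the layout of the one event quoted above, and that the robot is installed under C:\Program Files\Nimsoft. The second and third sample messages are constructed.

```python
import ntpath
import re
from collections import defaultdict

# Message layout taken from the CbDefense event quoted on this page.
EVENT_RE = re.compile(
    r'The application "(?P<actor>[^"]+)" attempted to (?P<action>[^"]+?) of '
    r'"(?P<target>[^"]+)".*?calling the function "(?P<api>[^"]+)"\.\s*'
    r'The operation was (?P<outcome>\w+)'
)

def blocked_probe_events(messages, nimsoft_root=r"C:\Program Files\Nimsoft"):
    """Return parsed 'blocked' events whose acting executable is under nimsoft_root."""
    # nimsoft_root default is an assumption based on the path in the quoted event.
    root = ntpath.normcase(nimsoft_root).rstrip("\\") + "\\"
    hits = []
    for msg in messages:
        m = EVENT_RE.search(msg)
        if not m or m["outcome"].lower() != "blocked":
            continue
        # Windows paths are case-insensitive, so compare normalised forms.
        if ntpath.normcase(m["actor"]).startswith(root):
            hits.append(m.groupdict())
    return hits

def summarize(events):
    """Group by probe executable: {exe: sorted [(target exe, API), ...]}."""
    grouped = defaultdict(set)
    for e in events:
        exe = ntpath.basename(e["actor"]).lower()
        grouped[exe].add((ntpath.basename(e["target"]).lower(), e["api"]))
    return {exe: sorted(pairs) for exe, pairs in grouped.items()}

# Sample input: message 1 is the event quoted on this page; messages 2 and 3
# are constructed (a second probe with a lower-case path, and an unrelated program).
SAMPLE = [
    r'Information: The application "C:\Program Files\Nimsoft\probes\system\cdm\cdm.exe" attempted to read the memory of "C:\Windows\System32\lsass.exe" (potentially scraping memory) by calling the function "NtReadVirtualMemory".The operation was blocked...',
    r'Information: The application "c:\program files\nimsoft\probes\system\processes\processes.exe" attempted to read the memory of "C:\Windows\System32\lsass.exe" (potentially scraping memory) by calling the function "NtReadVirtualMemory".The operation was blocked...',
    r'Information: The application "C:\Tools\inventory.exe" attempted to read the memory of "C:\Windows\System32\lsass.exe" (potentially scraping memory) by calling the function "NtReadVirtualMemory".The operation was blocked...',
]

if __name__ == "__main__":
    for exe, blocked in summarize(blocked_probe_events(SAMPLE)).items():
        for target, api in blocked:
            print(f"{exe}: blocked {api} on {target}")
```

The per-probe summary lists which executable, target process and API call were blocked, which is the detail the security team needs when deciding how to scope the exclusion.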