cdm and processes probe failing to run on new Windows robot installation

Article ID: 128581

Products

DX Infrastructure Management NIMSOFT PROBES

Issue/Introduction

We have recently performed an automated deployment of a Windows robot to a Windows 2016 server. We also deployed standard Windows monitoring probes -- cdm, processes, ntservices, and ntevl. The cdm and processes probes are failing to run, throwing this alert:

Max. restarts reached for probe 'cdm' (command = cdm.exe)

When we open the UIM probe configuration, the graphs that are normally visible for CPU/memory show no data. We have tried deleting the probes and redistributing them (tried different, older versions) and we get the same results.

Cause

- Carbon Black (antivirus (NGAV) and endpoint detection and response (EDR) product) filtering, scanning or blocking the Nimsoft probe programs.

Environment

- UIM 8.5.1
- cdm v6.34
- processes v4.63

Resolution

- cdm and processes probes would not remain up and running.

- ntevl and ntservices run without issue.

- cdm 6.34 and processes 4.63 on Windows 2016 obtain a port, but the PID changes with every restart until the controller reaches the maximum restart count. Both probes are supported on Windows 2016.

- OS: Windows 2016 64-bit SP0 Build 14393

- Robot 7.91 or higher supports Windows 2016.

- Customer is running hub and robot v7.93.

- processes probe log shows "Unable to read instance from file":

Mar 4 14:44:55:026 processes: Unable to open process 624
Mar 4 14:44:55:026 processes: Finding information about process no 8 pid=640...
Mar 4 14:45:10:760 processes: Unable to read Instance from file

- controller log shows: Controller: text_file_get: Unable to open probes/system/cdm/cdm.data for read

- Customer did not currently have access to the robot via RDP, so we examined the ntevl Application log via the Status Tab window.

- We noticed the message:

Information: The application "C:\Program Files\Nimsoft\probes\system\cdm\cdm.exe" attempted to read the memory of "C:\Windows\System32\lsass.exe" (potentially scraping memory) by calling the function "NtReadVirtualMemory".The operation was blocked and the ap...

***The Source/Publisher for the event was CbDefense, which is Carbon Black (antivirus (NGAV) and endpoint detection and response (EDR) capabilities)***

Customer will confer with their internal security team and request a full exclusion for all Nimsoft programs.
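The following PowerShell triage script is an added example, not part of the KB article or the Nimsoft product, for confirming the diagnosis above on the robot itself once RDP access is available: it pulls CbDefense (Carbon Black) events from the Application log and reports which Nimsoft probe executables they reference, the API named, and the target process. It assumes the default Nimsoft install path and that CbDefense writes to the Application log, as the ntevl Status Tab showed here.

```powershell
# Added example (not from the KB article): confirm whether Carbon Black
# (event source "CbDefense") is blocking Nimsoft probe binaries.
# Assumptions (not from the article): default Nimsoft probe root and that
# CbDefense events land in the Application log; adjust if your site differs.
param(
    [string]$ProbeRoot = 'C:\Program Files\Nimsoft\probes',
    [string[]]$Probes  = @('cdm', 'processes', 'ntservices', 'ntevl'),
    [int]$Hours        = 24
)

$since = (Get-Date).AddHours(-$Hours)

# Only CbDefense events from the Application log within the time window.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'CbDefense'
    StartTime    = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No CbDefense events in the Application log since $since."
    return
}

# Match any of the listed probe executables under the probe root, e.g.
# "C:\Program Files\Nimsoft\probes\system\cdm\cdm.exe" as in the article.
$pathPattern = [regex]::Escape($ProbeRoot) + '\\[^"]+\\(' + ($Probes -join '|') + ')\.exe'

$hits = foreach ($e in $events) {
    if ($e.Message -match $pathPattern) {
        $path  = $Matches[0]          # capture before later -match calls reset $Matches
        $probe = $Matches[1]
        $api    = if ($e.Message -match '"(Nt\w+)"')            { $Matches[1] } else { '' }
        $target = if ($e.Message -match 'memory of "([^"]+)"') { $Matches[1] } else { '' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Probe   = $probe
            Path    = $path
            Api     = $api            # article's event named NtReadVirtualMemory
            Target  = $target         # article's event named lsass.exe
            Blocked = [bool]($e.Message -match 'blocked')
        }
    }
}

if ($hits) {
    $hits | Sort-Object Time | Format-Table Time, Probe, Api, Target, Blocked -AutoSize
    # Distinct executables to list in the exclusion request to the security team.
    $hits | Select-Object -ExpandProperty Path -Unique | ForEach-Object { Write-Host "Exclusion candidate: $_" }
} else {
    Write-Host "CbDefense events present, but none reference Nimsoft probe executables."
}
```

If the script reports CbDefense events for cdm.exe and processes.exe but none for ntevl.exe and ntservices.exe, that matches the symptom pattern in this article and supports the exclusion request.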