We have recently performed an automated deployment of a Windows robot to a Windows 2016 server. We also deployed standard Windows monitoring probes: cdm, processes, ntservices, and ntevl. The cdm and processes probes are failing to run, throwing this alert: "Max. restarts reached for probe 'cdm' (command = cdm.exe)". When we open the UIM probe configuration, the graphs that are normally visible for CPU/memory show no data. We have tried deleting the probes and redistributing them (tried different, older versions) and we get the same results.
- Carbon Black [antivirus (NGAV) and endpoint detection and response (EDR) capabilities] - filtering/scanning/blocking of Nimsoft programs.
- UIM 8.5.1
- cdm v6.34
- processes v4.63
- The cdm and processes probes would not remain up and running.
- ntevl and ntservices run without issue.
- cdm 6.34 and processes 4.63 on Windows 2016 obtain a port, but their PIDs keep changing as the probes restart, until the maximum restart count is reached. Both probes are supported on Windows 2016.
- OS: Windows 2016 64-bit SP0 Build 14393
- Robot 7.91 or higher supports Windows 2016
- The customer is running hub and robot v7.93.
The processes probe log shows "Unable to read instance from file":
Mar 4 14:44:55:026 processes: Unable to open process 624
Mar 4 14:44:55:026 processes: Finding information about process no 8 pid=640...
Mar 4 14:45:10:760 processes: Unable to read Instance from file
- The controller shows: Controller: text_file_get: Unable to open probes/system/cdm/cdm.data for read
- The customer did not have access to the robot via RDP at the time, so we examined the ntevl Application log via the Status Tab window.
- We noticed this message:
Information: The application "C:\Program Files\Nimsoft\probes\system\cdm\cdm.exe" attempted to read the memory of "C:\Windows\System32\lsass.exe" (potentially scraping memory) by calling the function "NtReadVirtualMemory".The operation was blocked and the ap...
***The Source/Publisher for the event was CbDefense, which is Carbon Black [antivirus (NGAV) and endpoint detection and response (EDR) capabilities].***
Customer will confer with their internal security team and request a full exclusion for all Nimsoft programs.
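
The Application-log check described above can be scripted so the security team sees exactly which probe binaries were blocked, and on which call, before an exclusion is written. This is an added example, not part of the original article or of UIM or Carbon Black tooling; the function name `Get-BlockedProbeOperation` and the sample messages (including the `processes.exe` path and the non-probe entry) are constructed for illustration, modeled on the event text quoted above.

```powershell
# Pattern for the blocked-operation text quoted on this page: the blocked
# application, the process it tried to read, and the API call that was denied.
$BlockPattern = 'The application "(?<app>[^"]+)" attempted to read the memory of ' +
                '"(?<target>[^"]+)".*?calling the function "(?<api>[^"]+)"'

function Get-BlockedProbeOperation {
    param(
        [Parameter(ValueFromPipeline = $true)][string]$Message,
        # Probe install root as it appears in the event on this page.
        [string]$ProbeRoot = 'C:\Program Files\Nimsoft\probes'
    )
    process {
        $m = [regex]::Match($Message, $BlockPattern)
        if (-not $m.Success) { return }
        $app = $m.Groups['app'].Value
        # Keep only events where the blocked application is a UIM probe binary.
        if (-not $app.StartsWith($ProbeRoot, [System.StringComparison]::OrdinalIgnoreCase)) { return }
        [pscustomobject]@{
            Probe    = [System.IO.Path]::GetFileNameWithoutExtension($app)
            Target   = [System.IO.Path]::GetFileName($m.Groups['target'].Value)
            Function = $m.Groups['api'].Value
        }
    }
}

# Constructed sample messages (not real log data).
$sample = @(
    'The application "C:\Program Files\Nimsoft\probes\system\cdm\cdm.exe" attempted to read the memory of "C:\Windows\System32\lsass.exe" (potentially scraping memory) by calling the function "NtReadVirtualMemory".'
    'The application "C:\Program Files\Nimsoft\probes\system\processes\processes.exe" attempted to read the memory of "C:\Windows\System32\lsass.exe" (potentially scraping memory) by calling the function "NtReadVirtualMemory".'
    'The application "C:\Tools\example.exe" attempted to read the memory of "C:\Windows\System32\lsass.exe" (potentially scraping memory) by calling the function "NtReadVirtualMemory".'
    'The application "C:\Program Files\Nimsoft\probes\system\cdm\cdm.exe" attempted to read the memory of "C:\Windows\System32\lsass.exe" (potentially scraping memory) by calling the function "NtReadVirtualMemory".'
)

# One row per probe/target/function combination, with the number of blocks seen.
$sample | Get-BlockedProbeOperation |
    Group-Object Probe, Target, Function |
    Select-Object Count, Name

# On the robot itself, feed the function real events instead
# (provider name as reported on this page):
# Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'CbDefense' } -ErrorAction SilentlyContinue |
#     Select-Object -ExpandProperty Message | Get-BlockedProbeOperation
```

Events from applications outside the probe directory are dropped on purpose, so the summary lists only what a Nimsoft exclusion would actually cover.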