Sysmon v7.01 Application Crashes

  • Question

  • Recently started upgrading sysmon from v3 to v7 across the environment and began seeing Application Crash errors that indicate that sysmon.exe died. Confirmed by checking directly on the system. This is happening on about 1% of hosts and usually after working without any issues for anywhere from several hours to days or weeks. Faulting module is almost always ntdll.dll and I am seeing this across Win7/Win10/Server2012. There are obviously many differences between v3 and v7 and I took the opportunity to create a very detailed config for this new deployment, so I am unsure how to identify the cause of the crashes. Any suggestions?

    Edit: Forgot to add that the Exception Code is either 0xC0000005 (STATUS_ACCESS_VIOLATION) or 0xC0000374 (STATUS_HEAP_CORRUPTION). Seen a few 0xc000070a but to a lesser degree...
    Tuesday, April 24, 2018 11:14 AM
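One way to triage the crashes described in the post across a fleet, as an added example that is not code from the original thread or from Sysinternals: the script below pulls the Windows "Application Error" crash records (Application log, Event ID 1000) for Sysmon.exe from a list of hosts, maps the two exception codes named in the post to their NTSTATUS names, and groups the results by faulting module, exception code and fault offset so that the recurring signature (and the fraction of affected hosts) can be seen in one table. It assumes Windows PowerShell 5.1 with remote event-log access (RPC/WinRM) to the hosts, that the service is named Sysmon or Sysmon64, and that the Event 1000 property positions follow the standard message layout; the host list and output path are placeholders.

```powershell
# Added triage example (not from the original thread). Collects Event ID 1000
# "Application Error" records for Sysmon.exe and summarises the crash signature.
# Assumptions: Windows PowerShell 5.1, remote event-log access, default service
# names (Sysmon/Sysmon64), standard Event 1000 property layout.

param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),   # placeholder host list
    [int]$Days = 30,
    [string]$OutCsv = '.\sysmon-crashes.csv'           # placeholder output path
)

# NTSTATUS names for the codes named in the thread; other codes are reported raw.
$knownCodes = @{
    '0xc0000005' = 'STATUS_ACCESS_VIOLATION'
    '0xc0000374' = 'STATUS_HEAP_CORRUPTION'
}

$filter = @{
    LogName      = 'Application'
    ProviderName = 'Application Error'
    Id           = 1000
    StartTime    = (Get-Date).AddDays(-$Days)
}

$records = foreach ($computer in $ComputerName) {
    try {
        $events = Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when nothing matches; treat that as "no crashes" and warn on anything else.
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "${computer}: $($_.Exception.Message)"
        }
        continue
    }
    foreach ($e in $events) {
        $p = $e.Properties
        # Event 1000 property layout (assumed; matches the standard message text):
        # [0] app name  [1] app version  [3] module name  [4] module version
        # [6] exception code  [7] fault offset  [10] app path
        if ($p.Count -lt 8) { continue }
        if ([string]$p[0].Value -notmatch '^sysmon(64)?\.exe$') { continue }
        $code = ([string]$p[6].Value).ToLower()
        [pscustomobject]@{
            Host          = $computer
            Time          = $e.TimeCreated
            App           = $p[0].Value
            AppVersion    = $p[1].Value
            Module        = $p[3].Value
            ModuleVersion = $p[4].Value
            ExceptionCode = $code
            ExceptionName = $(if ($knownCodes.ContainsKey($code)) { $knownCodes[$code] } else { 'unmapped' })
            FaultOffset   = $p[7].Value
        }
    }
}

if (-not $records) { 'No Sysmon.exe crash records found.'; return }

# Keep the raw records for later comparison (e.g. after a version or config change).
$records | Export-Csv -NoTypeInformation -Path $OutCsv

'Crash signatures (faulting module, exception code, fault offset):'
$records | Group-Object Module, ExceptionCode, FaultOffset |
    Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

$affected = @($records | Select-Object -ExpandProperty Host -Unique)
$pct = [math]::Round(100 * $affected.Count / $ComputerName.Count, 1)
"Affected hosts: $($affected.Count) of $($ComputerName.Count) ($pct%)"

# A crashed sysmon.exe means a gap in telemetry; confirm the service is back up on each affected host.
foreach ($computer in $affected) {
    $svc = Get-Service -ComputerName $computer -Name 'Sysmon*' -ErrorAction SilentlyContinue
    $state = if ($svc) { ($svc | ForEach-Object { "$($_.Name)=$($_.Status)" }) -join ', ' } else { 'service not found' }
    "{0,-20} {1}" -f $computer, $state
}
```

Run it from a management host with a list of Sysmon-enabled machines; the grouped table separates a single recurring module/offset pair (which points at one code path and is worth reporting to the tool's maintainers together with the Sysmon version and the config in use) from scattered, unrelated faults. The CSV keeps the per-host records so the same query can be re-run after a config or version change and the two result sets compared.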