Using Sysinternals Sysmon 8.0.0? Update to 8.0.4

[German] A quick tip for admins who use Sysmon from the Sysinternals system monitoring tools: there is a memory leak in version 8.0.0, which has been fixed in the updated version 8.0.4.


A quick look at Sysmon

Sysmon is part of the free Sysinternals tools from Microsoft and is very helpful for system analysis. According to its description, it provides the following functionality:

System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor system activity and log it to the Windows Event Log. 

Sysmon provides detailed information about network connections, process creation and file creation time changes. By collecting and analyzing the events generated by Sysmon using Windows Event Collection or SIEM agents, malicious or abnormal activities can be identified to understand how intruders and malware work on the network.

However, Sysmon cannot perform an analysis of the events it generates, nor can it protect itself from attackers or hide itself.

A memory leak in Sysmon 8.0.0/8.0.2

Bleeping Computer reported here about an issue in Sysmon 8.x. There is a memory leak in the Sysmon 8.0.0 utility (and probably in 8.0.2) that can cause a computer to run out of memory. The computer then crashes when it routinely updates its configuration file, whether via a scheduled task or otherwise. The bug has been discussed in this forum thread since summer 2018. It is only noticed when Sysmon runs for a very long time (30 days) in server environments.

User @iostorrm points out the memory leak in Sysmon 8.0.0 and possibly 8.0.2 in the tweet above. He recommends upgrading to Sysmon 8.0.4, and Mark Russinovich wrote on December 19, 2018 that the memory leak has been fixed in this release. The new version was released on 27.12.2018 and can be downloaded from the website linked below.
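A quick check an admin might run on long-running servers, as an added example that is not part of the original post: it reads the version of the installed Sysmon binary, compares it against 8.0.4, and reports how long the service process has been running together with its working set. It assumes the default service names Sysmon/Sysmon64; the 512 MB alert threshold is an assumed value, not a figure from the post.

```powershell
# Added example: report Sysmon version and memory footprint on this host.
# Assumes Sysmon was installed under its default service name (Sysmon or Sysmon64).
function Test-SysmonLeakRisk {
    param(
        [version]$FixedVersion = [version]'8.0.4',   # release that fixes the leak
        [int]$WorkingSetAlertMB = 512                 # assumed alert level, adjust to taste
    )

    # Sysmon registers a Win32 service whose PathName points at the EXE.
    $svc = Get-CimInstance Win32_Service |
        Where-Object { $_.Name -in @('Sysmon', 'Sysmon64') } |
        Select-Object -First 1
    if (-not $svc) {
        Write-Warning 'No Sysmon service found (custom service name?)'
        return $null
    }

    # Strip quotes and any trailing arguments to get the binary path.
    $exe = (($svc.PathName -replace '"', '') -replace '\s+-.*$', '').Trim()
    $ver = (Get-Item $exe).VersionInfo.FileVersionRaw

    # Working set and runtime of the service process; the leak only becomes
    # visible after weeks of continuous operation.
    $proc = Get-Process -Id $svc.ProcessId -ErrorAction SilentlyContinue
    $wsMB = if ($proc) { [math]::Round($proc.WorkingSet64 / 1MB, 1) } else { $null }
    $days = if ($proc) { [math]::Round(((Get-Date) - $proc.StartTime).TotalDays, 1) } else { $null }

    $needsUpdate = $ver -lt $FixedVersion
    [pscustomobject]@{
        Service        = $svc.Name
        Binary         = $exe
        Version        = $ver
        NeedsUpdate    = $needsUpdate
        RunningDays    = $days
        WorkingSetMB   = $wsMB
        MemoryWarning  = ($wsMB -ne $null -and $wsMB -ge $WorkingSetAlertMB)
    }
}

$result = Test-SysmonLeakRisk
$result | Format-List
if ($result.NeedsUpdate)   { Write-Warning "Sysmon $($result.Version) is older than 8.0.4: update" }
if ($result.MemoryWarning) { Write-Warning "Sysmon working set is $($result.WorkingSetMB) MB" }
```

Run in an elevated PowerShell session; the same function can be pushed to servers with Invoke-Command to find hosts still on 8.0.0/8.0.2.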


Download Sysinternals Tools

