CSA causing WMI issues?

Unanswered Question
May 30th, 2007

We are using Cisco Security Agent 5.1.0.79. We have 491 clients, mostly Win XP.


We have noticed that within 3 days of CSA installation on a PC, WMI quits working. If you try to connect to a PC using wmimgmt.msc, you get the message: "Failed to connect to (PC name) because <Null>: No such interface supported."


If we reset Windows security using the command "secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose", the problem is fixed, at least temporarily.


About 45-50% of our PCs are affected.


This is a big deal for us because we use SMS for automated patching and inventory of PCs, and SMS relies heavily on WMI.


The only fix seems to be to remove CSA. Putting the host in Test Mode, or turning off security, doesn't seem to make a difference.


Nothing that we see in the MC event log seems to be connected to the problem.


Has anyone else seen this?

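An added example, not part of the original post or of Cisco's tooling: a PowerShell script that probes remote WMI on a list of hosts the same way wmimgmt.msc does on connect, and counts how many show the "No such interface supported" failure described above versus other errors. It assumes a hosts.txt file (one hostname per line) and an account with remote WMI rights.

```powershell
# Added example (not from the thread). Fleet-wide check for the WMI failure
# described above, so the affected percentage can be measured rather than guessed.
# Assumptions: .\hosts.txt lists one hostname per line; the caller has remote WMI rights.
param(
    [string]$HostList = '.\hosts.txt',
    [string]$Report   = '.\wmi-check.csv'
)

$results = foreach ($pc in (Get-Content $HostList | Where-Object { $_.Trim() })) {
    $status = 'OK'
    $detail = ''
    try {
        # Bind to root\cimv2 and query one class; this is the same connection
        # wmimgmt.msc makes, so a broken repository/DCOM registration fails here too.
        $os = Get-WmiObject -ComputerName $pc -Namespace 'root\cimv2' `
                            -Class Win32_OperatingSystem -ErrorAction Stop
        $detail = $os.Caption
    } catch {
        $msg = $_.Exception.Message
        # "No such interface supported" (E_NOINTERFACE, 0x80004002) is the symptom
        # from the thread; RPC unavailable or access denied is a different problem.
        if ($msg -match 'No such interface supported|0x80004002') {
            $status = 'WMI-BROKEN'
        } else {
            $status = 'UNREACHABLE'
        }
        $detail = $msg
    }
    New-Object PSObject -Property @{ Host = $pc; Status = $status; Detail = $detail }
}

$results | Export-Csv -Path $Report -NoTypeInformation
$broken = @($results | Where-Object { $_.Status -eq 'WMI-BROKEN' })
"{0} of {1} hosts show the WMI failure; details in {2}" -f $broken.Count, @($results).Count, $Report
```

Re-running it after the secedit reset, or after a CSA policy change, shows whether the fix held across the fleet instead of on one test box.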
tsteger1 Wed, 05/30/2007 - 21:26

I've seen messages related to wmiprvse.exe because svchost is trying to access it and it was denied. I had to create an exception to allow it.


There are some rule modules specifically for SMS clients and servers; do you have those associated with your groups?


Some questions:


If it takes three days for it to fail, did you leave your test hosts in test mode that long?


Do you have any rules set not to log?


Are the hosts in question being locked down because of a system state?


Tom

tim_graham Thu, 05/31/2007 - 05:10

Thanks for your response. This issue is puzzling because the problem (WMI becoming non-functional) happens even when the host is in Test Mode, or when security is set to off.


We have done some tuning to allow SMS to do inventory, install patches, etc. It's mostly working, although our servers outside the DMZ are still having a few issues.


We have checked for rules not logging and haven't found that to be the issue yet.


All hosts are in a normal state when this happens. We have very few hosts that go into rootkit. It's always a false alarm when they do. That's another story...


I'm having some luck with the fix for an old bug. Evidently to fix a buffer overflow exploit, Cisco previously recommended disabling csauser.dll.


That appears to be working on some of my test boxes. Unfortunately, disabling the network shim also works some of the time.


We don't have a real clear answer yet.


Tim

tsteger1 Thu, 05/31/2007 - 08:04

Sounds like you've done your work. It could well be a bug or a conflict with something else installed. The fact that only uninstalling CSA fixes it points to that.


I'd open a TAC request.


Tom
