Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
349
Views
8
Helpful
3
Replies

CSA causing WMI issues?

tim_graham
Level 1
Level 1

‎05-30-2007 04:31 AM - edited ‎03-10-2019 03:38 AM

We are using Cisco Security Agent 5.1.0.79. We have 491 clients, mostly Win XP.

We have noticed that within 3 days of CSA installation on a PC, WMI quits working. If you try to connect to a PC using wmimgmt.msc, you get the message: "Failed to connect to (PC name) because <Null>: No such interface supported.

If we reset Windows security using the command: "secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose" The problem is fixed, at least temporarily.

About 45-50% of our PCs are affected.

This is a big deal for us because we use SMS for automated patching and inventory of PCs, and SMS relies heavily on WMI.

The only fix seems to be to remove CSA. Putting the host in Test Mode, or turning off security don't seem to make a difference.

Nothing that we see in the MC event log seems to be connected to the problem.

Has anyone else seen this?

Labels:
0 Helpful
3 Replies 3

tsteger1
Level 8
Level 8

‎05-30-2007 09:26 PM

I've seen messages related to wmiprvse.exe because svchost is trying to access it and it was denied. I had to create an exception to allow it.

There are some rule modules specifically for SMS clients and servers, do you have those associated with your groups?

Some questions:

If it takes three days for it to fail, did you leave your test hosts in test mode that long?

Do you have any rules set not to log?

Are the hosts in question being locked down because of a system state?

Tom

0 Helpful

tim_graham
Level 1
Level 1
In response to tsteger1

‎05-31-2007 05:10 AM

Thanks for your response. This issue is puzzling because the problem (WMI becoming non functional) happens even when the host is in Test Mode, or when security is set to off.

We have done some tuning to allow SMS to do inventory, install patches etc... It's mostly working, although our servers outside the DMZ are still having a few issues.

We have checked for rules not logging and haven't found that to be the issue yet.

All hosts are in a normal state when this happens. We have very few hosts that go into rootkit. It's always a false alarm when they do. That's another story...

I'm having some luck with the fix for an old bug. Evidently to fix a buffer overflow exploit, Cisco previously recommended disabling csauser.dll.

That appears to be working on some of my test boxes. Unfortunately, disabling the network shim also works some of the time.

We don't have a real clear answer yet.

Tim

tsteger1
Level 8
Level 8
In response to tim_graham

‎05-31-2007 08:04 AM

Sounds like you've done your work. It could well be a bug or a conflict with something else installed. The fact that only uninstalling CSA fixes it points to that.

I'd open a TAC request.

Tom

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card