NWE 4.3.0.3 (maybe all) memory dump issues with win10 VSM on?

Discussion created by Vladimir Previn on Sep 21, 2017
Latest reply on Sep 21, 2017 by Vladimir Previn

Like • Show 0 Likes0
Comment • 5

hello,

https://df-stream.com/2017/08/memory-acquisition-and-virtual-secure/
we're having issues with NWE 4.3.0.3 and win10 (anniversary) with virtual secure mode + credential guard on (but without device guard code integrity on)
On memory dump from the UI ECAT doesn't bluescreen but mem dump fails with error: '998 - Invalid access to memory location'

(not a customer for NWE anymore) so is it fixed in 4.3.0.4 or 4.3.0.5? if not - expected fix date?

We've tried some of the other tools indicated as fixed in the article and they work.

Outcomes

5 Replies

Renelee Manio Sep 21, 2017 2:53 AM
Hi Vladimir Previn,
There is a known issue seen on lower version of ECAT in pulling full memmory dump from endpoints. This was a behavior seen specially if the version of ECAT Console is not the same as the ECAT agent. You can check NWE 4.3.0.5 Release Notes where you can see fixed issues for full memory issues.

regards,
Renelee "AP" Manio
Like • Show 0 Likes0
Actions
- Vladimir Previn @ Renelee Manio on Sep 21, 2017 3:07 AM
  hello Renelee.
  
  hmm, I've read the release notes and it's a different issue to both of the below.
  the issue is specifically error '998 - Invalid access to memory location' EXTRACTING memory failing not transferring it to the NWE server.
  
  ECATCE-700 If there are older versions of the NetWitness Endpoint agent still in use (for example,
  version 4.1.2), the following error is logged by the ConsoleServer: System.IO.InvalidDataException:
  Found invalid data while retrieving "Process and System
  memory dump"
  ECAT-8423 The Full Memory Dump and Process Memory Dump actions are not creating the raw
  file for a 4.1.2 agent communicating with a 4.3.0.1 server and the following server
  error is thrown: "ERROR: System.IO.InvalidDataException: Found invalid data while
  decoding.
  
  can you go back to engineering with this please. or explicitly confirm the other two ECAT tracking ids cover the issue with
  '998 - Invalid access to memory location' EXTRACTING memory failing
  Like • Show 0 Likes0
  Actions
- Vladimir Previn @ Renelee Manio on Sep 21, 2017 3:08 AM
  ps we're running NWE 4.3.0.3 on the agent and server so there's no version mismatch either
  Like • Show 0 Likes0
  Actions
Renelee Manio Sep 21, 2017 3:30 AM
Hi Vladimir Previn,
Validating issues with engineering team will require a support case to be created. You can wait for other Netwitness Endpoint support members to give their inputs.

regards,
Renelee "AP" Manio
Like • Show 0 Likes0
Actions
- Vladimir Previn @ Renelee Manio on Sep 21, 2017 4:06 AM
  hmm, yes I suppose that's a valid support position.
  well I suppose everyone can keep waiting until it's fixed and use the https://www.comae.io/ via wmic or winrs for now .
  Like • Show 0 Likes0
  Actions

NWE 4.3.0.3 (maybe all) memory dump issues with win10 VSM on?

Outcomes

Related Content

Recommended Content