2017-09-21 02:12 AM
Hello,
https://df-stream.com/2017/08/memory-acquisition-and-virtual-secure/
We're having issues with NWE 4.3.0.3 and Win10 (Anniversary) with Virtual Secure Mode + Credential Guard on (but without Device Guard code integrity on).
On a memory dump from the UI, ECAT doesn't bluescreen, but the memory dump fails with the error '998 - Invalid access to memory location'.
(Not a customer for NWE anymore.) So is it fixed in 4.3.0.4 or 4.3.0.5? If not, what is the expected fix date?
We've tried some of the other tools indicated as fixed in the article, and they work.
2017-09-21 02:53 AM
Hi Vladimir Previn,
There is a known issue seen on lower versions of ECAT in pulling a full memory dump from endpoints. This was a behavior seen especially if the version of the ECAT Console is not the same as the ECAT agent. You can check the NWE 4.3.0.5 Release Notes, where you can see the fixed issues for full memory dumps.
regards,
Renelee "AP" Manio
2017-09-21 03:07 AM
Hello Renelee,
Hmm, I've read the release notes and it's a different issue from both of the below.
The issue is specifically the error '998 - Invalid access to memory location': EXTRACTING memory is failing, not transferring it to the NWE server.
ECATCE-700: If there are older versions of the NetWitness Endpoint agent still in use (for example, version 4.1.2), the following error is logged by the ConsoleServer: System.IO.InvalidDataException: Found invalid data while retrieving "Process and System memory dump"

ECAT-8423: The Full Memory Dump and Process Memory Dump actions are not creating the raw file for a 4.1.2 agent communicating with a 4.3.0.1 server and the following server error is thrown: "ERROR: System.IO.InvalidDataException: Found invalid data while decoding."
Can you go back to engineering with this please, or explicitly confirm that the other two ECAT tracking IDs cover the issue with '998 - Invalid access to memory location' (EXTRACTING memory failing)?
2017-09-21 03:08 AM
PS: we're running NWE 4.3.0.3 on the agent and server, so there's no version mismatch either.
2017-09-21 03:30 AM
Hi,
Validating issues with the engineering team will require a support case to be created. You can wait for other NetWitness Endpoint support members to give their input.
regards,
Renelee "AP" Manio
2017-09-21 04:06 AM
Hmm, yes, I suppose that's a valid support position.
Well, I suppose everyone can keep waiting until it's fixed and use https://www.comae.io/ via wmic or winrs for now.
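The thread hinges on one configuration detail: Virtual Secure Mode with Credential Guard on but Device Guard code integrity (HVCI) off. An added check, not part of the thread and not RSA/NetWitness code, that records exactly that state before a support case is filed or an alternative acquisition tool is picked. It assumes the documented Win32_DeviceGuard CIM class (present on Windows 10 1511 and later) and its value encoding (SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI; VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running); run it elevated on the endpoint. The 998 in the error is Win32 ERROR_NOACCESS.

```powershell
# Added example (not from the thread): report the VBS / Credential Guard / HVCI
# state an endpoint is actually running, so a memory-acquisition failure report
# names the configuration precisely. Assumes the Win32_DeviceGuard CIM class
# (Windows 10 1511+) and its documented value encoding; run elevated.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

$vbs = switch ($dg.VirtualizationBasedSecurityStatus) {
    0       { 'not enabled' }
    1       { 'enabled, not running' }
    2       { 'running' }
    default { "unknown ($_)" }
}

# SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (Device Guard code integrity)
$running   = @($dg.SecurityServicesRunning)
$credGuard = $running -contains 1
$hvci      = $running -contains 2

[pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    OSBuild            = (Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    VBS                = $vbs
    CredentialGuard    = $credGuard
    HVCI               = $hvci
    ServicesConfigured = (@($dg.SecurityServicesConfigured) -join ',')
}

# The failing case in the thread: VBS running, Credential Guard on, HVCI off.
# Error 998 ('Invalid access to memory location') is Win32 ERROR_NOACCESS.
if ($vbs -eq 'running' -and $credGuard -and -not $hvci) {
    Write-Warning 'VSM with Credential Guard on and HVCI off: the configuration reported as failing full memory dumps in NWE 4.3.0.3.'
}
```

Attach the emitted object to the support case (or run it via winrs on each endpoint before choosing an acquisition tool); it distinguishes "Credential Guard only" from "Credential Guard plus HVCI" with a single query rather than a screenshot of msinfo32.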