Michele D'Angelantonio
Copper Contributor
Jan 31, 2020

Azure ATP sensor update and communication error

Hello,

I have noticed some errors on our ATP Health Center.

The sensors installed on two DCs randomly stopped communicating.

After some time the health alert is automatically closed.

 

Concurrently with these errors I noticed these entries in the sensor logs:

 

Microsoft.Tri.Sensor.Updater.log

2020-01-31 02:41:55.5375 Warn  ResourceManager RestrictCpuAsync process doesn't exist [Process=Microsoft.Tri.Sensor]

 

Microsoft.Tri.Sensor.log

2020-01-31 02:41:34.4173 Error FrameReader`1 CaptureFrames exception, exiting

Microsoft.Tri.Sensor.FrameReaderException: Failed reading frame [resultCode=-1 message=read error: PacketReceivePacket failed]

   at bool Microsoft.Tri.Sensor.FrameReader<TCaptureDevice>.TryReadFrame(out DateTime time, out BufferSlice bufferSlice)

   at bool Microsoft.Tri.Sensor.NetworkListener.ParseFrame(FrameReader frameReader)

   at void Microsoft.Tri.Sensor.NetworkListener.CaptureFrames(LiveFrameReader[] liveFrameReaders)

 

The event ID 7031 is written on the System Event Log:

The Azure Advanced Threat Protection Sensor service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

 

The sensor version is now (Jan 31st) 2.106.7618 and is marked as up to date, but version 2.107 has been out since Jan 26th.

 

Does anyone have any suggestion?

Thanks.

Mike

 

  • Michele D'Angelantonio,

    Did this sensor ever work, or did it stop working at some point?

    Is the message "CaptureFrames exception, exiting" logged after every start crash?

    Did you recently install any product that is using winpcap or npcap on the same machine?

    • Michele D'Angelantonio
      Copper Contributor

      EliOfek thanks for your attention.

      The sensor worked on all DCs for some months. I had the first error in January (sensors were installed in June).

      Nothing has changed on the DCs; the software installed is:

      For OfficeScan we did not use the firewall. So I don't think there is anything using npcap or winpcap.

      The message "CaptureFrames exception, exiting" is logged on every crash (in my log I have only the last two) but not at the exact time.

      Thanks again

      Mike

       

      • EliOfek
        Microsoft

        Michele D'Angelantonio, was there any recent change to the network stack?

        NICs removed/added? Drivers changed?

        Is this a VM or a physical machine?
