Forum Discussion
Solved
Npcap keeps updating and crashing the Sensors
Since last week, I keep having an issue where Npcap updates to a newer version than 1.0 and then sensors no longer work. I have uninstalled and reinstalled everything, but an autoupdate hits somehow...
- Vendor said "This is part of the port scanner on the latest version that was released last week. We are looking into this now, as it is conflicting with your product." Recommendation is to remove Barracuda RMM device manager, for now. Also, I can confirm that changing the "AdminOnly" regkey did actually fix it, so that is another work around, if someone doesn't want to remove Barracuda RMM device manager.
I do not. They are DCs, so I want to keep them clean of stuff. Problem with procmon is that I don't have a way to trigger whatever is updating it, so I don't know when its going to happen. I am happy to see above in the thread that another person is seeing the same behaviour.
EliOfek
Microsoft
MicrosoftI bet there are some logs that shows when it starts. and you know when you deployed.
How long does it take to happen? minutes? hours? days ?
Putting 1.71 is an interesting test. let's see if its stays this way or you get nmap installed.
But either way, it won't tell us what it triggering this.
How long does it take to happen? minutes? hours? days ?
Putting 1.71 is an interesting test. let's see if its stays this way or you get nmap installed.
But either way, it won't tell us what it triggering this.
- Vendor said "This is part of the port scanner on the latest version that was released last week. We are looking into this now, as it is conflicting with your product." Recommendation is to remove Barracuda RMM device manager, for now. Also, I can confirm that changing the "AdminOnly" regkey did actually fix it, so that is another work around, if someone doesn't want to remove Barracuda RMM device manager.
- EliOfekJust FYI, MDI sensor will hang if the AdminOnly option is turned on.
So you need to make sure nothing will turn it on.
At least we learned something new!
Is this a custom policy in this device manager or something that might happen to anyone that uses it (built in)?
Maybe the other community member on this thread also has some kind of device manager triggering this ? - I think I might have an answer. It seems this might be Barracuda RMM device manager that is doing this. I went through the timeline, line by line to find this behaviour and its pointing to that service as the origin. I'm now looking into that and will update. That is run by a monitoring service that I don't see, so I wasn't aware of it. Sorry Microsoft!!
- Update, since it insists on replacing anything I do with npcap-oem, I am modifying registry:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\npcap\Parameters\
AdminOnly from 1 to 0
net stop npcap
net start npcap
restart sensor services
Lets hope it stays now. So it overwrote the 1.6 that I installed also. I this time I am able to see the install command line that is happening, but not why. Command line is: "npcap-oem.exe" /S /admin_only /require_version
The "admin_only" part is what is breaking things. Because its running npcap-oem.exe, this again indicates that its comming from Microsoft, because the OEM version is not something just downloadable.- Since whatever it is just downgraded both servers to npcap 1.6 and installed nmap, I'm now going to leave nmap where it is and reinstalled npcap 1.6 without the restrict to administrators option picked. Lets see if it all stays.
- Just happened. It downgraded to npcap 1.6 and installed nmap.