Forum Discussion
kmcdermott
Oct 25, 2022
Copper Contributor
Npcap keeps updating and crashing the Sensors
Since last week, I keep having an issue where Npcap updates to a newer version than 1.0 and then sensors no longer work. I have uninstalled and reinstalled everything, but an autoupdate hits somehow...
- Oct 27, 2022
Vendor said "This is part of the port scanner on the latest version that was released last week. We are looking into this now, as it is conflicting with your product." Recommendation is to remove Barracuda RMM device manager, for now. Also, I can confirm that changing the "AdminOnly" regkey did actually fix it, so that is another workaround, if someone doesn't want to remove Barracuda RMM device manager.
EliOfek
Microsoft
Oct 26, 2022
Keep us updated with findings please.
I suggest running procmon to trace who triggers the upgrade.
BTW - any chance you have Wireshark installed on the machine?
kmcdermott
Oct 26, 2022
Copper Contributor
I do not. They are DCs, so I want to keep them clean of stuff. Problem with procmon is that I don't have a way to trigger whatever is updating it, so I don't know when it's going to happen. I am happy to see above in the thread that another person is seeing the same behaviour.
- EliOfek Oct 26, 2022
Microsoft
I bet there are some logs that show when it starts, and you know when you deployed.
How long does it take to happen? Minutes? Hours? Days?
Putting 1.71 is an interesting test. Let's see if it stays this way or you get nmap installed.
But either way, it won't tell us what is triggering this.
- kmcdermott Oct 26, 2022
Copper Contributor
Update, since it insists on replacing anything I do with npcap-oem, I am modifying registry:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\npcap\Parameters\
AdminOnly from 1 to 0
net stop npcap
net start npcap
restart sensor services
Let's hope it stays now.
- kmcdermott Oct 26, 2022
Copper Contributor
I think I might have an answer. It seems this might be Barracuda RMM device manager that is doing this. I went through the timeline, line by line, to find this behaviour and it's pointing to that service as the origin. I'm now looking into that and will update. That is run by a monitoring service that I don't see, so I wasn't aware of it. Sorry Microsoft!!
- kmcdermott Oct 26, 2022
Copper Contributor
So it overwrote the 1.6 that I installed also. This time I am able to see the install command line that is happening, but not why. Command line is: "npcap-oem.exe" /S /admin_only /require_version
The "admin_only" part is what is breaking things. Because it's running npcap-oem.exe, this again indicates that it's coming from Microsoft, because the OEM version is not something just downloadable.
- kmcdermott Oct 26, 2022
Copper Contributor
Since whatever it is just downgraded both servers to npcap 1.6 and installed nmap, I'm now going to leave nmap where it is and reinstalled npcap 1.6 without the restrict to administrators option picked. Let's see if it all stays.
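
The tracing discussed in the thread (identifying which process launches the Npcap installer with /admin_only), as an added example that is not part of any post above. It assumes process-creation auditing with command-line logging is enabled so that Security event 4688 is recorded; the sample records, their paths, account and parent process name are constructed placeholders.

```powershell
# Added example, not from the thread. Assumes "Audit Process Creation" with
# command-line logging is enabled, so Security event 4688 is recorded with
# NewProcessName, CommandLine and ParentProcessName.

function Convert-ProcessEvent {
    # Flatten one 4688 event record into a field-name -> value hashtable.
    param($Record)
    $fields = @{ TimeCreated = $Record.TimeCreated }
    foreach ($node in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $fields[$node.Name] = $node.'#text'
    }
    $fields
}

function Find-NpcapInstall {
    # Keep Npcap installer launches; flag the switch that sets AdminOnly.
    param([hashtable[]]$Records)
    foreach ($r in $Records) {
        if ($r['NewProcessName'] -match '\\npcap[^\\]*\.exe$') {
            [pscustomobject]@{
                Time      = $r['TimeCreated']
                Installer = $r['NewProcessName']
                Parent    = $r['ParentProcessName']
                Account   = $r['SubjectUserName']
                AdminOnly = $r['CommandLine'] -match '/admin_only'
            }
        }
    }
}

# Constructed sample records (paths, account and parent name are placeholders).
$sample = @(
    @{ TimeCreated = [datetime]'2022-10-26T10:00:00'
       NewProcessName = 'C:\ExamplePath\npcap-oem.exe'
       CommandLine = '"npcap-oem.exe" /S /admin_only /require_version'
       ParentProcessName = 'C:\ExamplePath\example-agent.exe'
       SubjectUserName = 'EXAMPLE-DC$' },
    @{ TimeCreated = [datetime]'2022-10-26T10:01:00'
       NewProcessName = 'C:\Windows\System32\net.exe'
       CommandLine = 'net start npcap'
       ParentProcessName = 'C:\Windows\System32\cmd.exe'
       SubjectUserName = 'admin' }
)
Find-NpcapInstall $sample | Format-List

# Live use on the affected host, from an elevated prompt:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } |
#     ForEach-Object { Convert-ProcessEvent $_ }
# Find-NpcapInstall $live | Sort-Object Time | Format-List
```

The Parent column names the process that started the installer, which does not depend on catching the update while a trace is running.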