Forum Discussion
Azure ATP connection closed errors
- Aug 15, 2019
Engineering has researched the sampled capture and managed to reproduce the issue. Sadly, this is not an easy fix; it's a specific/rare traffic on top of SMB1 we were not aware of before and currently cannot parse. We have opened a bug for it. It is planned, but in low priority for now, as telemetry shows it happens rarely. We will update once we get it resolved so the fix can be verified.
EliOfek - Can I use built-in netsh commands to run the trace, or will it have to be with netmon 3.4?
Do you want both ends or just from the AATP Sensor?
Netmon is preferred. If there is no such option, we can try to work with netsh, but it will take more time.
We need to capture the traffic on the DC.
Also, it's interesting if you can get us a capture while invoking this command against the captured DC:
net group "Domain Admins" /domain
It seems you have some SMB1 traffic there, which is not very common these days, so we want to make sure our parser is not missing anything from this protocol, which we don't get a lot of any more.
Eli
- archedmeerkat, Jul 17, 2019, Copper Contributor
EliOfek - I have the capture with netmon. Is there anywhere I can securely upload this or share it with you?
- EliOfek, Jul 17, 2019, Microsoft
archedmeerkat, the best option is to open a support case and give me the case #.
I will ask the assigned engineer to open a secured workspace for you where we can exchange files,
and also to add me to the case thread so I can help and add PG members as needed.
- archedmeerkat, Aug 01, 2019, Copper Contributor
I've sent the case number over in a private message, but wasn't sure how to add you to the case. I'll see if I can have that done shortly.