SOLVED

Npcap keeps updating and crashing the Sensors


Since last week, I keep having an issue where Npcap updates to a newer version than 1.0 and then sensors no longer work.  I have uninstalled and reinstalled everything, but an autoupdate hits somehow a few hours later and crashes everything.  Anyone else seeing this?


@kmcdermott MDI does not auto-update npcap, and npcap does not auto-upgrade.

If it happened, it means you have some policy in effect that auto-upgrades it...

Eli, for your reference, I have nothing else installed on this server other than Windows and the DC services. I install the sensor clean, which installs npcap 1.0. In a few hours it gets upgraded to npcap 1.6, and nmap 7.92 is also installed. This same thing happens on both of my DCs. I have replicated this over and over. This started last week.
Did you manually install npcap, or only the sensor, and let the sensor auto-deploy npcap?
I suggest opening a support ticket so an engineer can help you trace the update trigger.
MDI does not deploy nmap, and does not auto-update npcap.
It has to be something external.
Most likely some forgotten policy in the domain.
I would capture a procmon trace on the machine to see which process kicks off the upgrade process.
As a test, I'm uninstalling the npcap 1.6 and nmap 7.92 that are somehow being pushed to me and installing npcap 1.71 to see if it somehow gets downgraded to 1.6.
npcap 1.0 was installed via the sensor install. Can't be a "forgotten policy" because this problem just started last week and there are no policies that update third-party products! I have a support ticket open.
Keep us updated with findings, please.
I suggest running procmon to trace who triggers the upgrade.

BTW - any chance you have Wireshark installed on the machine?

I do not. They are DCs, so I want to keep them clean of stuff. The problem with procmon is that I don't have a way to trigger whatever is updating it, so I don't know when it's going to happen. I am happy to see above in the thread that another person is seeing the same behaviour.

I bet there are some logs that show when it starts, and you know when you deployed.
How long does it take to happen? Minutes? Hours? Days?

Putting 1.71 on is an interesting test. Let's see if it stays this way or you get nmap installed.
But either way, it won't tell us what is triggering this.
Just happened. It downgraded to npcap 1.6 and installed nmap.
Since whatever it is just downgraded both servers to npcap 1.6 and installed nmap, I'm now going to leave nmap where it is and reinstall npcap 1.6 without the "Restrict to administrators" option picked. Let's see if it all stays.

So it overwrote the 1.6 that I installed also. This time I am able to see the install command line that is happening, but not why. Command line is: "npcap-oem.exe" /S /admin_only /require_version
The "admin_only" part is what is breaking things. Because it's running npcap-oem.exe, this again indicates that it's coming from Microsoft, because the OEM version is not something just downloadable.

Update, since it insists on replacing anything I do with npcap-oem, I am modifying registry:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\npcap\Parameters\
AdminOnly from 1 to 0
net stop npcap
net start npcap
restart sensor services

Let's hope it stays now.
I think I might have an answer. It seems this might be Barracuda RMM device manager that is doing this. I went through the timeline, line by line, to find this behaviour and it's pointing to that service as the origin. I'm now looking into that and will update. That is run by a monitoring service that I don't see, so I wasn't aware of it. Sorry Microsoft!!
Just FYI, MDI sensor will hang if the AdminOnly option is turned on.
So you need to make sure nothing will turn it on.
At least we learned something new!
Is this a custom policy in this device manager or something that might happen to anyone that uses it (built in)?

Maybe the other community member on this thread also has some kind of device manager triggering this?
best response confirmed by Eli Ofek (Microsoft)
Solution
Vendor said "This is part of the port scanner on the latest version that was released last week. We are looking into this now, as it is conflicting with your product." Recommendation is to remove Barracuda RMM device manager, for now. Also, I can confirm that changing the "AdminOnly" regkey did actually fix it, so that is another workaround, if someone doesn't want to remove Barracuda RMM device manager.
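The two practical steps in this thread, resetting the npcap AdminOnly value that hangs the sensor and finding out which process keeps launching npcap-oem.exe, can be scripted so a DC can be checked and repaired without waiting for the next unexpected install. The script below is an added example written for this page; it is not from the thread, from Microsoft or from Npcap. It uses the registry path posted above, and assumes (not stated on the page) that the MDI sensor services are named AATPSensor and AATPSensorUpdater, and that Security event 4688 with command-line logging is enabled on the host (a helper is included to turn that on, which a domain GPO may override).

```powershell
# Added example (not from the thread): audit/repair the npcap AdminOnly setting that
# hangs the MDI sensor, and list who launched npcap-oem.exe from the Security log.
# Assumptions: sensor service names 'AATPSensor'/'AATPSensorUpdater' (assumed, not on
# the page); process-creation auditing with command line enabled (Enable-ProcessAudit).
# Run in an elevated PowerShell session.

$NpcapParams    = 'HKLM:\SYSTEM\CurrentControlSet\Services\npcap\Parameters'  # path from the thread
$SensorServices = @('AATPSensor', 'AATPSensorUpdater')                         # assumed service names

function Get-NpcapAdminOnly {
    # Returns the current AdminOnly DWORD; 0 when the value is absent.
    $props = Get-ItemProperty -Path $NpcapParams -ErrorAction Stop
    if ($null -eq $props.AdminOnly) { return 0 }
    return [int]$props.AdminOnly
}

function Repair-NpcapAdminOnly {
    # Mirrors the manual fix posted above: AdminOnly 1 -> 0, restart npcap, restart the sensor.
    if ((Get-NpcapAdminOnly) -eq 0) {
        Write-Host 'AdminOnly is already 0; nothing to do.'
        return
    }
    Set-ItemProperty -Path $NpcapParams -Name AdminOnly -Value 0 -Type DWord
    Restart-Service -Name npcap -Force
    foreach ($svc in $SensorServices) {
        if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
            Restart-Service -Name $svc -Force
        }
    }
    Write-Host "AdminOnly is now $(Get-NpcapAdminOnly); npcap and sensor services restarted."
}

function Enable-ProcessAudit {
    # Turns on Security event 4688 and includes the command line in it, so the next
    # npcap-oem.exe launch is recorded even when nobody is watching procmon.
    auditpol.exe /set /subcategory:"Process Creation" /success:enable | Out-Null
    $pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    New-Item -Path $pol -Force | Out-Null
    Set-ItemProperty -Path $pol -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord
}

function Get-NpcapOemLaunches {
    # Lists 4688 events for npcap-oem.exe with the parent process and command line,
    # which is what identified the RMM agent as the trigger in this thread.
    param([int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'npcap-oem\.exe' } |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time          = $_.TimeCreated
                NewProcess    = $data['NewProcessName']
                CommandLine   = $data['CommandLine']
                ParentProcess = $data['ParentProcessName']   # present on Server 2016+ / Win10+
                SubjectUser   = $data['SubjectUserName']
            }
        }
}

# Usage:
#   Get-NpcapAdminOnly
#   Repair-NpcapAdminOnly
#   Enable-ProcessAudit
#   Get-NpcapOemLaunches -Days 3 | Format-Table -AutoSize
```

Repair-NpcapAdminOnly only undoes the symptom; if the launches listed by Get-NpcapOemLaunches show the same parent process each time, that agent (or its scanner feature) is what has to be reconfigured or removed, as the vendor reply above describes.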