
Sysinternals Blog

Process Monitor 2.0 for Linux and Sysmon v15.15

Alex_Mihaiuc (Microsoft)
Jul 23, 2024

Procmon 2.0 for Linux

Process Monitor for Linux, a convenient and efficient way for developers to trace the syscall activity on the system, is now updated to support a broader range of Linux distributions.

Sysmon v15.15

This Sysmon update fixes a hang that occurred when memory was constrained, improves FsFilter performance, and fixes two rare crashes related to FileBlockShredding and PipeEvent.

7 Comments

  • Alex_Mihaiuc (Microsoft)

    AuSecOps, the "255" error is a catch-all for "too serious to be able to silently recover" errors. That 0x40000 report signifies that the system is out of memory: failure to allocate 256 kilobytes. Drop me a private message here with the different occurrences of event 255; I can verify each one individually.

  • AuSecOps

    We have been battling with a Sysmon Error #255 for almost a year now, across various recent versions.

    Large network, 5000+ hosts; the issue seems to affect about 5% of our fleet occasionally.

    We will see Error 255: Failed to allocate 40000 bytes. Exit process.

    After this, logs stop flowing and the system needs to be rebooted. Restarting the process/service without a reboot is impossible. We tried everything to figure out what is causing this error, but I am out of ideas. On some occasions we need to delete all the registry artifacts for Sysmon and perform a full un-install/re-install before we can get logs flowing to our SIEM again.

    Can Microsoft provide some kind of documentation for the wide array of 255 errors? This '40000 bytes' is just one variant; there are many different 255 errors. Some of them are sort of self-explanatory, but many, like this error, make absolutely no sense, nor is there any way to debug what is causing it.

    How can we get in contact with someone to help try and debug this issue? Are there any debug steps we can use ourselves that aren't documented?
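The inventory of event 255 variants that the comment above asks for can be pulled from the Sysmon log itself. The script below is an added example, not code from the post or from Microsoft: it assumes the default Sysmon channel name (Microsoft-Windows-Sysmon/Operational), that event 255 renders with a "Description:" line carrying the error text, and, for remote hosts, that the Remote Event Log Management firewall rule is enabled. The output file name is a hypothetical default.

```powershell
# Added example, not code from the Sysinternals post or from Microsoft.
# Tallies Sysmon Event ID 255 ("Error") records from one or more hosts so the
# different 255 variants can be listed side by side. Assumes the default Sysmon
# channel name and, for remote hosts, the Remote Event Log Management firewall rule.

param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [int]$Days = 30,
    # Hypothetical output file; detail rows go here for sharing or drill-down.
    [string]$DetailCsv = '.\sysmon-255-detail.csv'
)

$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 255
    StartTime = (Get-Date).AddDays(-$Days)
}

function Get-ErrorSignature {
    param([string]$Message)
    # Event 255 renders as "Error:" followed by UtcTime, ID and Description lines;
    # the Description line carries the error text. Fall back to the whole message.
    $text = if ($Message -match '(?m)^Description:\s*(.+)$') { $Matches[1] } else { $Message }
    $text = $text -replace '\s+', ' '
    # Collapse numbers so "Failed to allocate 40000 bytes" and other sizes bucket
    # together as one variant; the raw text is kept in the detail CSV.
    $text = $text -replace '0x[0-9A-Fa-f]+', '<hex>'
    $text = $text -replace '\b\d+\b', '<n>'
    return $text.Trim()
}

$rows = foreach ($c in $ComputerName) {
    try {
        $events = Get-WinEvent -ComputerName $c -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # "No events were found" is the good case; anything else is a reachability problem.
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$c : $($_.Exception.Message)"
        }
        continue
    }
    foreach ($e in $events) {
        [pscustomobject]@{
            Computer  = $c
            Time      = $e.TimeCreated
            Signature = Get-ErrorSignature $e.Message
            Message   = ($e.Message -replace '\s+', ' ')
        }
    }
}

if (-not $rows) { Write-Host "No Sysmon event 255 in the last $Days day(s)."; return }

$rows | Export-Csv -NoTypeInformation -Path $DetailCsv

# One line per distinct 255 variant: how many hosts hit it, how often, and when.
$rows | Group-Object Signature | ForEach-Object {
    $times = @($_.Group.Time | Sort-Object)
    [pscustomobject]@{
        Hosts     = @($_.Group.Computer | Sort-Object -Unique).Count
        Count     = $_.Count
        FirstSeen = $times[0]
        LastSeen  = $times[-1]
        Signature = $_.Name
    }
} | Sort-Object Hosts, Count -Descending | Format-Table -AutoSize -Wrap
```

Run it against the hosts that stopped forwarding (for example `.\Get-Sysmon255.ps1 -ComputerName host1,host2 -Days 90`). The summary table shows which variants are fleet-wide versus isolated, and the CSV keeps every raw occurrence, which is what the vendor reply above asks to be sent for individual verification.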

  • Alex_Mihaiuc (Microsoft)

    Ian_B1066, the FileDelete*, FileBlockShredding and FileBlockExecutable rules tend to be the most "expensive". Do you have an opportunity to test without those?
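Testing without those rules means shipping a trimmed copy of the configuration to a test host. The script below is an added example, not code from the post or from Microsoft: it takes the XML you deploy (Sysmon does not export the active configuration back to XML; `sysmon64 -c` with no file prints it as text), strips the rule types named above, and writes a new file to apply with `sysmon64 -c`. The output file name and the default rule list are assumptions to edit as needed.

```powershell
# Added example, not code from the Sysinternals post or from Microsoft.
# Writes a copy of a deployed Sysmon configuration with the "expensive" rule
# types removed, so their cost can be measured on a test host. Assumes you have
# the XML you deploy; the active config cannot be exported back to XML.

param(
    [Parameter(Mandatory)][string]$ConfigPath,
    # Hypothetical output name; change as needed.
    [string]$OutPath = 'sysmon-test-without-file-rules.xml',
    # Rule element names match Sysmon event type names. FileDelete* covers
    # FileDelete and FileDeleteDetected.
    [string[]]$DropRules = @('FileDelete', 'FileDeleteDetected',
                             'FileBlockShredding', 'FileBlockExecutable')
)

[xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw
$filtering = $cfg.SelectSingleNode('/Sysmon/EventFiltering')
if (-not $filtering) { throw "No <EventFiltering> element in $ConfigPath" }

$removed = @()
# Rules sit either directly under <EventFiltering> or inside <RuleGroup> wrappers.
# Snapshot the child lists first: removing nodes while enumerating them is unsafe.
foreach ($node in @($filtering.ChildNodes)) {
    $rules = if ($node.LocalName -eq 'RuleGroup') { @($node.ChildNodes) } else { @($node) }
    foreach ($rule in $rules) {
        if ($rule.NodeType -ne 'Element') { continue }
        if ($DropRules -contains $rule.LocalName) {
            $removed += "$($rule.LocalName) onmatch=$($rule.GetAttribute('onmatch'))"
            [void]$rule.ParentNode.RemoveChild($rule)
        }
    }
    # Remove a RuleGroup that no longer holds any rule element.
    if ($node.LocalName -eq 'RuleGroup' -and -not $node.SelectSingleNode('*')) {
        [void]$filtering.RemoveChild($node)
    }
}

# XmlDocument.Save resolves relative paths against the process directory,
# not the PowerShell location, so make the path absolute first.
if (-not [System.IO.Path]::IsPathRooted($OutPath)) {
    $OutPath = Join-Path (Get-Location).Path $OutPath
}
$cfg.Save($OutPath)

Write-Host "Removed $($removed.Count) rule block(s):"
$removed | ForEach-Object { Write-Host "  $_" }
Write-Host "Apply on a test host with:  sysmon64.exe -c `"$OutPath`""
Write-Host "Then compare its Event ID 255 rate with a host still on $ConfigPath."
```

`sysmon64 -c file.xml` reloads the configuration without a reboot, so the comparison can be made on a live host. Keep in mind that the test host stops logging FileDelete and FileBlock events while the trimmed file is active; this is a measurement, not a replacement configuration.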

  • Ian_B1066

    Alex_Mihaiuc, thank you for your quick reply.

    The problem I'm getting is nearly half a gig of them generated on a clustered file server when moving the file server role to that cluster member. It does rather drown out the logging and I don't see a way to prevent it in the config.

  • Alex_Mihaiuc (Microsoft)

    Hey Ian_B1066,

    Those errors are there to inform you about Sysmon being "blind" (due to system load) to some events happening in the system. There's a good chance that the events were also dropped before Sysmon had the functionality to make these reports.

  • Ian_B1066

    Are the fixes in Sysmon 15.15 likely to address the "Events dropped from driver queue" error 255s I'm seeing with Sysmon 15.14?