KBI 311902 Issue Addressed: W2016 File Audit Events Are Not Archived

Version

Argent Advanced Technology 5.1A-2101-A and earlier

Date

Friday, 15 January 2021

Summary

It is confirmed that file audit events are not saved for Windows 2016 servers if the Argent AT engine does not have access to the registry of the target server.

Argent for Compliance uses a sequence of file audit events to compose a single operation. For example, a file deletion generates events 4656, 4663, 4660 and 4658.

They are correlated by object handle ID and process ID.

Windows changed the file audit event format of event 4656 (A handle to an object was requested) in Windows 2008 R2. The process ID is user data string#14 in Windows 2008 and earlier, and string#15 in Windows 2008 R2.

As a result, it is critical to pass in the correct Windows version information for file audit events.

Argent AT determines the Windows version first by the model string in the CMDB-X properties, then by dynamically querying the registry of the target machine.

It is a coding error that Argent AT could not derive the correct Windows version when the model string is Windows 2016. If the Argent AT engine could not access the registry of the target machine, the Windows version was left undetermined.

As a result, the Argent AT engine uses user data string#14 instead of string#15 for the process ID, which breaks the correlation among the file audit events, and no such file audit events can be found and archived.
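The following is an added illustration of the correlation described above; it is not Argent's code. It groups the four events of a deletion by (handle ID, process ID) and reads the process ID of event 4656 from user data string#14 or string#15 depending on the Windows version, as the KBI describes. It assumes the string#15 layout also applies to Windows 2012 and 2016 (the KBI only states 2008 R2 explicitly), and the event records, field positions other than the process ID, and values are constructed for the example.

```python
"""Correlate file audit events into a single file operation (added example).

Demonstrates why the Windows version matters: with the version undetermined,
the process ID of event 4656 is read from the wrong user data string, the
4656 event no longer matches its 4663/4660/4658 siblings, and the deletion
is never recognised.  All records below are constructed sample data.
"""
from collections import defaultdict

# Event IDs that make up one file deletion, in order (from the KBI).
HANDLE_REQUESTED, ATTEMPT_ACCESS, OBJECT_DELETED, HANDLE_CLOSED = 4656, 4663, 4660, 4658
DELETION_SEQUENCE = [HANDLE_REQUESTED, ATTEMPT_ACCESS, OBJECT_DELETED, HANDLE_CLOSED]

# 0-based index of the process ID in the 4656 user data strings.
# KBI: string#14 on Windows 2008 and earlier, string#15 on Windows 2008 R2.
# Assumption: the 2008 R2 layout carries forward to 2012 and 2016.
PROCESS_ID_INDEX_4656 = {
    "Windows 2008": 13,
    "Windows 2008 R2": 14,
    "Windows 2012": 14,
    "Windows 2016": 14,
}
LEGACY_INDEX = 13  # what an undetermined version falls back to (the bug)


def make_4656(handle_id, process_id):
    """Constructed 4656 record in the 2008 R2+ layout (process ID at string#15)."""
    strings = ["-"] * 16
    strings[13] = "0x0"          # string#14: some other field in this layout (constructed)
    strings[14] = process_id     # string#15: the process ID
    return {"id": HANDLE_REQUESTED, "handle_id": handle_id, "strings": strings}


def make_event(event_id, handle_id, process_id):
    """Constructed 4663/4660/4658 record; process ID assumed to be a fixed field."""
    return {"id": event_id, "handle_id": handle_id, "process_id": process_id}


# One complete deletion (handle 0x1a4, PID 0x1f40) plus an unrelated read on another handle.
SAMPLE_EVENTS = [
    make_4656("0x1a4", "0x1f40"),
    make_event(ATTEMPT_ACCESS, "0x1a4", "0x1f40"),
    make_event(OBJECT_DELETED, "0x1a4", "0x1f40"),
    make_event(HANDLE_CLOSED, "0x1a4", "0x1f40"),
    make_event(ATTEMPT_ACCESS, "0x2b8", "0x0c44"),
]


def process_id_of(event, windows_version):
    """Return the process ID, using the version-dependent index for 4656."""
    if event["id"] == HANDLE_REQUESTED:
        index = PROCESS_ID_INDEX_4656.get(windows_version, LEGACY_INDEX)
        return event["strings"][index]
    return event["process_id"]


def correlate(events, windows_version):
    """Group event IDs by (handle ID, process ID), preserving arrival order."""
    operations = defaultdict(list)
    for event in events:
        key = (event["handle_id"], process_id_of(event, windows_version))
        operations[key].append(event["id"])
    return operations


def find_deletions(events, windows_version):
    """Return the (handle ID, process ID) keys whose events form a full deletion."""
    return [key for key, ids in correlate(events, windows_version).items()
            if ids == DELETION_SEQUENCE]


if __name__ == "__main__":
    print("Windows 2016:", find_deletions(SAMPLE_EVENTS, "Windows 2016"))
    print("undetermined:", find_deletions(SAMPLE_EVENTS, None))
```

With the version known to be Windows 2016 the deletion is found; with the version undetermined the engine reads string#14, the 4656 event lands in a different group and no deletion is archived, which is exactly the symptom the KBI reports.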

The issue has been addressed in Argent AT 5.1A-2101-B or later.

Technical Background

It is caused by a coding error.

Resolution

Upgrade to Argent AT 5.1A-2101-B or later.

Customers who cannot upgrade immediately can take one of the following approaches:

1. Open the registry of the target machine to the Argent AT engine. This can be done by starting the Remote Registry service on the target machine.

2. Change the model string of the target machine in CMDB-X from Windows 2016 to Windows 2012. Other than the cosmetic difference, the change won't affect the normal function of Argent AT services.