
Meraki PC Agent log noise


Generally I like the Meraki MDM but the Windows agent needs to be reworked ASAP.

 

Its constant invoking of Cscript for information gathering is the stupidest thing I have ever seen. It is constantly running in the background, creating random .tmp files in the Windows Temp folder. This creates some huge problems with both our endpoint protection and Sysmon logging.

 

First, every time it creates another random script in the temp directory, it triggers our endpoint protection HIPS, which constantly evaluates behavior and trust of processes. This creates tons of events in the HIPS log. Due to random naming of the scripts, it's very difficult to exclude from monitoring.

 

Secondly, it also creates tons of ProcessCreate events in the Sysmon log, and again I have yet to find a way to properly eliminate all that useless noise it creates. I have tried all kinds of filtering rules but Sysmon still logs all that cscript use. I could probably exclude cscript entirely but that would be wrong and create a big hole in security logging.

 

And thirdly, its use of Cscript is problematic in itself. Nothing should be using Cscript these days. Actually we had Cscript completely disabled but had to make an exception for Meraki Agent.
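
An added example, not part of the original post and not Meraki's or the poster's configuration: a Sysmon ProcessCreate exclusion that drops a cscript launch only when the parent process, the image and the script location all match, so cscript started by anything else is still logged. The agent path is a placeholder, and the assumption that the .tmp script path appears on the cscript command line is not confirmed by the post.

```xml
<!-- Added example. Set schemaversion to the value reported by "sysmon -s"
     for the installed Sysmon build; <Rule groupRelation> needs 4.22 or later. -->
<Sysmon schemaversion="4.50">
  <EventFiltering>
    <RuleGroup name="ProcessCreate noise" groupRelation="or">
      <!-- Only an exclude list: every ProcessCreate is logged unless a rule
           below matches it. -->
      <ProcessCreate onmatch="exclude">
        <!-- groupRelation="and": ALL three conditions must hold for the
             event to be dropped. A single-field exclusion on cscript.exe
             would hide every script host launch on the machine. -->
        <Rule name="MDM agent cscript inventory" groupRelation="and">
          <!-- PLACEHOLDER: replace with the full path of the agent binary as
               it appears in the ParentImage field of an existing Event ID 1. -->
          <ParentImage condition="is">C:\PLACEHOLDER\agent-service.exe</ParentImage>
          <!-- Full path, not just the file name, so a renamed or relocated
               copy of cscript.exe is still logged. Use the SysWOW64 path
               instead if the recorded Image field shows the 32-bit host. -->
          <Image condition="is">C:\Windows\System32\cscript.exe</Image>
          <!-- Assumption: the random .tmp script in the Windows Temp folder
               is passed on the command line. -->
          <CommandLine condition="contains">C:\Windows\Temp\</CommandLine>
        </Rule>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Copy the three field values from one of the noisy Event ID 1 records rather than typing them, since an `is` condition has to match the logged string exactly. Anything the agent binary itself launches this way goes unlogged by Sysmon, so the agent's install directory should be writable only by administrators.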


Re: Meraki PC Agent log noise

>the Windows agent needs to be reworked ASAP.

 

100% agree.
