cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Meraki PC Agent log noise

Highlighted
New here

Meraki PC Agent log noise

Generally I like the Meraki MDM but the Windows agent needs to be reworked ASAP.

 

It's constant invoking of Cscript for information gathering is the stupidest thing I have ever seen. It is constantly running in the background, creating random .tmp files in the Windows Temp folder. This creates some huge problems with both our endpoint protection and Sysmon logging.

 

First, every time it creates another random script in the temp directory, it triggers our endpoint protection HIPS which constantly evaluates behavior and trust of processes. This creates tons of events in the HIPS log. Due to random naming of the scripts It's very difficult to exclude from monitoring.

 

Secondly, it also creates tons of ProcessCreate events in Sysmon log, and again I have yet to find a way to properly eliminate all that useless noise it creates. I have tried all kinds of filtering rules but Sysmon still logs all that cscript use. I could probably exclude cscript entirely but that would be wrong and create a big hole in security logging.

 

And thirdly, it's use of Cscript is problematic in itself. Nothing should be using Cscript these days. Actually we had Cscript completely disabled but had to make an exception for Meraki Agent.

3 REPLIES 3
Highlighted
Kind of a big deal

Re: Meraki PC Agent log noise

>the Windows agent needs to be reworked ASAP.

 

100% agree.

Highlighted
New here

Re: Meraki PC Agent log noise

I noticed this was posted sometime ago, but are you still having this issue?

I've noticed the same thing and can't seem to find any documentation or support to resolve this issue.

 

Highlighted
New here

Re: Meraki PC Agent log noise

Hi,

 

Yes nothing has changed regarding this. Our endpoint protection (Kaspersky) log are still filling up with the Meraki events garbage. It still runs a CSscript in every short while and creates a tmp file in Windows temp directory. This in turn is obviously flagged by our endpoint solution. As the files are named randomly, I have not found a way to completely exclude them from scanning.

Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels