Meraki

Community

Meraki PC Agent log noise

MerakiUsr10
New here
‎Oct 13 2019 1:07 AM
‎Oct 13 2019 1:07 AM

Meraki PC Agent log noise

Generally I like the Meraki MDM but the Windows agent needs to be reworked ASAP.

 

It's constant invoking of Cscript for information gathering is the stupidest thing I have ever seen. It is constantly running in the background, creating random .tmp files in the Windows Temp folder. This creates some huge problems with both our endpoint protection and Sysmon logging.

 

First, every time it creates another random script in the temp directory, it triggers our endpoint protection HIPS which constantly evaluates behavior and trust of processes. This creates tons of events in the HIPS log. Due to random naming of the scripts It's very difficult to exclude from monitoring.

 

Secondly, it also creates tons of ProcessCreate events in Sysmon log, and again I have yet to find a way to properly eliminate all that useless noise it creates. I have tried all kinds of filtering rules but Sysmon still logs all that cscript use. I could probably exclude cscript entirely but that would be wrong and create a big hole in security logging.

 

And thirdly, it's use of Cscript is problematic in itself. Nothing should be using Cscript these days. Actually we had Cscript completely disabled but had to make an exception for Meraki Agent.

Labels:
0 Kudos
3 Replies 3
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 13 2019 1:09 AM
‎Oct 13 2019 1:09 AM

>the Windows agent needs to be reworked ASAP.

 

100% agree.

0 Kudos
Meraki27
New here
‎Jun 18 2020 4:16 PM
‎Jun 18 2020 4:16 PM

I noticed this was posted sometime ago, but are you still having this issue?

I've noticed the same thing and can't seem to find any documentation or support to resolve this issue.

 

0 Kudos
In response to Meraki27
MerakiUsr10
New here
‎Jun 18 2020 9:14 PM
‎Jun 18 2020 9:14 PM

Hi,

 

Yes nothing has changed regarding this. Our endpoint protection (Kaspersky) log are still filling up with the Meraki events garbage. It still runs a CSscript in every short while and creates a tmp file in Windows temp directory. This in turn is obviously flagged by our endpoint solution. As the files are named randomly, I have not found a way to completely exclude them from scanning.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.