
ControlMinder (PIM/PAMCS) ... prevented killing of a process

Question asked by andreas.mericka1.1 on Apr 8, 2016
Latest reply on Jul 7, 2016 by Lluis_Domenech

Hi,

 

We are using CA CM 12.8 on a few hundred Windows servers (besides others).

 

CA CM prevents the killing of 2 processes (lsass and some CM process).

Here is a sample log entry from seaudit:

29 Feb 2016 00:00:00 N PROCESS NT AUTHORITY\SYSTEM Kill 601 10 c:\windows\system32\lsass.exe C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClient.exe (OS user)

This occurs about every 10 minutes, sometimes more often and of course spams our logs and log collectors.

 

The vendor of BESClient checked their logs and says that those kills are not initiated by their product.

I could prove that the killing stopped when stopping the BESClient, but I would like to give them a hint from where the killing really started (could be some subprocess!?).

Is there something I could do (trace?) to find out the real process initiating the kill and the chain back to the BESClient?

 

Any help is welcome!
