App allowed through elastic endpoint due to message processing error

lusynda · December 24, 2020, 7:19am

Hi all.
I have been trying to use elastic endpoint sec since yesterday and the agent on windows having some problems that i dont really know how to fix.
It constantly say that some app or dll lib is allowed due to message processing failure, along with the error code -4.

Can some one point out how to fix this problems for me Please.
Thanks for your time.

austinsonger · December 24, 2020, 7:24am

Is there any log output you can post?

lusynda · December 24, 2020, 8:39am

Here it is:

{"@timestamp":"2020-12-24T08:27:24.7297861Z","agent":{"id":"cbe9e22f-abd6-0856-f39f-3608e6d50e49","type":"endpoint"},"ecs":{"version":"1.5.0"},"log":{"level":"error","origin":{"file":{"line":631,"name":"SyncKernelMessageManager.cpp"}}},"message":"SyncKernelMessageManager.cpp:631 Process ID 7588: [C:\\Windows\\system32\\UIRibbon.dll] is allowed due to message processing failure, error code -4","process":{"pid":8152,"thread":{"id":9784}}}
{"@timestamp":"2020-12-24T08:27:24.811824Z","agent":{"id":"cbe9e22f-abd6-0856-f39f-3608e6d50e49","type":"endpoint"},"ecs":{"version":"1.5.0"},"log":{"level":"error","origin":{"file":{"line":631,"name":"SyncKernelMessageManager.cpp"}}},"message":"SyncKernelMessageManager.cpp:631 Process ID 7588: [C:\\Windows\\system32\\UIRibbonRes.dll] is allowed due to message processing failure, error code -4","process":{"pid":8152,"thread":{"id":7708}}}
{"@timestamp":"2020-12-24T08:27:24.9668221Z","agent":{"id":"cbe9e22f-abd6-0856-f39f-3608e6d50e49","type":"endpoint"},"ecs":{"version":"1.5.0"},"log":{"level":"error","origin":{"file":{"line":631,"name":"SyncKernelMessageManager.cpp"}}},"message":"SyncKernelMessageManager.cpp:631 Process ID 7588: [C:\\Windows\\system32\\PhotoMetadataHandler.dll] is allowed due to message processing failure, error code -4","process":{"pid":8152,"thread":{"id":9420}}}

ferullo · December 28, 2020, 2:47pm

This is an erroneous log message we're working to remove. Endpoint is working properly.

austinsonger · December 28, 2020, 9:11pm

I'm glad you answered this. I was wondering. I've been pondering on this and looking through Elastic issues on github to see if I could find something on this and just couldn't find anything.

system · January 25, 2021, 9:11pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.