Sysmon 6 and 7 Locking Up Trend Officescan and Entire Server on Server 2008R2

[HanSolo71]

We have been having issues with our Server 2008R2 machines locking up for the last 2 years, after much research and working with Trend it appears that this is an issue caused by sysmon and they refuse to fix it.

Here is there responses.

Hi All,

Good day! so I did ask our Developers if they have a plan to release a hotfix and this is what they said.

"It is SysmonDrv.sys that blocks the IPC operation in Ntrtscan as previous update shows.We will not have plan to release hotfix for this issue.
Actually, customer should contact Microsoft for the further investigation as removing sysmon driver resolve the issue"

Based on the Dump files It is the SysmonDrv.sys that is blocking the IPC operationg in the Ntrtscan (Real time Scan). So it is not actually the Trend Micro OfficeScan that has the problem it is the SysmonDrv.sys that is causing the conflict.

As per the suggestion of the Developers you need to contact the Microsoft for the further investigation since we prove that removing the Sysmon actually fix the issue

[analyze-v]

Could you try adding the following to your config file

<ImageLoad onmatch="exclude">
<Image condition="image">Ntrtscan.exe</Image>
</ImageLoad>