4 Replies Latest reply on Feb 7, 2008 4:02 AM by metalhead

    Issue with RSSensor.exe

      Upon logging into one of our domain controllers, we are prompted with an error that the Rogue Sensor has crashed.

      A quick research of RSSensor.exe (using Process Explorer* by Sysinternals/Microsoft) revealed that it's attaching to C:\windows\system32\packet.dll and C:\windows\system32\WanPacket.dll while engaged.

      Looking at the file properties for C:\windows\system32\packet.dll, I discovered that this DLL is owned by WinPcap ... which was installed as part of the Wireshark sniffer tool.

      Perhaps that is part of the problem. It seems unlikely that two 3rd party companies would use each other's DLLs.

      Thoughts / feedback?

      *Process Explorer can be found here:
      http://www.microsoft.com/technet/sysinternals/SystemInformation/ProcessExplorer.mspx
        • 1. RE: Issue with RSSensor.exe
          metalhead
          What is the file version of your rssensor.exe ?
          • 2. RSSensor.exe version
            ePO Rogue System Sensor

            Location:
            C:\Program Files\Network Associates\Rogue System Sensor\RSSensor.exe

            File Version: 1.0.0.0
            Build: 887
            Internal Name: Snowcap Sensor
            Product Version: 1.0.887
            • 3. RSSensor_out.log
              Now that I am in the app's folder, I noticed RSSensor_out.log which contains the following:

               


              02-06-08 16:34:25, [3240] FATAL RSSensor <> - Failed to load the WinPcap.dll library.

              02-06-08 16:39:26, [724] INFO RSSensor <> - ePO Rogue System Sensor 1.0.887
              02-06-08 16:39:26, [3068] FATAL RSSensor <> - Failed to load library: wpcap.dll126
              Failed to load library: wpcap.dll, The specified module could not be found.

              02-06-08 16:39:26, [3068] FATAL RSSensor <> - Failed to load the WinPcap.dll library.

              02-06-08 16:44:28, [1272] INFO RSSensor <> - ePO Rogue System Sensor 1.0.887
              02-06-08 16:44:28, [5648] FATAL RSSensor <> - Failed to load library: wpcap.dll126
              Failed to load library: wpcap.dll, The specified module could not be found.

              02-06-08 16:44:28, [5648] FATAL RSSensor <> - Failed to load the WinPcap.dll library.



              Looks as though I was right on the money with my suggested catalyst.

              Ideas?
              • 4. RE: RSSensor_out.log
                metalhead
                Also, you are running an old sensor version. New sensor versions were imported with different patch versions of ePO. The problem is that there is no way of directly upgrading a sensor, so you must uninstall all sensors and redeploy them. With a current ePO server version you should get a sensor of version 1.0.0.9xx.
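
The following is an added example, not part of the original thread and not McAfee code. It parses the RSSensor_out.log excerpt from reply 3 and reports which library failed to load, the sensor version, and how often the sensor restarts. The function names are hypothetical. It assumes that timestamps are mm-dd-yy and that the digits appended to the DLL name are the Win32 error code (126 is ERROR_MOD_NOT_FOUND, which matches the log's own "The specified module could not be found").

```python
import re
from datetime import datetime

# Sample input: the log lines quoted in reply 3, embedded so the script runs offline.
SAMPLE_LOG = """\
02-06-08 16:34:25, [3240] FATAL RSSensor <> - Failed to load the WinPcap.dll library.
02-06-08 16:39:26, [724] INFO RSSensor <> - ePO Rogue System Sensor 1.0.887
02-06-08 16:39:26, [3068] FATAL RSSensor <> - Failed to load library: wpcap.dll126
Failed to load library: wpcap.dll, The specified module could not be found.
02-06-08 16:39:26, [3068] FATAL RSSensor <> - Failed to load the WinPcap.dll library.
02-06-08 16:44:28, [1272] INFO RSSensor <> - ePO Rogue System Sensor 1.0.887
02-06-08 16:44:28, [5648] FATAL RSSensor <> - Failed to load library: wpcap.dll126
Failed to load library: wpcap.dll, The specified module could not be found.
02-06-08 16:44:28, [5648] FATAL RSSensor <> - Failed to load the WinPcap.dll library.
"""

ENTRY = re.compile(r"^(\d\d-\d\d-\d\d \d\d:\d\d:\d\d), \[(\d+)\] (\w+) RSSensor <> - (.*)$")
LOAD_FAIL = re.compile(r"Failed to load library: (\S+?\.dll)(\d+)?$")
BANNER = re.compile(r"ePO Rogue System Sensor (\S+)$")
WIN32 = {126: "ERROR_MOD_NOT_FOUND"}  # assumption: trailing digits are a Win32 code

def parse(text):
    """Return timestamped entries; untimestamped lines continue the previous entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%m-%d-%y %H:%M:%S")  # assumed mm-dd-yy
            entries.append({"ts": ts, "tid": int(m.group(2)), "level": m.group(3), "msg": m.group(4)})
        elif line.strip() and entries:
            entries[-1]["msg"] += " | " + line.strip()
    return entries

def summarize(entries):
    """Collect sensor versions, missing libraries, and the gaps between start-ups."""
    versions, missing, starts = set(), {}, []
    for e in entries:
        banner = BANNER.search(e["msg"])
        if e["level"] == "INFO" and banner:
            versions.add(banner.group(1))
            starts.append(e["ts"])
        fail = LOAD_FAIL.search(e["msg"].split(" | ")[0])
        if e["level"] == "FATAL" and fail:
            code = int(fail.group(2)) if fail.group(2) else None
            missing[fail.group(1)] = WIN32.get(code, code)
    gaps = [int((b - a).total_seconds()) for a, b in zip(starts, starts[1:])]
    return {"versions": sorted(versions), "missing": missing, "restart_gaps_s": gaps}
```

Calling `summarize(parse(SAMPLE_LOG))` on the excerpt shows a single missing library and a restart roughly every five minutes, the pattern of a service that is relaunched and fails at the same load step each time.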