A memory leak exists in recent versions of the Sysmon utility that could cause a computer to run out of memory and crash if its configuration file is routinely updated through a scheduled task or some other method.
Sysmon is a Microsoft Sysinternals tool that quietly runs in the background collecting system information and logging it to the Windows event logs. Once installed, it will be configured to start automatically as a service and a driver so that it begins collecting information after a reboot.
Among those who use the program, it is common to use premade configuration files that are loaded into the program when it is installed. After installation, you can then make changes to the config and load them into the program by issuing the following command:
sysmon -c [configuration_file]
To help those who wish to get started with Sysmon, other administrators, experts, and researchers have created configuration files that others can use as they are or as a base for their own. These can then be loaded into Sysmon to monitor various activity and information on the computer.
For example, SwiftOnSecurity created a Sysmon configuration file and shared it on GitHub that will monitor for and log intrusion events and malicious activity to the Windows event log. A security researcher named Ionstorm forked this configuration file to create a Threat Intelligence SIEM fork that is constantly updated on users’ computers through a scheduled task.
In a recent tweet, Ionstorm stated that users of Sysmon 8.0.0, and possibly 8.0.2, should upgrade to the latest 8.0.4 version in order to resolve a memory leak issue.
Heads up admins if you still run sysmon 8.0.0 and you run a scheduled task to update the sysmon config each reload will use approximately 15mb of ram, after 30 days it will max out memory on your servers if they don't reboot. Memory is locked in non-paged pool. 8.0.4 resolves
— ɯɹoʇsuoı (@ionstorm) January 23, 2019
The researcher stated that users who routinely update the configuration will trigger a memory leak that could cause a computer to run out of memory and eventually crash.
“We found the memory leak with poolmon, we have scripts that update the config hourly and pull a xml from github,” Ionstorm told BleepingComputer. “Each reload spikes the non-paged pool 15mb, and we had that run hourly. On servers for 30 days they were all crashing.”
Other users also reported this issue in a topic on Microsoft’s Sysinternals forum, where one user described a bug in which NonPaged memory was not freed after it was used and kept growing each time the configuration was reloaded.
“I faced a bug in Sysmon (ver. 7.01 and 7.03) – Sysmon’s driver (SysmonDrv.sys) consumes new area in Nonpaged pool memory every time configuration reloads, but driver does not free old area in Nonpaged pool memory. As a result, We can see memory leak. I found this problem on my VM, which had only 4GB RAM and more than 180 uptime days.”
According to Microsoft Sysinternals developer Mark Cook, he fixed this bug in version 8.0.4, which was released towards the end of December 2018.
If you are using Sysmon and routinely update your configuration file, then you should make sure you are running the latest version or your computer will eventually run out of memory.
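To check whether a machine shows the per-reload non-paged pool growth described above, the following PowerShell script samples the pool before and after each `sysmon -c` reload. It is an added example, not code from the article or from Ionstorm; the configuration path, reload count, threshold and the service names `Sysmon`/`Sysmon64` are assumptions.

```powershell
# Added example (not from the article): measure non-paged pool growth per
# Sysmon configuration reload. Run from an elevated prompt on a test machine.
param(
    [string]$ConfigPath = 'C:\Tools\sysmon-config.xml',  # assumed path to your config
    [int]$Reloads = 5,                                   # number of reloads to sample
    [double]$ThresholdMB = 5                             # assumed per-reload alert level
)

function Get-NonPagedPoolMB {
    # Win32_PerfFormattedData_PerfOS_Memory exposes the same value as the
    # "Memory\Pool Nonpaged Bytes" performance counter.
    $m = Get-CimInstance -ClassName Win32_PerfFormattedData_PerfOS_Memory
    [math]::Round($m.PoolNonpagedBytes / 1MB, 1)
}

# Find the installed Sysmon service (assumed to be named Sysmon or Sysmon64).
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Sysmon' OR Name='Sysmon64'" |
    Select-Object -First 1
if (-not $svc) { throw 'Sysmon service not found.' }
$exe = $svc.PathName -replace '^"?(.+?\.exe)"?.*$', '$1'
"Sysmon binary: $exe (file version $((Get-Item $exe).VersionInfo.FileVersion))"

$samples = for ($i = 1; $i -le $Reloads; $i++) {
    $before = Get-NonPagedPoolMB
    & $exe -c $ConfigPath | Out-Null       # same reload a scheduled task would perform
    Start-Sleep -Seconds 10                # let pool usage settle
    $after = Get-NonPagedPoolMB
    [pscustomobject]@{ Reload = $i; BeforeMB = $before; AfterMB = $after
                       DeltaMB = [math]::Round($after - $before, 1) }
}
$samples | Format-Table -AutoSize

# Growth on every reload that never falls back matches the leak pattern reported above.
$leaking = @($samples | Where-Object { $_.DeltaMB -ge $ThresholdMB }).Count -eq $Reloads
if ($leaking) {
    Write-Warning "Non-paged pool grew by >= $ThresholdMB MB on each reload; upgrade Sysmon."
} else {
    'No consistent per-reload growth observed.'
}
```

The counter is system-wide, so other drivers add noise; a consistent step of roughly the same size on every reload is the signal to look for.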