Nov 29, 2023

Sysmon and Events Monitor Update

  • The Sysmon Installer component now only uninstalls Sysmon if it causes a system crash.

    The Sysmon Installer component manages the Sysmon service installation and monitors for system crashes so that it can uninstall the Sysmon service if a crash occurs. It uninstalls Sysmon to protect the asset from recurring system crashes. However, because any crash triggered the uninstall, this led the Sysmon Installer to remove Sysmon unnecessarily, even when Sysmon did not cause the crash.

    Now, version 1.9 of the Sysmon Installer uninstalls Sysmon only if Sysmon caused the system crash. After a crash, the Sysmon Installer analyzes the crash dump to determine which component caused it: if the dump attributes the crash to Sysmon, the service is uninstalled; if the dump attributes it to something else, Sysmon is left installed. If no crash dump is available after a system crash, the Sysmon Installer cannot rule Sysmon out and uninstalls it as a protective measure to ensure the safety of the endpoint.
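    The following PowerShell script is an added illustration of the decision described above and is not the vendor's Sysmon Installer code. It reads the last bugcheck record from the System event log, locates the crash dump it names, asks the Windows debugger (kd.exe) which module the crash is attributed to, and returns one of the three outcomes: keep Sysmon, uninstall because the dump blames the Sysmon driver, or uninstall because no dump exists. The kd.exe path, the symbol cache path, the function names, and the Sysmon64.exe location are assumptions for this example.

```powershell
# Added example, not the Sysmon Installer's own code. Assumes the Windows
# Debugging Tools are installed at the path below (assumption) and that the
# script runs with administrative rights (needed to read the System log and
# the dump file).
$KdPath        = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\kd.exe'   # assumed install path
$SymbolPath    = 'srv*C:\symbols*https://msdl.microsoft.com/download/symbols'   # assumed symbol cache
$SysmonBinary  = 'C:\Windows\Sysmon64.exe'                                       # assumed default install location

function Get-LastBugCheck {
    # After a reboot from a bugcheck, Windows writes Event ID 1001 (source
    # "BugCheck") to the System log; its message names the saved dump file.
    $ev = Get-WinEvent -FilterHashtable @{
              LogName      = 'System'
              ProviderName = 'Microsoft-Windows-WER-SystemErrorReporting'
              Id           = 1001
          } -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $ev) { return $null }

    $dump = $null
    if ($ev.Message -match 'A dump was saved in:\s*(?<path>.+?\.dmp)') {
        $dump = $Matches['path'].Trim()
    }
    [pscustomobject]@{ Time = $ev.TimeCreated; DumpPath = $dump; Message = $ev.Message }
}

function Get-FaultingModule {
    param([Parameter(Mandatory)][string]$DumpPath)
    # Run the debugger's crash triage on the dump. "!analyze -v" prints lines such as
    # "MODULE_NAME: SysmonDrv" and "IMAGE_NAME:  SysmonDrv.sys" for the module it blames.
    $out = & $KdPath -y $SymbolPath -z $DumpPath -c '!analyze -v; q' 2>&1 | Out-String
    if ($out -match 'IMAGE_NAME:\s*(?<img>\S+)')      { return $Matches['img'] }
    if ($out -match 'MODULE_NAME:\s*(?<mod>\S+)')     { return $Matches['mod'] }
    return $null
}

function Get-SysmonUninstallDecision {
    param([string]$SysmonDriverName = 'SysmonDrv')   # Sysmon's default driver name
    $bc = Get-LastBugCheck
    if (-not $bc) {
        return [pscustomobject]@{ Uninstall = $false; Reason = 'No bugcheck recorded in the System log' }
    }
    if (-not $bc.DumpPath -or -not (Test-Path -LiteralPath $bc.DumpPath)) {
        # A crash occurred but there is no dump to attribute it, so Sysmon cannot be
        # ruled out; remove it as a precaution, as the release note describes.
        return [pscustomobject]@{ Uninstall = $true; Reason = 'Crash recorded but no crash dump found; uninstalling as a precaution' }
    }
    $module = Get-FaultingModule -DumpPath $bc.DumpPath
    if ($module -and $module -like "$SysmonDriverName*") {
        return [pscustomobject]@{ Uninstall = $true; Reason = "Crash dump attributes the bugcheck to $module" }
    }
    return [pscustomobject]@{ Uninstall = $false; Reason = "Crash dump attributes the bugcheck to '$module', not to Sysmon; keeping Sysmon installed" }
}

# Usage: evaluate the most recent crash and remove Sysmon only when warranted.
$decision = Get-SysmonUninstallDecision
Write-Host "Uninstall Sysmon: $($decision.Uninstall) ($($decision.Reason))"
if ($decision.Uninstall -and (Test-Path -LiteralPath $SysmonBinary)) {
    & $SysmonBinary -u force    # Sysmon's own uninstall switch; "force" removes it even if the service is unresponsive
}
```

    Two caveats a practitioner should keep in mind. First, the quality of the attribution depends on symbols: without a reachable symbol path, `!analyze -v` can still name the faulting image, but it is more likely to fall back to a generic module (for example `ntkrnlmp.exe`) and the decision above will then keep Sysmon installed. Second, the module named by `!analyze` is the one executing when the bugcheck fired, which is not always the root cause; a third-party filter driver that corrupts memory can crash inside SysmonDrv.sys. Treating that as "Sysmon caused it" is the conservative choice the release note makes, but the dump should still be reviewed before blaming Sysmon permanently.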