Apr 24, 2024

Sysmon and Events Monitor Update

  • The Sysmon Installer component improved its ability to detect system crashes.

    The Sysmon Installer component manages the Sysmon service installation and monitors for system crashes. If a crash occurs, it uninstalls the Sysmon service to protect the asset from recurring system crashes. However, this has led the Sysmon Installer to uninstall Sysmon unnecessarily, even if Sysmon did not cause the crash.

    Now, version 1.10 of the Sysmon Installer leaves Sysmon running and does not uninstall it if the Installer fails to read the crash dump due to a system shutdown. In all other scenarios, the Sysmon Installer will uninstall Sysmon as a protective measure to ensure the safety of the endpoint.