Technical Advisory: Old Version of Microsoft Sysinternals "handle.exe" tool causing BSOD

Summary
Tanium Incident Response content utilizes the Microsoft Sysinternals tool named handle.exe to evaluate information on open process handles on Windows machines. Tanium customers have witnessed previous versions of this tool, prior to 4.0, to cause a system crash when used on systems with specific third-party software installed. This crash is not common, but it has been witnessed on multiple versions of Windows and caused by multiple third-party software packages, so Tanium recommends that all customers update to the latest version of handle.exe to avoid any potential future occurrences.


Affected Customers
Tanium updated the Incident Response content to include the 4.0 release of handle.exe in September of 2014. Any customers that installed prior to that date and have not updated the Incident Response content since then are potentially affected.

Tanium customers can identify whether they are affected with two methods:

Method #1 - Version Verification of "handle.exe" Process using "Tanium File Version" Sensor

  1. Download the "Tanium File Version" Sensor:
    https://content.tanium.com/files/exchange/VersionCheck/TaniumFileVersion.xml
  2. Log into the Tanium Console.
  3. Go to the Authoring tab and click on the "Import From XML" button.
  4. Import the "Tanium File Version" Sensor that was downloaded in step 1.
  5. Ask the question, "Get Tanium File Version[Tools\IR\handle\handle.exe] from all machines"

    If any returned versions are older than 4.0.0, you need to update your content.

    Note that the Tanium File Version Sensor is for Windows only, so non-Windows endpoints will return [no results].

Method #2 - Package File Hash Verification

  1. Log into the Tanium Console.
  2. Go to the Authoring -> Packages tab and "edit" the "Distribute Incident Response Tools" Package.
  3. Verify that the Package contains the latest "Handle.zip" download (see attached screenshot) with a hash of:
    1c38d94c6f4c3471f6d73fa51f3c565786c4203524ccccbf1139aab2c56ecef4

    If you see a different hash, ensure that the Package has the latest from http://download.sysinternals.com/files/Handle.zip.

  4. Go to the Actions -> Scheduled Actions tab and verify that the "Distribute Incident Response Tools" Saved Action is enabled (see attached screenshot).

    If the Saved Action is disabled, enable it to ensure that Tanium Clients will receive the update. If the Saved Action is targeted to only a subset of the environment, move the Saved Action into an Action Group that encompasses the entire environment to ensure that all Tanium Clients will receive the update.
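Both methods above are run from the Tanium Console across the fleet. The following PowerShell script is an added example (not part of the Tanium advisory and not Tanium or Sysinternals code) that performs the same two checks locally on a single Windows endpoint, which is useful when validating one machine by hand or troubleshooting a client that reports an unexpected result. It assumes the Tanium Client install directory (the default passed to -ClientDir) and takes the location of the staged Handle.zip as a parameter, since that path varies by deployment; the relative path Tools\IR\handle\handle.exe, the 4.0.0 minimum and the SHA-256 hash are taken from the advisory. Get-FileHash requires PowerShell 4.0 or later.

```powershell
# Added example (not from the Tanium advisory or Sysinternals): check on one
# Windows endpoint whether handle.exe is older than 4.0.0 and whether the staged
# Handle.zip matches the SHA-256 hash given in the advisory.
# Assumptions: $ClientDir is the Tanium Client install directory; the location of
# the staged Handle.zip varies by deployment, so pass the real path with -HandleZip.
# Requires PowerShell 4.0+ for Get-FileHash.

$ExpectedZipHash = '1c38d94c6f4c3471f6d73fa51f3c565786c4203524ccccbf1139aab2c56ecef4'  # from the advisory
$MinimumVersion  = [version]'4.0.0'                                                    # from the advisory

function Test-HandleVersion {
    param(
        [string]$ClientDir = 'C:\Program Files (x86)\Tanium\Tanium Client'  # assumption
    )
    # Tools\IR\handle\handle.exe is the relative path queried by the Tanium File Version Sensor
    $exe = Join-Path $ClientDir 'Tools\IR\handle\handle.exe'
    if (-not (Test-Path -LiteralPath $exe)) {
        return [pscustomobject]@{ Path = $exe; Version = $null; Status = 'NotFound' }
    }
    $info = (Get-Item -LiteralPath $exe).VersionInfo
    # Build the version from the numeric parts rather than parsing the free-form FileVersion string
    $ver = New-Object System.Version $info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart, $info.FilePrivatePart
    $status = if ($ver -lt $MinimumVersion) { 'UpdateRequired' } else { 'OK' }
    [pscustomobject]@{ Path = $exe; Version = $ver; Status = $status }
}

function Test-HandleZipHash {
    param([Parameter(Mandatory)][string]$HandleZip)
    if (-not (Test-Path -LiteralPath $HandleZip)) {
        return [pscustomobject]@{ Path = $HandleZip; Hash = $null; Status = 'NotFound' }
    }
    # Compare case-insensitively: Get-FileHash returns upper-case hex, the advisory lists lower-case
    $hash = (Get-FileHash -LiteralPath $HandleZip -Algorithm SHA256).Hash.ToLowerInvariant()
    $status = if ($hash -eq $ExpectedZipHash) { 'OK' } else { 'HashMismatch' }
    [pscustomobject]@{ Path = $HandleZip; Hash = $hash; Status = $status }
}

# Usage (paths are assumptions; adjust for your deployment):
Test-HandleVersion
Test-HandleZipHash -HandleZip 'C:\Path\To\Handle.zip'
```

A Status of UpdateRequired from Test-HandleVersion corresponds to a Sensor result older than 4.0.0 in Method #1; a HashMismatch from Test-HandleZipHash corresponds to the "different hash" case in Method #2, and in either case the Package and Saved Action should be checked as described above.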


Solution

Tanium customers using version 6.5 can update their content by going to the Authoring -> Solutions tab in the Tanium Console and updating "Tanium Incident Response" to the latest version.

Tanium customers using version 6.2 will need to manually update the Package File for Handle.zip in the "Distribute Incident Response Tools" Package, or contact their TAM to update.


Workaround

To avoid the issue, customers may remove or avoid using the following Sensors:

  • File Handle Details
  • File Handles of Process
  • Mutex Handles of Process
  • Mutexes
  • Semaphores


Additional Information
Detailed information on the Handle tool can be found here:
https://technet.microsoft.com/en-us/sysinternals/handle.aspx


Comments

  • Kevin Chu

    [Update on March 8, 2016]

    All versions of handle.exe, including version 4.0, are susceptible to BSODs when used on endpoints using both Symantec Endpoint Encryption version 8.2.x (including 8.2.1 MP16HF2) and Symantec Removable Storage Encryption.  

    There is currently no known solution for Symantec Endpoint Encryption customers affected by this issue.  The only workaround is to remove the Symantec Endpoint Removable Storage Encryption solution.  The full disk encryption client does not need to be removed in order for this workaround to be successful.