We are running Windows 2000 server, with agent version 4.0. The event logs and CSA event logs are logging to events.

what is the exact agent version? are you running the server kit on servers?

we are running version 4.0.1.540

try to run the agents in test mode, ten analyze the logs and csalog.txt file

try to upgrade

As far as upgrading is concerned I don't see any "fixes" that directly relate to why the Time service might be failing. However, the updates DO propose to repair several memory leaks in the Apache Web service and in the Agent. Might me a wise move then to eliminate "other" causes by updating to the current version (736).

4.0.3 UPDATE DETAILS

NEW FEATURES

Version 4.0.3 has the following new features:

- CSA now supports Windows 2003 Server for Windows Agents. Supported platforms

are Standard Edition, Enterprise Edition, and Web Edition. Datacenter Edition

is not supported. (Note that the CSA MC and VMS 2.2 both remain not supported

on all editions of Windows 2003.)

- CSA now supports Windows XP SP2 for Windows Agents.

- CSA now supports Cisco's Network Access Control (NAC) functionality. Please refer

to http://www.cisco.com/en/US/netsol/ns466/networking_solutions_sub_solution_home.html

for more information.

- CSA now includes the policy "Windows Service Host Security Module", which provides

additional layers of protection in the event of attacks that evade buffer overflow

detection (as described in Phrack62) by targeting a known vulnerability

in the Windows OS. This policy module may be attached to appropriate groups to

improve defenses against certain buffer overflow attacks. Note that it is possible

that this policy may result in some false positives that deny legitimate activities.

In this case, the policy wizard may be used to eliminate such false positives.

RESOLVED ISSUES

Update 4.0.3.736 addresses the following issues:

Defect Description

------ -----------

CSCeg11439 Machines with Sophos Antvirus and the CSA running Windows XP Spk 2

sometimes hangs upon boot time or when logging off and logging in

CSCeg05257 Services.exe takes up 100% of CPU due to NT Event Log

creating a large event that the CSA cannot process

CSCeg14004 Software updates for Solaris agents fail

CSCef50728 CSACenter driver failed to hook the kernel API ZwLoadDriver

on Windows NT Service Pack 6A machines

CSCef59443 Solaris Netshim does not protect all the adapters in a multi-NIC

machine using Zynx cards

CSCef73720 Leventmgr consumes high CPU and "no root dir in path" in the csalog.txt

CSCef73629 Bluescreen referencing csacenter on new W2k, W2k3, WinXP installs

CSCef69730 The Network Shim interferes with Dialup networking (DUN) and WinXP

CSCef73374 csauser.dll not compatible with Sabre View Client Software

CSCef85732 network shim causes a crash when Checkpoint Firewalls switches over

from one to the other (failover, redundant mode) using Zynx NICs

CSCef96160 Secondary DCOM exploit can be launched while query remains unanswered

CSCef39894 Sending SNMP traps fails over time due to unclosed sockets

CSCef76090 Windows 2003 Domain Controller Bluescreen

CSCef81457 Data stream information shown, causing syntax problems with Profiler

and the rules wizard.

CSCeg02824 module in kernel protection

CSCef97127 Additional Winlogon.exe pattern exclusion that resolves issue

of Windows XP service Pack 2 machines not booting up

CSCeg13232 Software updates for Solaris agents on some Checkpoint Firewalls

do not update due to a path issue

CSCeg11609 Netshim blocks VPN connections on machines using some versions of

Cisco VPN Client 4.0.5

CSCeg01956 SMS 2003 Client cannot receive jobs from the SMS server

CSCeg76539 Bluescreen in csacenter on XP spk2

CSCeg11439 XP spk2 hangs with the agent installed during login (leventmgr)

CSCeg67061 TDIShim bluescreen in Unity