Wednesday 9 October 2019

Azure ATP sensor not starting

In one of my customers' Azure ATP dashboards this health error appeared:

On the domain controller in question, the Azure ATP Sensor (aatpsensor) service was stuck in a starting loop, and event 7031 was flooding the System event log.

The Microsoft.Tri.Sensor-Errors.log file (in %programfiles%\Azure Advanced Threat Protection Sensor\<version>\Logs\) points to the problem:

Error WinPcapDeviceList SharpPcap.PcapException: No interfaces found! Make sure libpcap/WinPcap is properly installed on the local machine.

WinPcap... as in the one that ships with Wireshark? Indeed.

Wireshark was installed on the domain controller with the sensor problem. It was no longer needed, so I uninstalled all Wireshark components and the Azure ATP Sensor, then reinstalled the Azure ATP Sensor.

Now the sensor works again.

Running Wireshark on a domain controller that hosts the Azure ATP Sensor is a problem, because both applications use the WinPcap component.
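An added PowerShell check (not from the original post, and not part of the Azure ATP product) that looks for the three indicators described above on a domain controller: the state of the aatpsensor service, event 7031 in the System log, and the WinPcap "No interfaces found" error in the sensor error log, plus any Wireshark or WinPcap entry in the installed-programs registry keys. The log file name, its location and the error text come from the post; matching event 7031 on the service display name and reading the Uninstall registry keys are assumptions of this script.

```powershell
# Added diagnostic script; not part of the original post.
# Checks a domain controller for the symptoms described above and reports them together.
$serviceName = 'aatpsensor'
$svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning "Service '$serviceName' is not installed on this host."
    return
}
Write-Output ("Sensor service '{0}' is {1}" -f $svc.DisplayName, $svc.Status)

# Symptom 1: Service Control Manager event 7031 (service terminated unexpectedly),
# which is what a service stuck in a start/crash loop leaves in the System log.
# Assumption: the event text contains the service display name, as SCM events normally do.
$filter = @{ LogName = 'System'; Id = 7031; StartTime = (Get-Date).AddHours(-24) }
$crashes = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($svc.DisplayName) }
Write-Output ("Event 7031 entries for the sensor in the last 24h: {0}" -f @($crashes).Count)

# Symptom 2: the WinPcap error in Microsoft.Tri.Sensor-Errors.log. The sensor keeps its
# logs under a version-numbered folder, so search the install root recursively.
$sensorRoot = Join-Path $env:ProgramFiles 'Azure Advanced Threat Protection Sensor'
$pcapErrors = Get-ChildItem -Path $sensorRoot -Recurse -Filter 'Microsoft.Tri.Sensor-Errors.log' -ErrorAction SilentlyContinue |
    Select-String -Pattern 'No interfaces found' -SimpleMatch
Write-Output ("WinPcap 'No interfaces found' errors in sensor logs: {0}" -f @($pcapErrors).Count)

# Symptom 3: Wireshark or WinPcap listed in the installed-programs registry keys (assumed location).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$pcapApps = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'Wireshark|WinPcap' } |
    Select-Object -ExpandProperty DisplayName -Unique
$appList = if ($pcapApps) { $pcapApps -join ', ' } else { 'none' }
Write-Output ("Wireshark/WinPcap entries in installed programs: {0}" -f $appList)

# Verdict: all indicators together match the conflict described in the post.
if ($svc.Status -ne 'Running' -and @($pcapErrors).Count -gt 0 -and $pcapApps) {
    Write-Warning "Matches the WinPcap conflict: remove Wireshark/WinPcap, then reinstall the Azure ATP Sensor."
} elseif (@($crashes).Count -gt 0) {
    Write-Warning "Sensor is crashing but no WinPcap indicator was found; check the error log for another cause."
} else {
    Write-Output "No WinPcap conflict indicators found."
}
```

Run it in an elevated PowerShell session on the domain controller, since reading the System log and the sensor's log folder requires local administrator rights.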