Microsoft Advanced Threat Analytics Installation Issues

Today I tried to get the new Microsoft Advanced Threat Analytics up and running in my lab. Since it is released and is also included in the Enterprise Mobility Suite (EMS), you really should have a look at it.
For the installation, make sure that you can really check off the following points:

  • Only one Server is required (you can deploy the ATA Service and the Gateway(s) on different Servers)
  • You have to use Windows Server 2012 R2
  • Be sure that you have updated your Server (especially KB2919355)
  • The VM requires two Network Adapters

See also the official TechNet Documentation for all the Installation Requirements.

Unfortunately, my Server was not correctly patched, so the ATA Gateway Installer always crashed; in the Event Log I could find entries from .Net Runtime with Event ID 1026 and from Application Error with Event ID 1000.
The messages start with an Information event from Windows Error Reporting with Event ID 1001 and the following content:

Fault bucket , type 0
Event Name: CLR20r3
Response: Not available
Cab Id: 0
Fault bucket , type 0
Event Name: CLR20r3
Response: Not available
Cab Id: 0

The .Net Runtime Error was:

Faulting application name: Microsoft ATA Gateway Setup.exe, version: 1.5.2946.21571, time stamp: 0x561d8cdc
Faulting module name: KERNELBASE.dll, version: 6.3.9600.18007, time stamp: 0x55c4bcfc

After reading the link provided earlier (here again), I could not find any differences, except for the updated Server topic. I briefly checked that, and after updating the Gateway Server, the installation worked flawlessly.
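As an added example (not part of the original post and not Microsoft's own tooling), here is a PowerShell pre-flight that checks the three requirements listed above on the prospective Gateway server and, if Setup already crashed, pulls the event signature described (WER 1001, .Net Runtime 1026, Application Error 1000). Build number 9600 is the Windows Server 2012 R2 build; the "at least two adapters" threshold is taken from the list above.

```powershell
# Added pre-flight check for the ATA Gateway requirements in this post.
# Run in an elevated PowerShell session on the server before starting Setup.

$report = [ordered]@{}

# 1. Windows Server 2012 R2 reports build 9600 (the KERNELBASE.dll version
#    in the crash above, 6.3.9600, is the same build line).
$os = Get-CimInstance Win32_OperatingSystem
$report['OS is Server 2012 R2 (build 9600)'] = ($os.BuildNumber -eq '9600')

# 2. KB2919355 (the Server 2012 R2 Update from April 2014) must be present;
#    its absence is what made the installer crash in the post.
$hotfix = Get-HotFix -Id 'KB2919355' -ErrorAction SilentlyContinue
$report['KB2919355 installed'] = [bool]$hotfix

# 3. The Gateway VM needs two network adapters.
$nics = @(Get-NetAdapter -Physical | Where-Object Status -eq 'Up')
$report['At least two NICs up'] = ($nics.Count -ge 2)

$report.GetEnumerator() | ForEach-Object {
    '{0,-5} {1}' -f ($(if ($_.Value) { 'OK' } else { 'FAIL' }), $_.Key)
}

# 4. If Setup has already failed, list the crash signature from the post:
#    Application log, Event IDs 1000/1001/1026, mentioning the Gateway Setup
#    executable or the CLR20r3 event name.
$filter = @{ LogName = 'Application'; Id = 1000, 1001, 1026 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'ATA Gateway Setup|CLR20r3' } |
    Select-Object TimeCreated, Id, ProviderName,
        @{ n = 'Summary'; e = { ($_.Message -split "`n")[0].Trim() } } |
    Format-Table -AutoSize
```

Any FAIL line in the first block should be fixed (Windows Update for KB2919355, add the second adapter) before running the Gateway installer again.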

And after waiting some minutes (this is also pointed out in the TechNet articles: the ATA Gateway requires some minutes when it starts for the first time), I could see my attackers on the net, which was myself 🙂
Microsoft ATA Warning

I would also like to point to this very interesting TechNet blog post from Ken Lince: http://blogs.technet.com/b/klince/archive/2016/01/10/microsoft-advanced-threat-analytics-lab-setup-and-demo.aspx

Hope this helps
