Dec 23, 2021
1619
Problem:
Your production system or network monitoring tools are logging a lot of DNS queries for a decommissioned host.
In System Monitor (Sysmon) logs there are frequent Event Log entries of PPExtensionService.EXE that is querying that dead host computer’ FQDN.
Like in an example screenshot below.
Cause:
The cause of the problem is a PolicyPak Browser Router (PPBR) rule that has an Item-level Targeting (ILT) filter of the decommissioned host computer.
Resolution:
Correct the ILT condition or remove the filter that is in place for that computer.