Technical Advisory for RSA NetWitness Endpoint 4.x agents running on Windows 10 version 1903

Document created by RSA Product Team Employee on Jul 17, 2019Last modified by RSA Product Team Employee on Jul 17, 2019
Version 2Show Document
  • View in full screen mode


Due to recent changes in the Windows 10 version 1903 (build 18362) kernel, RSA NetWitness Endpoint 4.x (aka ECAT) agents might have received a dynamic kernel update from RSA which could, on occasion, result in a system stop (i.e. BSOD) error.  All Customers should follow the steps below to mitigate this issue.


Affected Products:
RSA NetWitness Endpoint 4.x with agents running on Windows 10 version 1903.



RSA NetWitness Endpoint agent systems running Windows 10 build 1903 might encounter a system stop (i.e. BSOD) error and reboot. RSA NetWitness Endpoint agents running other versions of Windows 10 are unaffected.



To update deployed RSA NetWitness Endpoint servers and agents, first perform the following steps on each RSA NetWitness Endpoint server:

    1. Stop the RSA ECAT Server service.
    2. In SQL Management Studio, run the following command for each ECAT$PRIMARY and ECAT$SECONDARY database:

      delete KernelData where Description like '10.0.18362.%'

    3. Run the following SQL command and confirm that the old kernel encodings were deleted:

      select * from KernelData where Description like '10.0.18362.%'

      There should be 0 active encodings at this time.
    4. Restart the RSA ECAT Server service. Updated content should be downloaded automatically by RSA NetWitness Endpoint servers from RSA Live within 30 minutes. In environments without direct access to RSA Live, use the ConsoleServerSync utility to update kernel data.
    5. Confirm the content update. Run the following command:

      select * from KernelData where Description like '10.0.18362.%'


Once each RSA NetWitness Endpoint server has been updated, determine if you have any remaining agents running on Windows 10 version 1903 (build 18362).


  1. In the RSA NetWitness Endpoint UI, click the Machines view.
  2. Using the Column Chooser, add a column called OS Build Number, and look for agents with build 18362. 

The agents on these systems must either be upgraded or re-installed. If you are re-installing the agents, use the Force Overwrite option in the RSA NetWitness Endpoint Packager.

For additional documentation, downloads, and more, visit the RSA NetWitness Platform page on RSA Link.


EOPS Policy:

RSA has a defined End of Primary Support policy associated with all major versions. For additional details, refer to the Product Version Life Cycle.