000033318 - RSA ECAT blocking fails following reboot

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000033318
Applies ToRSA Product Set: ECAT
RSA Product/Service Type: ECAT Agent
RSA Version/Condition: 4.1.0.x, 4.1.1.x
Platform: Windows
IssueRSA ECAT Agents installed on Windows systems are subject to a bug that prevents the agent from blocking modules following a reboot of the endpoint system.
CauseThis is caused by the registry key in \HKLM\SYSTEM\ControlSet001\services\EcatServiceDriver#####\SentinelConfig not being correctly set on reboot, as the call to IOCTL_REFRESH_BLOCKED_LIST is not made prior to loading the driver after reboot. Although this call can be made while the agent is running, it will not block any processes started prior to the call.
ResolutionThe correct resolution to this issue is to upgrade the client agents to ECAT version 4.1.2.x or later so the driver is loaded with blocking enabled.