RSA NetWitness Endpoint 4.2 Windows Agents can cause an endpoint crash under certain circumstances

Document created by Kimberley Heath Employee on Sep 29, 2016
Version 1Show Document
  • View in full screen mode

Dear Valued RSA Customer,




RSA has found an issue in the RSA Netwitness Endpoint 4.2 Windows Agent, which can cause certain endpoints to crash. A fix is being created, and will be made available in an upcoming patch.


Affected Products:

RSA Netwitness Endpoint 4.2 Microsoft Windows agents deployed in the “No Monitoring” or “Network Monitoring Only” mode. (Agents deployed in “Full User Monitoring” or “Full User Monitoring – Exclude Network Events” modes will remain unaffected by this condition).


Scenario Details:

When the Global Parameters or Machine Group features are used to disable and re-enable blocking across a group of agents, the later switch causes agents targeted by the re-enable command to crash (BSOD).




  1.       For RSA Netwitness Endpoint 4.2 deployments where this crash has occurred, the solution is to re-install the agent and reboot the machine. As long as the sequence described in the Scenario Detail paragraph does not re-occur, the agents will be stable and no crashes will occur.


  1.       For RSA Netwitness Endpoint 4.2 deployments where the Windows Agents are deployed in No Monitoring / Network Monitoring Only mode, please do not toggle the Blocking feature off and then on before an upgrade becomes available.


  1.       For RSA Netwitness Endpoint 4.2 server-only deployments (new server, older 4.1.* Windows agents), or deployments in which the new agents are deployed in full monitoring mode, do nothing. These deployments are not affected. Also unaffected are Linux and OS X agents.


  1.       For planned upgrades and new deployments, please defer to the upcoming patch, which will remove this risk.


EOPS Policy:

RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.