Applies To
RSA Product Set: RSA NetWitness Endpoint
RSA Product/Service Type: RSA NetWitness Endpoint
RSA Version/Condition: 4.0.x, 4.1.x, 4.2.x, 4.3.x
Issue
When a fault such as malfunctioning hardware, faulty memory, a badly written device driver, or hardware/software running beyond its specified limits occurs on a Windows system, the system halts in a fatal error state known as the Blue Screen of Death (BSOD).
This article explains the correct process for handling a BSOD when the NetWitness Endpoint agent is suspected of being either the cause or the victim of the crash.
Tasks
1. Record the stop code.
2. Reboot the system.
3. Verify the agent version and upgrade the agent if possible.
4. Collect the Windows event logs.
5. Collect the crash dump.
6. Open a new case with RSA Support for root-cause analysis of the BSOD.
BSODs occur for many different reasons. The NetWitness Endpoint agent is a security agent that runs as a background process and is essentially invisible to the user. It has two components: one that runs in user mode and one that runs in kernel mode. Either component could be involved in a BSOD, but the kernel-mode component is the more likely one, because it does most of the work, such as scanning and gathering tracking data.
The NWE agent does not record logs, either during normal operation or during a crash, so there is no agent logging to aid analysis. Instead, RSA engineering must review the events surrounding the crash together with the processes that were running at the time; these are captured in the Windows crash dump file, which is the most informative source for determining the cause. The agent itself can be the cause of the crash, but it can also be the victim of another process.
BSOD Resolution Process
Notes
Additional information to retrieve:
1. Brand and version of any antivirus/malware detection products installed on the client machine.
2. Installed Microsoft updates. To get the list:
   Open an elevated PowerShell prompt locally on the machine.
   At the prompt, type: get-wmiobject -class win32_quickfixengineering > Updatelist.txt
   The file is written to the directory from which you ran the command.
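The following script is an added example, not part of this RSA article and not RSA's own tooling. It gathers, in one run, the items from the Tasks list (stop code, agent version, event logs, crash dump) and from the Notes section (antivirus products, installed updates) into a single folder that can be attached to the support case. The BugCheck/Kernel-Power event IDs, the CrashControl registry values, the root\SecurityCenter2 namespace and Win32_QuickFixEngineering are standard Windows interfaces; the way the agent version is looked up (an Uninstall registry entry whose DisplayName contains "NetWitness") and the output folder name are assumptions made for this example.

```powershell
# Added example (not from the RSA article). Run in an elevated Windows PowerShell
# session on the affected machine after it has rebooted. Lines marked ASSUMPTION
# are guesses made for this example, not facts stated in the article.
param(
    [string]$OutDir = (Join-Path $env:USERPROFILE ('BSOD-Collect-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))),
    [switch]$Zip
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$report = Join-Path $OutDir 'summary.txt'

# Task 1: the stop code. After the reboot Windows logs the bug check in the System
# log (shown in Event Viewer as source "BugCheck", event ID 1001); Kernel-Power
# event 41 also carries the BugcheckCode. Get-WinEvent throws when nothing matches,
# so errors are suppressed and an empty section simply means no record was found.
$bugCheck = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-WER-SystemErrorReporting'; Id = 1001 } -MaxEvents 10 -ErrorAction SilentlyContinue
$kernelPower = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Kernel-Power'; Id = 41 } -MaxEvents 5 -ErrorAction SilentlyContinue
'=== Task 1: BugCheck (1001) and Kernel-Power (41) events ===' | Out-File $report
@($bugCheck) + @($kernelPower) | Format-List TimeCreated, Id, ProviderName, Message | Out-File $report -Append

# Task 3: the agent version. ASSUMPTION: the agent registers a normal Uninstall
# entry whose DisplayName contains "NetWitness"; adjust the filter if it does not.
$uninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
'=== Task 3: installed products matching "NetWitness" (ASSUMPTION, see comment) ===' | Out-File $report -Append
Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*NetWitness*' } |
    Format-Table DisplayName, DisplayVersion, InstallDate -AutoSize | Out-File $report -Append

# Task 4: export the System and Application logs in native .evtx form so that
# engineering can open them with full metadata rather than a text rendering.
foreach ($log in 'System', 'Application') {
    wevtutil.exe epl $log (Join-Path $OutDir "$log.evtx")
}

# Task 5: the crash dump. CrashControl tells us whether a dump is written at all
# (CrashDumpEnabled = 0 means none; the case cannot be analysed without one) and
# where the full dump and minidumps live. Defaults are used if a value is absent.
$crash = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$dumpModes = @{ 0 = 'None - no dump will be written'; 1 = 'Complete'; 2 = 'Kernel'; 3 = 'Small (minidump)'; 7 = 'Automatic' }
$mode = [int]$crash.CrashDumpEnabled
"=== Task 5: CrashDumpEnabled = $mode ($($dumpModes[$mode])) ===" | Out-File $report -Append
$dumpFile = if ($crash.DumpFile) { $crash.DumpFile } else { '%SystemRoot%\MEMORY.DMP' }
$miniDir  = if ($crash.MinidumpDir) { $crash.MinidumpDir } else { '%SystemRoot%\Minidump' }
$dumpFile = [Environment]::ExpandEnvironmentVariables($dumpFile)
$miniDir  = [Environment]::ExpandEnvironmentVariables($miniDir)
"Full dump path: $dumpFile (present: $(Test-Path $dumpFile))" | Out-File $report -Append
"Minidump dir:   $miniDir (present: $(Test-Path $miniDir))"   | Out-File $report -Append
if (Test-Path $dumpFile) { Copy-Item -Path $dumpFile -Destination $OutDir }
if (Test-Path $miniDir)  { Copy-Item -Path (Join-Path $miniDir '*.dmp') -Destination $OutDir -ErrorAction SilentlyContinue }

# Note 1: antivirus products. root\SecurityCenter2 exists on client Windows SKUs
# only; on Windows Server this section will be empty and must be filled in by hand.
'=== Note 1: antivirus products registered in root\SecurityCenter2 ===' | Out-File $report -Append
Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction SilentlyContinue |
    Format-Table displayName, productState, pathToSignedProductExe -AutoSize | Out-File $report -Append

# Note 2: installed Microsoft updates, the same query the article gives, written to
# Updatelist.txt inside the collection folder and sorted newest first.
Get-WmiObject -Class Win32_QuickFixEngineering |
    Sort-Object InstalledOn -Descending |
    Format-Table HotFixID, Description, InstalledOn -AutoSize |
    Out-File (Join-Path $OutDir 'Updatelist.txt')

# Optional: bundle everything for the support case (Task 6).
if ($Zip -and (Get-Command Compress-Archive -ErrorAction SilentlyContinue)) {
    Compress-Archive -Path (Join-Path $OutDir '*') -DestinationPath "$OutDir.zip" -Force
}
Write-Host "Collection written to $OutDir"
```

Run it as `.\Collect-Bsod.ps1` (or with `-Zip` to produce an archive) from an elevated prompt. Check `summary.txt` first: if CrashDumpEnabled is 0, or the full dump path is reported as not present, the machine is not producing the dump that engineering needs, and that must be corrected before the next crash. A complete memory dump can be several gigabytes, larger than Compress-Archive in Windows PowerShell 5.1 will handle, so for such systems transfer the .DMP file separately rather than using `-Zip`.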