000035835 - BSOD review indicates a crash caused by the Low Level Reader (LLR) in RSA NetWitness Endpoint

Document created by RSA Customer Support Employee on Dec 14, 2017
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000035835
Applies ToRSA Product Set: NetWitness Endpoint
RSA Product/Service Type: NetWitness Endpoint
RSA Version/Condition: 4.3.x, 4.2.x,,
Platform: Windows
O/S Version: Windows
Product Name: RSA-0015013
Product Description: ECAT Host Perp License (per host)
IssueA crash dump occurs on the target system implicating the Netwitness Endpoint agent as the culprit. Following the engineering review of the crash dump, the low-level reader is found to be the cause. The short explanation of the issue is given below:
The crash is caused by msdsm.sys while executing a kma low-level reader call initiated by the user mode agent.
CauseThis is caused by the code in the low-level reader, presumably during a scan, when installed on shared storage as opposed to local storage for the endpoint machine. The reason for this is that the lowlevelreader (LLR) is intended only for use on local storage to access the file system on a low level. The intent was to allow for scanning the local file system to detect rootkits and bootkits that may be using hooking to hide their presence on disk in an NTFS file system. The downside to disabling the LLR is the loss of visibility during Full Scan's when attempting to root out these potential files from the file system. There are other methods the agent has to detect the presence of this malware, such as when they are actively loading into memory, hooking, or doing other actions that allow for the detection of rootkits.
Resolution4.4.0.2 and later versions are slated to disable the Low Level Reader by default. These versions will disable automatically, and only expert mode will allow the use of the LLR deliberately.
NOTE: Requests for enhancing the LLR for use on shared media have already been submitted.
The current workaround on existing versions of Netwitness Endpoint is to disable the LLR in the expert mode of the agent packager:
1. From the command line in the ECAT server folder, run the following command:
>Ecat-Packager.exe -expert
First Disable Low Level Reader image
NOTE: Make sure Windows is selected as the package type under the General tab.

2. From the screenshot, its seen that the Disable Low Level Reader tab is not checked. Check the radio box to disable the low-level reader.
3. Test the connection and add any changes, such as different agent monitoring modes that may be desired, and once a successful connection is confirmed, click Generate Agent.
4. Deploy the agent to the machine running on shared storage.