RSA NetWitness Endpoint 4.2 Windows Agents can cause an endpoint crash under certain circumstances
Tags: RSA NetWitness Endpoint, Technical Advisories
Advisory Type
Technical
Advisory Content
Dear Valued RSA Customer,
Summary:
RSA has found an issue in the RSA NetWitness Endpoint 4.2 Windows Agent that can cause certain endpoints to crash. A fix is being created and will be made available in an upcoming patch.
Affected Products:
RSA NetWitness Endpoint 4.2 Microsoft Windows agents deployed in the “No Monitoring” or “Network Monitoring Only” mode. (Agents deployed in “Full User Monitoring” or “Full User Monitoring – Exclude Network Events” modes remain unaffected by this condition.)
Scenario Details:
When the Global Parameters or Machine Group features are used to disable and then re-enable blocking across a group of agents, the second switch (the re-enable) causes the agents targeted by the re-enable command to crash (BSOD).
Recommendations:
- For RSA NetWitness Endpoint 4.2 deployments where this crash has occurred, the solution is to re-install the agent and reboot the machine. As long as the sequence described under Scenario Details does not recur, the agents will be stable and no crashes will occur.
- For RSA NetWitness Endpoint 4.2 deployments where the Windows Agents are deployed in No Monitoring / Network Monitoring Only mode, please do not toggle the Blocking feature off and then on before an upgrade becomes available.
- For RSA NetWitness Endpoint 4.2 server-only deployments (new server, older 4.1.* Windows agents), or deployments in which the new agents are deployed in full monitoring mode, do nothing. These deployments are not affected. Linux and OS X agents are also unaffected.
- For planned upgrades and new deployments, please wait for the upcoming patch, which will remove this risk.
EOPS Policy:
RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.