Article Number
000001643
Applies To
RSA Product Set: NetWitness Endpoint
RSA Product/Service Type: NetWitness Endpoint
RSA Version/Condition: 4.3.0.4-4.3.0.5, 4.2.0.x, 4.4.0.0, 4.4.0.1
Platform: Windows
Product Name: RSA-0015013
Product Description: ECAT Host Perp License (per host)
Issue
When IPv4 or more likely IPv6 interfaces in Windows operating systems have the flag set for RSC support which is considered an optional setting, the WFP driver hangs causing the service host to hang during a Windows Update, preventing the system from proceeding and mimicking a hung state on the server.
Cause
RSC is affected by a known Windows bug and happens when the base filtering engine interacts with svchost.exe which is expecting the WFP network driver to support RSC and enters a hung state waiting for the service to initialize.
Resolution
There are a few ways to resolve this issue:
- Disable RSC on all interfaces that have it enabled. Enable-NetAdapterRsc, Disable-NetAdapterRsc, Get-NetAdapterAdvancedProperty, and Set-NetAdapterAdvancedProperty can be used to check and remove the RSC flag from a network interface.
- Reboot the servers, since it only hangs following a Windows Update
- Disable the WFP driver
- Upgrade to the most recent version of the Endpoint Agent.