Summary:
In the 4.4.0.3 patch, the kernel adaptation mappings for agent version 4.4.0.3 are missing from the NetWitness Endpoint Database. As a result, agents do not receive new and future kernel encoding values from the NetWitness Endpoint Server, which results in a driver error (0xe0010014). A fix is being created and will be made available shortly in an upcoming patch. In the meantime, the workaround below will resolve this issue.
Affected Products:
Agent version 4.4.0.3 on supported Microsoft Windows agent platforms
Impact:
When new Windows kernel updates are available, the agent will encounter this error and the agent driver will be stopped, causing the agent to function only partially (user-mode capability only). All capabilities provided by the Windows agent driver will fail to function: behavior and network tracking events, memory dump generation, module blocking, and network containment.
Workaround:
Execute the query below on the NetWitness Endpoint Database (Primary and Secondary, if it is a multi-server environment) to correct the agent kernel adaptation mapping.
update [AgentVersionKernelAdaptMapping] set AgentVersion=4403 where VersionDescription='V4.4.0.3'
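A guarded form of the same workaround, added here as an example and not taken from the vendor's advisory: it records the rows before the change, applies the update inside a transaction, and rolls back if no row matched. It assumes the database runs on Microsoft SQL Server (T-SQL) and that the session is already connected to the NetWitness Endpoint Database; only the table and column names from the query above are used.

```sql
-- Added example (not vendor code). Assumes Microsoft SQL Server / T-SQL.
-- Run in the context of the NetWitness Endpoint Database on each server
-- (Primary and Secondary in a multi-server environment).
SET XACT_ABORT ON;   -- any runtime error rolls the transaction back
SET NOCOUNT ON;

-- 1. Record the current state of the mapping rows before changing anything.
SELECT AgentVersion, VersionDescription
FROM [AgentVersionKernelAdaptMapping]
WHERE VersionDescription = 'V4.4.0.3';

BEGIN TRANSACTION;

-- 2. The workaround from the advisory, unchanged in effect.
UPDATE [AgentVersionKernelAdaptMapping]
SET AgentVersion = 4403
WHERE VersionDescription = 'V4.4.0.3';

DECLARE @changed int = @@ROWCOUNT;

-- 3. Commit only if the update actually matched a row.
IF @changed > 0
BEGIN
    COMMIT TRANSACTION;
    PRINT 'Updated ' + CAST(@changed AS varchar(10)) + ' mapping row(s) for V4.4.0.3.';
END
ELSE
BEGIN
    ROLLBACK TRANSACTION;
    PRINT 'No row has VersionDescription = ''V4.4.0.3''; nothing was changed.';
END;

-- 4. Confirm the final state.
SELECT AgentVersion, VersionDescription
FROM [AgentVersionKernelAdaptMapping]
WHERE VersionDescription = 'V4.4.0.3';
```

If the script reports that no row matched, the workaround has not been applied on that server and the driver error will persist there.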
For additional documentation, downloads, and more, visit the RSA NetWitness Suite page on RSA Link.
EOPS Policy:
RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.