Some of the most common solutions to Agent crashes are:
- Updating to the latest version and / or maintenance pack of DLP. Many times the crash has already been reported and fixed in a later release. This means that the latest maintenance pack DLP agent should be tested. If possible also test the latest hotfix agent for that maintenance pack agent.
For example. If a 15.8 agent is crashing then the 15.8 MP3 (current latest MP agent) should be tested. If possible the 15.8.00300.01040 (latest HF agent) would be tested.
- Ensure that the proper antivirus exceptions have been added to the system(s). See TECH220235.
If the above solutions do not address the issue or are not viable at this time then it is time to collect data then contact support.
Try to answer the following questions:
- Can the crash be duplicated? Provide information about how the crash is duplicated. Is it caused by a process like copy / paste or is it a matter of just waiting x amount of time?
- If the agent crash is caused by a process then is it consistent? I.e. does it always happen or only happen a percentage of the time?
- Does the crash happen across multiple machines or OS platforms?
- Is this happening in production or test environments?
- What percentage of machines are affected?
Next the data needs to be collected. Follow these steps to help gather the needed information:
If the crash can be duplicated then follow these steps:
- Turn up the logging via TECH248581
- Duplicate the crash
- Proceed to the following steps
In all scenarios do the following:
- Collect the agent logs as described in TECH222092
- Collect the relevant system logs from the client machine
Windows: System and Application Event Logs
Mac OSX: ~/Library/Logs/DiagnosticReports/
- On the client machine, download and run SymDiag from TECH170735. Collect system information and attach it to the case.
- Collect crash dumps from the agent. Default locations are
Windows: “C:\Program Files\Manufacturer\Endpoint Agent\MemDump”
Mac OSX: /Library/Manufacturer/Endpoint Agent/MemDumps
Submit the collected information and data to support for analysis.
Third Party Application Crash
When a third party application is crashing and it is believed to be caused by the DLP agent then collect a crash dump from that application. This can be done by using procdump (with -ma and -e switch) or by using Windows Error Reporting.
Note that procdump should not be used with the dlpagent as the dlpagent will generate it's own crash dumps.
procdump -ma -e outlook.exe
This will monitor outlook.exe for an unhandled exception then generate a crash dump when it occurs. Outlook should be running before running the command.
Optional Advanced Troubleshooting
- Enable / Disable different agent channels (Example: uncheck the local disk or Clipboard) in the agent configuration to determine which could be causing the crash. Disable all of them, then selectively add others.
- Windows: Load crash dump in Windbg. Use !analyze -v command. What are the offending files? Search KB for crash information related to offending files.