DLP Agent Crash Troubleshooting


Article ID: 171182


Products

Data Loss Prevention

Issue/Introduction

Agent crash issues can be frustrating and difficult to address. The steps in this article will guide you through collecting the right data so that support can best assist with the issue. In addition, there are some troubleshooting options that may help identify the cause and a possible workaround or solution.

Resolution

Some of the most common solutions to Agent crashes are:

  1. Updating to the latest version and/or maintenance pack of DLP. In many cases the crash has already been reported and fixed in a later release, so the latest maintenance pack DLP agent should be tested. If possible, also test the latest hotfix agent for that maintenance pack.

    For example, if a 15.1 agent is crashing, then the 15.1 MP1 agent (currently the latest MP agent) should be tested. If possible, the 15.1.107 agent (the latest HF agent) should be tested as well.

    Note that a maintenance pack agent (15.1 MP1 in this case) is supported when connecting to a non-maintenance-pack server.
     
  2. Ensure that the proper antivirus exceptions have been added to the system(s). See TECH220235.

If the above solutions do not address the issue or are not viable at this time, then collect the data described below and contact support.

Collecting data

Try to answer the following questions:

  • Can the crash be duplicated? Provide information about how the crash is duplicated. Is it caused by a process such as copy/paste, or is it a matter of just waiting a certain amount of time?
  • If the agent crash is caused by a process, then is it consistent? I.e. does it always happen, or only a percentage of the time?
  • Does the crash happen across multiple machines or OS platforms?
  • Is this happening in production or test environments?
  • What percentage of machines are affected?

Next, the data needs to be collected. Follow these steps to gather the needed information.

If the crash can be duplicated then follow these steps:

  1. Increase the agent logging level as described in TECH248581
  2. Duplicate the crash
  3. Proceed to the steps below

In all scenarios do the following:

  1. Collect the agent logs as described in TECH222092
  2. Collect the relevant system logs from the client machine:
     Windows: System and Application Event Logs
     Mac OSX: ~/Library/Logs/DiagnosticReports/
  3. On the client machine, download and run SymDiag from TECH170735. Collect system information and attach it to the case.
  4. Collect crash dumps from the agent. The default locations are:
     Windows: "C:\Program Files\Manufacturer\Endpoint Agent\MemDump"
     Mac OSX: /Library/Manufacturer/Endpoint Agent/MemDumps

Submit the collected information and data to support for analysis.
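The following script is an added example and is not part of the original article or the DLP product. It gathers the Windows-side items from steps 2 and 4 above (System and Application event logs, Application Error / Windows Error Reporting entries that name a faulting module, and the contents of the default MemDump folder) into one archive for the support case. The output folder, the seven-day window, and the use of wevtutil and Get-ComputerInfo are assumptions; the MemDump path is the default stated above. Agent logs (step 1) and SymDiag (step 3) are still collected as the article describes.

```powershell
# Added example (not from the article): collect Windows event logs and DLP
# agent crash dumps into a single archive for a support case.
param(
    [string]$OutputRoot  = "$env:USERPROFILE\Desktop\DLP-CrashData",              # assumed
    [string]$MemDumpPath = "C:\Program Files\Manufacturer\Endpoint Agent\MemDump", # article default
    [int]$Days = 7                                                                  # assumed window
)

$stamp = Get-Date -Format "yyyyMMdd-HHmmss"
$out   = Join-Path $OutputRoot "$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $out -Force | Out-Null

# 1. Full .evtx export of the System and Application logs for support,
#    plus a CSV of recent Critical/Error events for quick reference.
foreach ($log in 'System', 'Application') {
    wevtutil epl $log (Join-Path $out "$log.evtx")
    Get-WinEvent -FilterHashtable @{
        LogName   = $log
        Level     = 1, 2                       # 1 = Critical, 2 = Error
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, Message |
        Export-Csv (Join-Path $out "$log-errors.csv") -NoTypeInformation
}

# 2. Application Error / WER events record the faulting application and
#    module; these are the first pointer to "which file" before any dump is opened.
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Application Error', 'Windows Error Reporting'
    StartTime    = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue |
    ForEach-Object { $_.TimeCreated.ToString('s') + "`n" + $_.Message + "`n" } |
    Out-File (Join-Path $out "faulting-modules.txt")

# 3. Agent crash dumps from the default MemDump location (the agent writes
#    these itself; no procdump needed for the agent process).
if (Test-Path $MemDumpPath) {
    Copy-Item -Path $MemDumpPath -Destination (Join-Path $out 'MemDump') -Recurse -Force
} else {
    "MemDump folder not found at $MemDumpPath" | Out-File (Join-Path $out "notes.txt")
}

# 4. Basic OS facts to accompany the SymDiag output.
Get-ComputerInfo |
    Select-Object OsName, OsVersion, OsBuildNumber, CsTotalPhysicalMemory |
    Out-File (Join-Path $out "system-info.txt")

# 5. One archive to attach to the case.
Compress-Archive -Path $out -DestinationPath "$out.zip" -Force
Write-Host "Collected data archived at $out.zip"
```

Run it from an elevated PowerShell session, since exporting the System log and reading the agent's MemDump folder under Program Files normally require administrator rights.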

Third Party Application Crash

When a third party application is crashing and it is believed to be caused by the DLP agent, collect a crash dump from that application. This can be done by using procdump (with the -ma and -e switches) or by using Windows Error Reporting.

Note that procdump should not be used with the DLP agent, as the DLP agent generates its own crash dumps.

Procdump example:
procdump -ma -e outlook.exe

This will monitor outlook.exe for an unhandled exception then generate a crash dump when it occurs. Outlook should be running before running the command.
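As an added example (not from the article), the wrapper below runs the procdump command shown above but first waits for the target application to be running, since -e attaches to an existing process and fails if the application has not started yet. The procdump install path, the dump folder, and the 30-attempt wait are assumptions; the -ma, -e and -accepteula switches are real procdump options.

```powershell
# Added example (not from the article): attach procdump to a running
# third-party application and capture a full dump on an unhandled exception.
param(
    [Parameter(Mandatory = $true)]
    [string]$ProcessName,                                          # e.g. outlook (no .exe)
    [string]$ProcdumpPath = 'C:\Tools\Sysinternals\procdump.exe',  # assumed location
    [string]$DumpFolder   = 'C:\Dumps'                             # assumed location
)

if (-not (Test-Path $ProcdumpPath)) { throw "procdump not found at $ProcdumpPath" }
New-Item -ItemType Directory -Path $DumpFolder -Force | Out-Null

# -e attaches to an existing process, so the application must already be
# running; poll for it briefly instead of failing on the first attempt.
$proc = $null
for ($i = 0; $i -lt 30 -and -not $proc; $i++) {
    $proc = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue |
            Select-Object -First 1
    if (-not $proc) { Start-Sleep -Seconds 2 }
}
if (-not $proc) { throw "$ProcessName is not running; start it first, then re-run." }

$dumpFile = Join-Path $DumpFolder "$($proc.ProcessName)-$($proc.Id)-crash.dmp"
Write-Host "Attaching procdump to $($proc.ProcessName) (PID $($proc.Id)); dump -> $dumpFile"

# -ma          full memory dump (modules, heap, all threads)
# -e           write the dump when an unhandled exception occurs
# -accepteula  suppress the interactive EULA prompt on first run
# Targeting the PID avoids ambiguity when several instances share a name.
& $ProcdumpPath -accepteula -ma -e $proc.Id $dumpFile

# Show what was produced so it can be attached to the case.
Get-ChildItem $DumpFolder -Filter '*.dmp' |
    Sort-Object LastWriteTime -Descending |
    Select-Object Name, Length, LastWriteTime
```

procdump blocks until the monitored process exits or the exception fires, so run the wrapper in its own console while reproducing the crash. Do not point it at the DLP agent process; as noted above, the agent writes its own dumps to the MemDump folder.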

Optional Advanced Troubleshooting

  • Enable/disable different agent channels (for example, uncheck Local Disk or Clipboard) in the agent configuration to determine which one could be causing the crash. Disable all of them, then selectively re-enable them one at a time.
  • Windows: Load the crash dump in WinDbg and run the !analyze -v command. Which module or file is reported as faulting? Search the knowledge base for crash information related to the offending files.
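The following is an added example, not part of the original article, of running the WinDbg step above in batch: it opens each .dmp in a folder with cdb.exe (the console debugger that ships alongside WinDbg in the Debugging Tools for Windows), runs !analyze -v non-interactively, and extracts the fields that identify the faulting module, so the knowledge base search can start from a short table. The cdb.exe install path and the symbol path are assumptions; EXCEPTION_CODE, FAULTING_MODULE, MODULE_NAME, IMAGE_NAME, SYMBOL_NAME and PROCESS_NAME are field names printed by !analyze -v.

```powershell
# Added example (not from the article): summarise !analyze -v over a folder of
# crash dumps using cdb.exe, writing the offending-module fields to a CSV.
param(
    [string]$DumpFolder = 'C:\Program Files\Manufacturer\Endpoint Agent\MemDump',       # article default
    [string]$CdbPath    = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe', # assumed
    [string]$SymbolPath = 'srv*C:\Symbols*https://msdl.microsoft.com/download/symbols'    # assumed
)

if (-not (Test-Path $CdbPath)) { throw "cdb.exe not found at $CdbPath" }

# Fields from !analyze -v that say where the crash happened.
$fields = 'EXCEPTION_CODE', 'FAULTING_MODULE', 'MODULE_NAME', 'IMAGE_NAME',
          'SYMBOL_NAME', 'PROCESS_NAME'

$results = foreach ($dump in Get-ChildItem $DumpFolder -Filter '*.dmp') {
    # -z open the dump, -y symbol path, -c run the commands then quit (q),
    # so no interactive debugger session is needed.
    $output = & $CdbPath -z $dump.FullName -y $SymbolPath -c '!analyze -v; q' 2>&1
    $text   = ($output | ForEach-Object { "$_" }) -join "`n"

    $row = [ordered]@{ Dump = $dump.Name }
    foreach ($f in $fields) {
        # Each field is printed on its own line as "NAME:  value".
        $m = [regex]::Match($text, "(?m)^$f\s*:\s*(.+)$")
        $row[$f] = if ($m.Success) { $m.Groups[1].Value.Trim() } else { '' }
    }
    [pscustomobject]$row
}

$results | Format-Table -AutoSize
$results | Export-Csv (Join-Path $DumpFolder 'analyze-summary.csv') -NoTypeInformation
```

The IMAGE_NAME and MODULE_NAME columns give the file names to search the knowledge base for; an empty SYMBOL_NAME usually means the symbols for that module were not available on the symbol path, which does not change the module identification but limits how far the stack can be read.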