Endpoint searches hang

Article ID: 209808

Products

Endpoint Detection and Response

Issue/Introduction

Endpoint searches appear to be stopped or hung in the SEDR web interface. They do not appear to progress when you monitor them.

Cause

A CPU usage spike can occur on the SRE service. Heap starvation may occur, and some processes may be blocked indefinitely.

Excessive "TokenException" warnings start to appear in the epmp_r3.log file.

Example:
2021-01-23 05:05:46,587 [http-nio-127.0.0.1-8011-exec-15] WARN  c.s.p.identity.tokens.AmqpConnection - AMQP Connection to RabbitMQ [[localhost:5672]:/] successful!
2021-01-27 06:01:06,071 [http-nio-127.0.0.1-8011-exec-185] WARN  com.symantec.platform.r3.router.R3Request - unexpected error parsing the token
com.symantec.platform.identity.tokens.TokenException: invalid_token - General token decode failure: Invalid serialized unsecured/JWS/JWE object: Missing part delimiters
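
To check a log for this symptom, the following added example (not from the original article or the product) counts TokenException warnings per hour in epmp_r3.log-style input, attaching the untimestamped exception line to the WARN header before it. The threshold is an assumed value, since the article does not define "excessive", and the sample lines beyond the excerpt above are constructed.

```python
import re
from collections import Counter

# Header layout taken from the excerpt: "YYYY-MM-DD HH:MM:SS,mmm [thread] LEVEL logger - message"
HEADER = re.compile(
    r"^(?P<hour>\d{4}-\d{2}-\d{2} \d{2}):\d{2}:\d{2},\d{3} "
    r"\[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+)\s+(?P<logger>\S+) - (?P<msg>.*)$"
)
EXC = ("com.symantec.platform.identity.tokens.TokenException: invalid_token - General token "
       "decode failure: Invalid serialized unsecured/JWS/JWE object: Missing part delimiters")

def group_events(lines):
    """Yield one event per header line, with its continuation lines attached."""
    event = None
    for raw in lines:
        line = raw.rstrip("\n")
        m = HEADER.match(line)
        if m:
            if event:
                yield event
            event = {"hour": m["hour"], "level": m["level"], "text": [line]}
        elif event and line.strip():
            event["text"].append(line)  # exception text has no timestamp of its own
    if event:
        yield event

def token_exceptions_per_hour(lines):
    counts = Counter()
    for ev in group_events(lines):
        if ev["level"] == "WARN" and any("TokenException" in t for t in ev["text"]):
            counts[ev["hour"]] += 1
    return counts

def noisy_hours(lines, threshold=100):
    # threshold=100 is an assumption; tune it against a healthy appliance's baseline
    return sorted(h for h, n in token_exceptions_per_hour(lines).items() if n >= threshold)

def build_sample():
    """Constructed input: the two events from the excerpt plus three more failures in the same hour."""
    lines = [
        "2021-01-23 05:05:46,587 [http-nio-127.0.0.1-8011-exec-15] WARN  c.s.p.identity.tokens.AmqpConnection - AMQP Connection to RabbitMQ [[localhost:5672]:/] successful!",
        "2021-01-27 06:01:06,071 [http-nio-127.0.0.1-8011-exec-185] WARN  com.symantec.platform.r3.router.R3Request - unexpected error parsing the token",
        EXC,
    ]
    for i in range(3):
        lines.append(f"2021-01-27 06:0{i + 2}:00,000 [http-nio-127.0.0.1-8011-exec-{i}] WARN  "
                     "com.symantec.platform.r3.router.R3Request - unexpected error parsing the token")
        lines.append(EXC)
    return lines

if __name__ == "__main__":
    print(dict(token_exceptions_per_hour(build_sample())))
```

To run it against a real log, pass an open file handle for epmp_r3.log to `noisy_hours` in place of `build_sample()`.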

Environment

This will not affect the S550 or 8880 (Dell R730) where the SEDR appliance has more than 192 GB of memory installed. All other appliances could experience this.

Resolution

This is resolved in SEDR 4.6. Please upgrade to EDR version 4.6.

Additional Information

TSE see internal notes.
