App Control: How To Enable Repeated BSOD Prevention

Article ID: 286560

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Prevent repeated blue screens due to Policy Enforcement by Agents on endpoints. 

Environment

  • App Control Agent: 8.9.2+
  • Microsoft Windows: All Supported Versions

Resolution

Warning: While in the Override (Visibility), the Agent will not enforce any Custom Rules or Bans until it is moved back into a Control Mode.
  1. Log in to the Console and navigate to: https://ServerAddress/agent_config.php
  2. Click Add Agent Config and use the following details:
    • Name: Repeated BSOD Prevention (or something memorable)
    • Host ID: 0
    • Value: Replace X with the number of BSOD occurrences desired before triggering a move to Visibility on the next reboot.
      kernelEnforcementOverrideDirtyLoadMaxCount=X
    • Platform: Windows
    • Status: Enabled
    • Create For: Relevant Policies
  3. Click Save.

Additional Information

  • This feature is disabled by default.
  • This prevention can aid in the event a critical operating system process is being blocked due to an improper Custom Rule or File Ban.
  • When the specified number of blue screens is detected, the Agent will move to a Visibility Policy, preventing further occurrences.
  • Once the Agent starts successfully, a timer will move the Agent out of the Override after reaching the time specified in unsettled_enforcement_override_time_minutes.
  • By default, unsettled_enforcement_override_time_minutes is set to 10.
  • A future Health Check will be introduced to alert on this override (EP-19497).