CB Response: BSOD Related to TLS Handshake When Extra Buffers Are Used

Article ID: 290987


Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

  • A BSOD occurs on machines running CB Response Sensor versions 6.2.3 and 6.2.4.
  • The customer experienced the BSOD while a tamper event was being reported:
# Child-SP          RetAddr           Call Site
00 ffffd001`33fa8678 fffff801`2ab19b68 nt!KeBugCheckEx
01 ffffd001`33fa8680 fffff800`6b5069e8 nt!ExFreePoolWithTag+0xb68
02 ffffd001`33fa8720 fffff800`6b50a99c cbk7!SchannelTLSConnection::destroy+0xd8 [d:\jenkins\workspace\cbr_sensor_win_branch\cbsensor\win\src\carbonblackdriver\schannelcng.cpp @ 292] 
03 ffffd001`33fa8750 fffff800`6b50ae0f cbk7!Tamper::_sendTamperReport+0x544 [d:\jenkins\workspace\cbr_sensor_win_branch\cbsensor\win\src\carbonblackdriver\tamper.cpp @ 1038] 
04 ffffd001`33fa8ad0 fffff801`2a950dd6 cbk7!Tamper::_workerThreadRoutine+0x277 [d:\jenkins\workspace\cbr_sensor_win_branch\cbsensor\win\src\carbonblackdriver\tamper.cpp @ 1394] 
05 ffffd001`33fa8c00 fffff801`2a9d4e66 nt!PspSystemThreadStartup+0x18a
06 ffffd001`33fa8c60 00000000`00000000 nt!KiStartSystemThread+0x16
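
To triage other crash dumps against this issue, the stack above can be turned into a signature check. The following is an added example, not Carbon Black code: it parses WinDbg `k` output and reports whether the ExFreePoolWithTag / SchannelTLSConnection::destroy / Tamper::_sendTamperReport sequence is present. The function names and the choice of these three frames as the signature are assumptions made for illustration.

```python
import re

# One frame of WinDbg `k` output:
#   "NN child-sp retaddr module!symbol+0xoff [source @ line]"
FRAME_RE = re.compile(
    r"^[0-9a-fA-F]{2}\s+[0-9a-f`]+\s+[0-9a-f`]+\s+"
    r"(?P<module>[^!\s]+)!(?P<symbol>[^\s+]+)(?:\+0x[0-9a-fA-F]+)?"
    r"(?:\s+\[.+? @ \d+\])?\s*$"
)

# Assumed signature, innermost frame first, taken from the article's stack.
SIGNATURE = [
    ("nt", "ExFreePoolWithTag"),
    ("cbk7", "SchannelTLSConnection::destroy"),
    ("cbk7", "Tamper::_sendTamperReport"),
]

# Stack text copied from the article (raw string: paths contain backslashes).
ARTICLE_STACK = r"""
# Child-SP          RetAddr           Call Site
00 ffffd001`33fa8678 fffff801`2ab19b68 nt!KeBugCheckEx
01 ffffd001`33fa8680 fffff800`6b5069e8 nt!ExFreePoolWithTag+0xb68
02 ffffd001`33fa8720 fffff800`6b50a99c cbk7!SchannelTLSConnection::destroy+0xd8 [d:\jenkins\workspace\cbr_sensor_win_branch\cbsensor\win\src\carbonblackdriver\schannelcng.cpp @ 292]
03 ffffd001`33fa8750 fffff800`6b50ae0f cbk7!Tamper::_sendTamperReport+0x544 [d:\jenkins\workspace\cbr_sensor_win_branch\cbsensor\win\src\carbonblackdriver\tamper.cpp @ 1038]
04 ffffd001`33fa8ad0 fffff801`2a950dd6 cbk7!Tamper::_workerThreadRoutine+0x277 [d:\jenkins\workspace\cbr_sensor_win_branch\cbsensor\win\src\carbonblackdriver\tamper.cpp @ 1394]
05 ffffd001`33fa8c00 fffff801`2a9d4e66 nt!PspSystemThreadStartup+0x18a
06 ffffd001`33fa8c60 00000000`00000000 nt!KiStartSystemThread+0x16
"""

def parse_frames(text):
    """Return [(module, symbol), ...] for every frame line; other lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append((m["module"], m["symbol"]))
    return frames

def matches_signature(text, signature=SIGNATURE):
    """True if the signature frames appear consecutively, ignoring offsets and source info."""
    frames = parse_frames(text)
    n = len(signature)
    return any(frames[i:i + n] == signature for i in range(len(frames) - n + 1))

if __name__ == "__main__":
    print("matches article signature:", matches_signature(ARTICLE_STACK))
```

Offsets and source line numbers are deliberately ignored so that the check still matches across sensor builds where they differ.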


 

Environment

  • CB Response Windows Sensor: 6.2.3 and 6.2.4

Cause

  • CB-29095: BSOD in SchannelCNG when "extra buffers" are used
  • The root cause of the issue has been identified in a portion of code related to the Sensor.

Resolution

The issue is to be addressed in the 6.2.5 Windows Sensor release; the current ETA is Jan 2020.

Additional Information

Two workarounds are available for this issue:

  1. Disable Tamper Detection on the policy, in the advanced policy options within the CB Response console. This disables the piece of code that creates and clears that buffer.
  2. Temporarily roll back Sensors to version 6.2.2, per the following instructions: https://community.carbonblack.com/t5/Knowledge-Base/CB-Response-How-to-Downgrade-a-Sensor/ta-p/69734