Identifying Problematic Policies Using Policy Groups and Process of Elimination
Article ID: 406084
Products
Data Loss Prevention Core Package
Issue/Introduction
A misconfigured policy can disrupt detection across channels, particularly for Endpoint Detection Servers. This Knowledge Base (KB) article provides troubleshooting guidance for the Endpoint channel, with steps that also apply to other detection server types, such as Network or Cloud Detection Servers.
Environment
16.x
21.x
Resolution
To identify the problematic policy, we recommend a process of elimination: disable policies one group at a time during a maintenance window. However, this is not always practical, because some environments need continuous policy coverage on their agents.
Using policy groups together with a dedicated test detection server, the elimination can instead be done on test agents only: only the agents that communicate with the test detection server see the reduced policy set, and production policy coverage is never interrupted.
Follow these steps:
1. Install a new test Endpoint detection server and connect it to the console (See Docs).
2. Once the detection server is installed, go to 'System > Servers and Detectors > Policy groups'. Note whether the Default Policy Group applies to all detection servers, including the new test server.
3. Create a new policy group that includes all of the existing Endpoint servers but excludes the new test detection server. This article refers to it as the "Production only, No test" group.
4. In the agent overview, assign an agent to the new test detection server (see KB).
5. After the agent shows as connected to the test server in the agent overview, verify that the problem can be reproduced on that agent. (All of the policies should be assigned to the new test server, either through the Default Policy Group or through a preexisting Endpoint servers group that includes the test server.)
6. Once the problem reproduces on the test agent, start moving policies to the new group that excludes the test server. Use a process of elimination: assign half of the policies to the "Production only, No test" group.
   From 'Policies > Policy List', multiple policies can be reassigned at once: select them with the check box next to each policy, then use the 'assign group' action at the top of the page and choose the "Production only, No test" policy group.
7. On the test agent, once the ps.ead file in the agent folder has updated (check its time stamp), the updated policy set should be in place; the agent no longer enforces policies assigned to the "Production only, No test" group. Confirm that the policies moved away from the test server are no longer being enforced, which shows the agent's policies updated as expected, and then test whether the issue still occurs.
8. Repeat steps 6 and 7, applying the process of elimination to the remaining Endpoint policies by moving policies into and out of the "Production only, No test" group, until you can identify which specific policy is causing the problem on the agent.
9. Once the specific policy is identified, that policy can be cloned and then assigned to the "Production only, No test" policy group. Simplify the policy by deleting or modifying conditions, testing after each save, until the specific rule is identified and corrected.
10. Once the offending rule is identified and corrected in the cloned policy, apply the same change to the production policy to resolve the issue on all production machines.
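The elimination loop the steps above describe, written out as an added Python example (this is not part of the KB and not Symantec/Broadcom DLP code). Policies left on the test detection server are "active"; policies reassigned to the "Production only, No test" group are excluded from the test agent. The callback `reproduces(active)` stands in for the manual check on the test agent after ps.ead has refreshed and is an assumption of this example, as are the constructed policy and rule names and the fault model. It goes slightly beyond the text by applying the same halving to the rules inside the cloned policy instead of removing conditions one at a time, and it re-tests the excluded half before trusting it, which catches the case where the problem depends on more than one policy.

```python
"""Process-of-elimination helper modelled on the KB procedure.

Added example; not Symantec/Broadcom DLP code.  `reproduces(active)` is an
assumed stand-in for "wait for ps.ead to refresh on the test agent, then test";
the policy/rule names and the fault model below are constructed for the demo.
"""
from typing import Callable, List, Sequence, Tuple

Check = Callable[[Sequence[str]], bool]


def bisect_culprit(items: Sequence[str], reproduces: Check) -> Tuple[str, List[List[str]]]:
    """Find the single item whose presence makes `reproduces` return True.

    Returns the culprit and the list of active sets that were tested; each
    entry corresponds to one round of "reassign, wait for ps.ead, test".
    Assumes exactly one item is responsible.  Raises RuntimeError when the
    issue does not reproduce with everything active, or when it disappears
    from both halves (which points at an interaction between items).
    """
    active = list(items)
    if not active:
        raise ValueError("nothing to test")
    tested: List[List[str]] = [list(active)]
    if not reproduces(active):
        raise RuntimeError("issue does not reproduce with all items active")
    while len(active) > 1:
        half = len(active) // 2
        kept, moved = active[:half], active[half:]  # `moved` goes to "Production only, No test"
        tested.append(list(kept))
        if reproduces(kept):
            active = kept
            continue
        # Issue vanished: confirm it follows the excluded half before trusting it.
        tested.append(list(moved))
        if not reproduces(moved):
            raise RuntimeError("issue depends on more than one item; narrow manually")
        active = moved
    return active[0], tested


# ---- constructed demo data (not real policies or rules) -----------------------
POLICIES = {
    "Demo-HIPAA": ["SSN keyword", "ICD-10 pattern"],
    "Demo-PCI": ["Card number regex", "Track-2 data", "Oversized attachment"],
    "Demo-Source-Code": ["Java keywords", "Repo URL"],
    "Demo-Confidential": ["Watermark EDM", "Project codenames"],
    "Demo-GDPR": ["IBAN pattern", "Passport number"],
}
# Fault model (constructed): one rule in one policy causes the agent problem.
BROKEN_POLICY = "Demo-PCI"
BROKEN_RULE = "Oversized attachment"


def agent_misbehaves(active_policies: Sequence[str]) -> bool:
    """Stand-in for observing the test agent: True while the broken policy is enforced."""
    return BROKEN_POLICY in active_policies


def clone_misbehaves(active_rules: Sequence[str]) -> bool:
    """Stand-in for testing the simplified clone: True while the broken rule remains."""
    return BROKEN_RULE in active_rules


def run_elimination() -> dict:
    """Phase 1 isolates the policy by moving halves of the policy list to the
    excluded group; phase 2 isolates the rule inside a clone of that policy.
    Returns what was found and how many test rounds each phase took."""
    policy, policy_rounds = bisect_culprit(list(POLICIES), agent_misbehaves)
    rule, rule_rounds = bisect_culprit(POLICIES[policy], clone_misbehaves)
    return {
        "policy": policy,
        "policy_rounds": len(policy_rounds),
        "rule": rule,
        "rule_rounds": len(rule_rounds),
    }


if __name__ == "__main__":
    print(run_elimination())
```

Each entry in the returned `tested` list is one reassign/wait/test cycle, so the round counts tell you roughly how many ps.ead refreshes to budget for on the test agent; with five policies the culprit is found in four rounds rather than the five a one-at-a-time sweep could need.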