Issue
On June 5, 2023, an update to Endpoint Detection and Response (EDR) version 1.2.0.389 was released. This release will cause a one-time blue screen of death (BSoD) on Windows Server 2008 R2 or Windows 7 devices during the upgrade from 1.2.0.387, the previous EDR version.
Symptom
A one-time BSoD due to a crash involving flightrecorder.sys.
Environments
- Windows Server 2008 R2
- Windows 7
- Endpoint Detection and Response
- Nebula
- OneView
Cause
The previous EDR plugin version, 1.2.0.387, caused a BSoD on Windows 7 and Windows Server 2008 R2 devices when the EDR drivers were unloaded. Updating the EDR plugin automatically stops and restarts the EDR drivers, which may cause a BSoD if the endpoint is running the previous EDR plugin version.
Check plugin version
Check the EDR plugin version to verify if a recent BSoD occurred because of the update, or if the update is still pending. Follow the steps below to check the current EDR plugin version.
- In the console:
  - Go to Manage > Endpoints.
  - Click on an affected endpoint.
  - If in OneView, click See more details. If in Nebula, skip this step.
  - Verify the Endpoint Detection and Response version listed under the Agent and plugins or Agent Information sections.
- On the endpoint:
  - Hold control and right-click the system tray icon on the endpoint and click About.
  - Verify the Endpoint Detection and Response version in the list.
Manually update EDR plugin
The update will be automatically distributed to your endpoints, which may result in a BSoD during business hours. If the EDR plugin is still version 1.2.0.387, follow the steps below to manually check for updates and control when the BSoD occurs.
- Go to Manage > Endpoints.
- Check the checkboxes for the endpoints to update.
- In the top-right, click the ellipsis icon or Actions menu > Check for Agent Updates.
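When many endpoints are involved, the version check above can be run over an inventory list to decide which machines need a scheduled update window. The following is an added example, not vendor code: the CSV columns (hostname, os, edr_version), the state names and the sample rows are assumptions constructed for illustration and do not reflect a console export format.

```python
import csv
import io

AFFECTED_OS = ("windows 7", "windows server 2008 r2")
BAD = (1, 2, 0, 387)    # version whose driver unload crashes, per this article
FIXED = (1, 2, 0, 389)  # first version this article treats as resolved

# Constructed sample inventory; column names are assumptions.
SAMPLE = """hostname,os,edr_version
fs01,Windows Server 2008 R2 Standard,1.2.0.387
ws14,Windows 7 Professional,1.2.0.389
ws15,Windows 7 Enterprise,1.2.0.1002
app03,Windows Server 2019 Standard,1.2.0.387
ws16,Windows 7 Professional,
"""

def parse_version(text):
    """Return the version as a tuple of ints, or None if missing or malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(os_name, version_text):
    """Sort one endpoint into the states this article distinguishes."""
    version = parse_version(version_text or "")
    if version is None:
        return "unknown-version"
    if version >= FIXED:  # numeric compare, so 1.2.0.1002 ranks above 1.2.0.389
        return "updated"
    if not any(name in os_name.lower() for name in AFFECTED_OS):
        return "os-not-affected"
    if version == BAD:
        return "update-pending"  # expect the one-time BSoD when the update runs
    return "review"  # affected OS on a version this article does not cover

def triage(csv_text):
    """Map each hostname in the inventory to its state."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["hostname"]: classify(r["os"], r["edr_version"]) for r in rows}

if __name__ == "__main__":
    for host, state in triage(SAMPLE).items():
        print(f"{host:8} {state}")
```

Endpoints reported as update-pending are the ones to select for Check for Agent Updates at a time when a reboot is acceptable.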
Resolution
If a BSoD occurred as a result of the EDR plugin update, follow the steps below and monitor for additional crashes.
- Power off the machine.
- Power the machine back on.
- Confirm the EDR version is 1.2.0.389 or higher.
- Continue monitoring for any crashes.
If you are still experiencing any crashes with the EDR plugin version 1.2.0.389 or higher, contact Support.