Description | This article describes how to deal with a Windows BSOD event. |
Scope | FortiEDR |
Solution |
In some cases, a Windows endpoint may suffer a Windows 'blue screen of death' (BSOD) event when an Endpoint Detection and Response (EDR) or Endpoint Protection Platform (EPP) solution is installed. This can occur for a variety of reasons and requires advanced troubleshooting.
If a Windows BSOD event is experienced while FortiEDR Collector is installed, follow the steps below:
1) Ensure the latest general availability (GA) revision of FortiEDR Collector is running.
2) Optional: If there is a third-party EDR or EPP program installed, uninstall it and try to reproduce the BSOD event. A very common root cause of BSOD events is conflicting security products.
3) Configure the operating system to log a 'complete' or 'full' memory dump. The steps can vary slightly depending on the Windows version; more information can be found here: https://docs.microsoft.com/en-us/windows/client-management/generate-kernel-or-complete-crash-dump.
3 a) Open the Windows menu, search for 'My Computer' and right-click on the result to choose Properties.
3 b) Search for Advanced System Settings -> Advanced -> Startup and Recovery Settings -> Write debugging information.
3 c) Select 'Complete Memory Dump' and leave the output file location as %SystemRoot%\MEMORY.DMP.
4) Reproduce the Windows BSOD. Windows will then write the contents of memory to %SystemRoot%\MEMORY.DMP, which can be collected after the reboot.
5) Export the Collector logs. Refer to the Community guide here https://community.fortinet.com/t5/FortiEDR/Technical-Tip-How-to-collect-FortiEDR-Collector-log/ta-p/.... Provide both the Collector logs and Windows memory dump file to Fortinet TAC to perform advanced troubleshooting.
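The following PowerShell script is an added example (not a Fortinet or Microsoft script) that checks whether the 'Complete memory dump' setting from step 3 is in place and optionally applies it, using the CrashControl registry values that the Startup and Recovery dialog writes. It assumes an elevated PowerShell session; the -Apply switch and the variable names are the example's own.

```powershell
# Added example: verify (and optionally set) the Complete memory dump configuration
# from step 3. Run from an elevated PowerShell session; use -Apply to change settings.
param([switch]$Apply)

$crashKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$dumpFile = '%SystemRoot%\MEMORY.DMP'   # location used in step 3 c)
# CrashDumpEnabled values: 0 = none, 1 = complete, 2 = kernel, 3 = small, 7 = automatic
$names = @{ 0 = 'None'; 1 = 'Complete'; 2 = 'Kernel'; 3 = 'Small'; 7 = 'Automatic' }

$cc   = Get-ItemProperty -Path $crashKey
$mode = [int]$cc.CrashDumpEnabled
Write-Host ("Current dump type : {0} ({1})" -f $mode, $names[$mode])
Write-Host ("Current dump file : {0}" -f $cc.DumpFile)

# A complete dump is only written when the page file on the boot volume can hold
# all physical RAM (plus a small header), so report both values for comparison.
$ramMB = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
Write-Host ("Physical RAM (MB) : {0}" -f $ramMB)
Get-CimInstance Win32_PageFileUsage | ForEach-Object {
    Write-Host ("Page file         : {0} ({1} MB allocated)" -f $_.Name, $_.AllocatedBaseSize)
}

if ($Apply) {
    # 1 = Complete memory dump; DumpFile is REG_EXPAND_SZ so %SystemRoot% expands at crash time.
    Set-ItemProperty -Path $crashKey -Name CrashDumpEnabled -Value 1 -Type DWord
    Set-ItemProperty -Path $crashKey -Name DumpFile -Value $dumpFile -Type ExpandString
    Write-Host "Configured Complete memory dump; reboot for the change to take effect."
}
elseif ($mode -ne 1) {
    Write-Host "Dump type is not 'Complete'; re-run with -Apply (or follow step 3) before reproducing the BSOD."
}
```

If the allocated page file on the system drive is smaller than physical RAM, enlarge it before step 4, otherwise MEMORY.DMP will not be written even though the setting reads 'Complete'.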
Copyright 2024 Fortinet, Inc. All Rights Reserved.