FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
Luke_FTNT
Staff
Article Id 208594
Description This article describes how to deal with a Windows BSOD event.
Scope FortiEDR
Solution

In some cases, a Windows endpoint may suffer from a Windows 'blue screen of death' (BSOD) event when an Endpoint Detection and Response or EPP solution is installed. This can occur for a variety of reasons and requires advanced troubleshooting.
If a Windows BSOD event occurs while the FortiEDR Collector is installed, follow the steps below:

1) Ensure the latest general availability (GA) revision of FortiEDR Collector is running.
2) Optional: If there is a third-party EDR or EPP program installed, uninstall it and try to reproduce the BSOD event. A very common root cause of BSOD events is conflicting security products.
3) Configure the operating system to log a 'complete' or 'full' memory dump. The steps can vary slightly depending on the Windows version and more information can be found here https://docs.microsoft.com/en-us/windows/client-management/generate-kernel-or-complete-crash-dump.
3 a) Open the Windows menu, search for 'My Computer' and right-click on the result to choose Properties.

3 b) Search for Advanced System Settings -> Advanced -> Startup and Recovery Settings -> Write debugging information.

3 c) Select 'Complete Memory Dump' and leave the output file location as %SystemRoot%\MEMORY.DMP.
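As an added example (not part of the Fortinet article), the same crash-dump settings as step 3 applied through PowerShell from an elevated prompt, together with a check that the page file is large enough for Windows to actually write a complete dump. The registry path and values are Microsoft's documented CrashControl settings; the function names are this example's own.

```powershell
# Added example, not from the Fortinet article: apply the step-3 crash-dump settings through
# PowerShell and check that Windows can actually write a complete dump. Run from an elevated prompt.
$CrashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
# Documented CrashDumpEnabled values; 1 is the 'Complete Memory Dump' option in the GUI.
$DumpTypes = @{ 0 = 'None'; 1 = 'Complete'; 2 = 'Kernel'; 3 = 'Small'; 7 = 'Automatic' }

function Get-CrashDumpConfig {
    $cfg = Get-ItemProperty -Path $CrashControl
    $dumpFile = if ($cfg.DumpFile) { $cfg.DumpFile } else { '%SystemRoot%\MEMORY.DMP' }
    [pscustomobject]@{
        DumpType = $DumpTypes[[int]$cfg.CrashDumpEnabled]
        DumpFile = [Environment]::ExpandEnvironmentVariables($dumpFile)
    }
}

function Set-CompleteMemoryDump {
    # DumpFile is REG_EXPAND_SZ so %SystemRoot% is stored literally, matching the article's default.
    Set-ItemProperty -Path $CrashControl -Name CrashDumpEnabled -Value 1 -Type DWord
    Set-ItemProperty -Path $CrashControl -Name DumpFile -Value '%SystemRoot%\MEMORY.DMP' -Type ExpandString
}

function Test-PagefileForCompleteDump {
    # A complete dump needs a page file on the system drive of at least RAM + 1 MB; if it is
    # smaller, the machine reboots after the BSOD without leaving a MEMORY.DMP behind.
    $cs = Get-CimInstance Win32_ComputerSystem
    $neededMB = [math]::Ceiling($cs.TotalPhysicalMemory / 1MB) + 1
    if ($cs.AutomaticManagedPagefile) {
        return "Page file is system-managed; set a fixed size of at least $neededMB MB on $env:SystemDrive"
    }
    $pf = Get-CimInstance Win32_PageFileSetting | Where-Object { $_.Name -like "$env:SystemDrive*" }
    if (-not $pf) { return "No page file on $env:SystemDrive; a complete dump cannot be written" }
    if ($pf.MaximumSize -lt $neededMB) {
        return "Page file on $env:SystemDrive is $($pf.MaximumSize) MB; at least $neededMB MB is needed"
    }
    return "Page file on $env:SystemDrive is $($pf.MaximumSize) MB, enough for a complete dump"
}

Set-CompleteMemoryDump
Get-CrashDumpConfig          # shows DumpType 'Complete' once the value is written
Test-PagefileForCompleteDump # the registry change itself only takes effect after a reboot
```

Reboot once after running this, before reproducing the BSOD in step 4, so the new dump type is active.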

4) Reproduce the Windows BSOD. Windows will then write its memory contents to %SystemRoot%\MEMORY.DMP, which can be collected after the reboot.
5) Export the Collector logs. Refer to the Community guide here https://community.fortinet.com/t5/FortiEDR/Technical-Tip-How-to-collect-FortiEDR-Collector-log/ta-p/....

Provide both the Collector logs and Windows memory dump file to Fortinet TAC to perform advanced troubleshooting.