You can use the information in this section to understand the nature of each health check event and potential troubleshooting options.

Health Check Events: High Severity

You can use the information in this section to understand the nature of each high severity health check event and potential troubleshooting options. These are serious issues that indicate the agent software is not performing correctly and visibility, detection and protection capabilities will likely experience failures. These must be investigated and resolved before considering a deployment operational.

Table 1. High Severity Health Check Events, Category: General
Failure Id | Health Check Name | Sub Category | Description | Troubleshooting
750 | NoLoadImageCallback | Kernel | The agent was unable to register a load image callback routine. Module information may be incomplete. | Use the "fltmc" command to determine how many file system filters are installed on the system. If there are more than 4, the error may be expected, since Microsoft has restricted the number of filter drivers that can register for image load notification callbacks within the kernel. The parity.sys driver has a fall-back path that should compensate, but it should be investigated whether some filters are unneeded, since excessive filters can cause interoperability and performance problems. This may also be an indicator of kernel mode malware being active. Collect diagnostic information for further failure analysis.
751 | NoProcessCreateCallback | Kernel | The agent was unable to register a process create callback routine. | This may be an indicator of kernel mode malware being active. Collect diagnostic information for further failure analysis.
752 | NoThreadCreateCallback | Kernel | The agent was unable to register a thread create callback routine. | This may be an indicator of kernel mode malware being active. Collect diagnostic information for further failure analysis.
777 | MismatchKProcessStruct | None | The agent has an incorrectly sized structure. | If you see this, it likely means that the kernel driver is incompatible with this version of the operating system. Verify that the operating system you installed on is supported in the OER document.
930 | FailedToLoadRulesFromReg | RegistryOperation | Unable to retrieve cached rules from the registry during boot. | No troubleshooting steps available at this time.
960 | ServerCertificateListInvalid | Database | Server certificate list has been stored but has been determined to be invalid. | This event is reported by the App Control agent when the server certificate list is not in sync with the App Control server. This health check should ideally clear on the next poll request. If it does not clear, look in the log for the reason. Another remediation is to copy the latest TrustedCertList.pem file from the server location [C:\Program Files (x86)\Bit9\Parity Server\hostpkg] to the agent location [C:\ProgramData\Bit9\Parity Agent] and run the authenticated command "dascli importservercertlist TrustedCertList.pem" to load the server certificate list on the agent.

Note: Based on your deployment, the App Control server might have a different download location for TrustedCertList.pem.

970 | MissingTrustedCertList | None | Missing a server certificate list file. | Starting with version 8.7 of the App Control Windows agent, the TrustedCertList.pem file is stored in the C:\ProgramData\Bit9\Parity Agent directory. If this file is missing, copy the latest TrustedCertList.pem file from the server location [C:\Program Files (x86)\Bit9\Parity Server\hostpkg] to the agent location [C:\ProgramData\Bit9\Parity Agent] and run the authenticated command "dascli importservercertlist TrustedCertList.pem" to load the server certificate list onto the agent.

Note: Based on your deployment, the App Control server might have a different download location for TrustedCertList.pem.

980 | MissingKeychainJsonFile | None | Missing a keychain file. | Starting with version 8.7 of the App Control Windows agent, the keychain.json file is stored in the directory C:\ProgramData\Bit9\Parity Agent. If this file is missing, copy the latest keychain.json file from the App Control server location [C:\Program Files (x86)\Bit9\Parity Server\hostpkg] to the agent location [C:\ProgramData\Bit9\Parity Agent] and run the authenticated command "dascli importkeychain keychain.json" to load the keychain file.

Note: Based on your deployment, the App Control server might have a different download location for the keychain.json file.

990 | UntrustedServerCertificate | None | Untrusted server certificate. | This health check gives more information about which specific trusted certificate is missing on the agent, with details such as serial number and issuer. It provides more debug information and extends the ServerCertificateListInvalid health check.
Table 2. High Severity Health Check Events, Category: Configuration
Failure Id | Health Check Name | Sub Category | Description | Troubleshooting
625 | AgentInstalledPerUser | None | The agent needs to be installed for all users on the machine in order to work properly. Reinstall with ALLUSERS=1 to ensure it is installed on a per-machine basis and not per-user. | The agent MSI needs to be installed for all users of the system in order to work properly. Uninstall this agent and reinstall with the ALLUSERS=1 command line option. Check for SCCM scripts or GPO installs that are set to install per-user and change them to per-machine.
820 | AgentUnapprovedCachedMSI | None | Cached MSI file is unapproved. Potential for uninstall/upgrade failure. | Some operations require re-running the installer used to install the agent. If that installer is not approved, blocks may occur when running in high/medium enforcement. A copy of the installer is kept in c:\windows\installer. Look for unapproved files in that directory and approve any installers that you want to allow to run.
860 | AgentMissingAbInfoForCachedMsi | None | The agent does not have an AB for the cached installer file. | Some operations, such as repair installs and build-to-build upgrades, require the agent to locate the installer used to install the product, which is cached in c:\windows\installer. If this file is missing from the agent's inventory, it was possibly caused by the agent not running when the cached installer was written. Run "dascli updatemsiinfo" or the computer details action "Rescan installed applications", followed by another health check. If the problem persists, a cache consistency check level 3 may resolve this.
Table 3. High Severity Health Check Events, Category: Security
Failure Id | Health Check Name | Sub Category | Description | Troubleshooting
40 | AgentNotSignedByBit9 | Tampering | The Bit9 agent was signed, but not by Bit9. | It is possible your agent installation was tampered with. Look at the signature of the file to verify its authenticity.
430 | NotFilteringVolume | VolumeTracking | Searched through volumes and found one Bit9 is not filtering. | The parity.sys filter driver is expected to be attached to all supported file system volumes. This check indicates that it is not attached to at least one mounted file system volume. This may be indicative of kernel mode malware activity, or possibly an unsupported file system is in use. The parity.sys driver does not presently support volumes using Microsoft CSV (Server 2008 and later) and DAX (Server 2016 and later) storage technologies. As an administrator, run the "fltmc instances" command to verify, and collect diagnostic data for failure analysis.
470 | NotFilteringWindowsSysDir | VolumeTracking | Bit9 is not filtering the Windows system directory. | The parity.sys filter driver is expected to be attached to all file system volumes. This check indicates that it is not attached to the file system volume that contains the operating system. This may be indicative of kernel mode malware activity. As an administrator, run the "fltmc instances" command to verify, and collect diagnostic data for failure analysis.
741 | BannedLoadedModule | Tampering | Banned loaded module found in agent process(es). | parity.exe has a DLL loaded into it that is a banned image. This can happen if the image is set up to auto-run on the system in some manner that happens prior to the startup of the parity agent service. Investigate using the Autoruns tool from Microsoft Sysinternals. "dascli images", using the PID of parity.exe as the filter, may be useful to determine the time the image was loaded relative to agent startup. This information is also in analysis.bt9, which is included in each diagnostic capture.
Table 4. High Severity Health Check Events, Category: Fault
Failure Id | Health Check Name | Sub Category | Description | Troubleshooting
161 | AgentDatabaseIsCorrupt | Database | Corrupt database detected. | Corrupt databases are most often caused by abrupt stops of the system or the agent. Look in the Windows event log for any application or system crashes or hard power resets. Agent restart events without prior agent shutdown events are another good indication of an unclean shutdown. If crashes are seen, collect memory dumps and contact support. If the user is hard resetting the machine, advise them to shut down the system properly. If this continues to be a problem, you can consider running the database in a mode that is less performant but less likely to become corrupt.
200 | CryptoHashAttemptFailed | Cryptographic | Microsoft or Bit9 SHA256 hash attempt returned an error. | The version of the operating system in use may not support the use of SHA256 hash functions. This will impact the ability of this agent to correctly enforce any policies sent to it that rely on SHA256 hash values. Microsoft has published KBs to enable SHA256 hash functions for older operating systems; these should be deployed.
220 | FilterDriverCommsError | Kernel | Communication attempt between agent and filter driver did not succeed. | This is often due to a version mismatch between parity.exe (found in the agent install directory) and parity.sys (found in %systemdir%\drivers). Visually verify the file version details. If they differ, collect logs for failure diagnosis and re-install the agent.
221 | FilterDriverBlocked | Kernel | Secure Kernel Extension Loading is blocking the agent kernel extension from loading. | See the articles "macOS 10.13.4 Kext Approval Changes" and "Kernel Extension Approval for macOS 10.13 (High Sierra) - Cb Response".
260 | FilterDriverVersionMismatch | Kernel | Filter driver version doesn't match the agent's version. | This is usually a result of failed upgrades that leave mismatched agent and kernel versions. A repair install may help the situation. Afterwards a CC3 (cache consistency check level 3) is recommended, since during the period when the driver and agent were mismatched, files may have been modified that were not tracked.
510 | FilteringVolumeHasTagMismatch | VolumeTracking | Bit9 is filtering a volume but received unexpected communications. | The parity agent and parity.sys driver performed an internal test operation to block a file system operation with a specific error code. The operation was received by the parity agent with a different error code than was expected. This can indicate that another filter driver has modified the file system operation. It can also be an indicator of kernel mode malware activity. This health check is an indicator that the system may behave unpredictably due to conflicting policies between parity.sys and some other filter driver. The "fltmc" command can be useful for identifying filter drivers 'higher' in the file system stack than parity.sys.

Health Check Events: Medium Severity

You can use the information in this section to understand the nature of each medium severity health check event and potential troubleshooting options. These issues will cause some use cases to fail but not affect others.

Table 5. Medium Severity Health Check Events, Category: General
Failure Id | Health Check Name | Sub Category | Description | Troubleshooting
380 | DriverWithoutInstances | Kernel | Filter driver is present but no instances are loaded. | The parity.sys filter driver loaded successfully, but has failed to attach to any of the file system volumes on the system. This can be verified using the "fltmc instances" command from an elevated admin command prompt. This may indicate kernel mode malware is present.
550 | BlocksDuringBoot | Kernel | Files were blocked during system boot. | This event is issued when the system is booted into safe mode, to bring visibility to the fact that files were blocked during the last normal boot. The blocked file events should be investigated as possible causes of the failure of the previous normal boot attempt and addressed as appropriate.
615 | AgentLowDiskSpace | None | The volume where the agent stores its data files is low on disk space. | The volume where the agent is storing application data is running low on space, which could impact functionality if space becomes exhausted. Contact the user to try to free up more space. The health check warning threshold can be adjusted with the min_disk_space_warn_threshold_bytes agent config property.
735 | ServicesReconfiguredRebootRequired | None | A system reboot is required in order for Windows Update services to function properly. | The installer reconfigured the wuauserv and BITS services from type "own" to type "shared". Windows updates will not work until the system is restarted. Reference: DOC-5128 on the User Exchange.
760 | ImageClassificationExpansionError | Kernel | The kernel image classification table is incomplete. | This is triggered when the agent fails to identify a service executable or DLL. It typically means either the service the agent expects is not installed, or its registry information is corrupted/modified. In addition to an agent capture, also collect an export of the HKLM\System\CurrentControlSet\Services\<ServiceName> key.
762 | AgentCLIListenerError | None | The agent was unable to open a socket to communicate with dascli.exe. | This usually indicates firewall rules are blocking local loopback communication. You can also verify that the agent is listening on the CLI port by running "netstat -a -b -p TCP" and confirming that you see an entry indicating that parity.exe has a "127.0.0.1:3142" socket that is open and listening.
774 | AgentInaccurateOutstandingEvents | None | The agent's outstanding event count does not reflect the number of events in its database. | This indicates the agent's in-memory count of outstanding events does not match the outstanding events in the database. Collect a process dump via Task Manager and an agent capture.
775 | AgentInaccurateOutstandingReports | None | The agent's outstanding file report count does not reflect the number of reports in its database. | This indicates the agent's in-memory count of the number of outstanding file reports doesn't match the number of file reports in the database. Collect a process dump via Task Manager and an agent capture.
776 | PersistABFailure | None | The agent was unable to persist files. Enforcement from boot will be limited. | This indicates the kernel driver was unable to persist information about which files are unapproved/banned, which is needed for proper boot-time enforcement. An info-level (k4) kernel trace of a system shutdown will likely be needed to figure out why persistence failed. Also check for other security products that may restrict writes to the registry.
877 | AgentMissingAppDir | None | Agent was unable to locate where Windows apps are stored (FOLDERID_AppsFolder). | The agent uses FOLDERID_AppsFolder to expand some policy rules to match the local system configuration. If the local system does not have a FOLDERID_AppsFolder configured, any rule that references it will not function correctly on this system. Review to ensure this is the intended system configuration.
878 | AgentMissingWindowsDir | None | Agent was unable to locate the Windows directory. | The agent uses the Windows folder to expand some policy rules to match the local system configuration. If the local system does not have a Windows folder configured, any rule that references it will not function correctly on this system. This is unlikely to be a correctly configured Windows system, since lacking this folder definition implies that Windows is not installed.
880 | AgentBasicSSLUnavailable | None | Agent is unable to connect to the server using basic SSL. | The agent is unable to communicate with the server using SSL, even using weak certificate chain validation. This typically indicates a server or firewall misconfiguration.
Table 6. Medium Severity Health Check Events, Category: Configuration
Failure Id | Health Check Name | Sub Category | Description | Troubleshooting
560 | AgentProtocolOverrideInEffect | Communication | Agent is using protocol overrides even though the server is compatible with the agent version. | Check to see if the protocol_message_versions agent config property is set, and remove it or update it to match the new server protocol version.
565 | AgentFIPSInitializationError | Communication | Agent was unable to initialize OpenSSL in FIPS compliant mode. | This indicates that the FIPS_mode_set API failed. See the OpenSSL documentation for possible reasons: https://wiki.openssl.org/index.php/FIPS_mode_set()
610 | SMBNameCachingDisabled | Kernel | SMB name caching is disabled, which can lead to poor performance when accessing network shares (XP only). | The machine is not configured to cache SMB names, which can lead to poor performance when accessing network shares. See Microsoft Knowledge Base article KB834350. This health check should only apply to Windows XP based systems.
761 | WrongServiceUser | None | The agent service is not running with the correct user account. | parity.exe is expected to run as Local System (S-1-5-18) in order to ensure it has the appropriate permissions to access all files on local volumes. Use services.msc to ensure that parity runs as this user account (changes require disabling tamper protection).
770 | InstallDirectoryMisconfigured | None | The agent service is running from a different location than it was installed. | Verify parity.exe is installed in the directory you want it to be in. Then validate that HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ParityDriver\Parameters\[ParityAgentInstallPath] and HKEY_LOCAL_MACHINE\SOFTWARE\<Wow6432Node>\Bit9\Parity Agent\[ParityAgentInstallPath] match that directory. If they don't, the agent may need to be uninstalled and reinstalled.
771 | WrongKernelOSMajor | Kernel | The kernel was built for a different major version of the OS. Reinstall may be necessary. | The parity.sys driver that is running was not intended to run on this OS. This typically means an OS upgrade was performed or the agent was installed on an unsupported platform. In 7.2.2+ releases a repair install can be done to update the driver. After the repair, a CC3 may be needed to correct the agent inventory.
773 | IncompatibleFilterMgr | Kernel | The version of FltMgr installed is not compatible. System update may be necessary. | This indicates the agent detected a difference in internal kernel structures. This could lead to system instability. Confirm that the agent is running on a supported operating system by looking at the OER.
800 | AgentProductCodeMismatch | None | ProductCode in the cached MSI is unexpected. Potential for uninstall/upgrade failure. | This means the system thinks one version of the product is installed but parity.exe is a different version. Run "dascli updatemsiinfo" to force a rescan of the installed applications and then run "dascli healthcheck" to see if the problem goes away (these actions can also be done from the computer details page). If the problem does not go away, a repair install may be necessary.
810 | AgentUpgradeCodeMismatch | None | UpgradeCode in the cached MSI is unexpected. Potential for uninstall/upgrade failure. | The installed agent's MSI package has an unexpected 'UpgradeCode' property value that will cause future agent upgrades or uninstalls to fail to behave correctly. Support may be able to provide an uninstall tool to remove the agent to correct this corruption.
830 | AgentMissingSourceMSI | None | The agent's source MSI is missing. | The agent's installation MSI could not be located in the MSI cache. This will cause future upgrades, uninstalls or repairs to fail. It may be necessary to contact support for an agent uninstall tool.
840 | AgentInaccessibleSourceMSI | None | The agent's source MSI is inaccessible. | The agent's install MSI exists in the MSI cache, but could not be opened. This will cause future agent upgrades, uninstalls or repairs to fail. Check that the file is readable. It may be necessary to contact support for an agent uninstall tool.
861 | PrelinkEnabled | None | Prelink is currently enabled, which is not recommended by Carbon Black. | If prelinking is enabled, the system will periodically modify the contents of binaries in order to optimize load time. Because the hash changes, those files will become unapproved if no other approval mechanism is in place. It will also make it more difficult to track a binary spreading across a network, since the hash will be unique per endpoint. Carbon Black recommends disabling prelinking, since the performance benefits it gives are minimal and the security/operational downsides are substantial. You can disable prelinking by editing /etc/sysconfig/prelink and changing the PRELINKING=YES line to PRELINKING=NO.
862 | InstalledLinuxKernels | None | System has unsupported kernel versions installed. | No troubleshooting steps available at this time.
875 | NoYaraRules | None | Agent is missing Yara rules. | The 8.0 and later versions of the agent internally use Yara rules to determine what type of file is being accessed as part of enforcing the policy. These rules are downloaded from the server in an encrypted zip file called yara.bt9 from the agent download location using HTTPS. This health check specifically indicates that the agent has no Yara rules, which can happen for multiple reasons. Without a Yara rules package the agent will fall back to a more limited set of hardcoded file identification logic, but functionality may be impacted without current Yara rules. If health check 882 is also present, it may be the case that the agent is unable to reach the agent download location on the server. On some networks port 443 may be blocked to the server from deployed agents, and it will be necessary to establish an alternative download location for the yara.bt9 rules package. See the documentation on server advanced configuration settings. Alternatively, it is possible to manually deliver the yara.bt9 rules to an agent using the "dascli yara" command. In the case that the agent has a Yara rules file, check for health check 876 as well, as that may indicate that the Yara rules could not be extracted from the yara.bt9 file.
876 | NoYaraKey | None | Agent is missing the key used to decrypt Yara rules. | The yara.bt9 rule file is encrypted using a key generated by the server and sent to agents as a configuration property. This key value is missing. Check that the agent can communicate with the server and that its CL version is up to date; a CL refresh (computer details - resend all policy rules) may be required.
882 | NoYaraRuleFile | None | Agent is missing or unable to access the Yara rule file. | The 8.0 and later versions of the agent internally use Yara rules to determine what type of file is being accessed as part of enforcing the policy. These rules are downloaded from the server in an encrypted zip file called yara.bt9 from the agent download location using HTTPS. This health check specifically indicates that the agent has no yara.bt9 file, which can happen for multiple reasons. Without a Yara rules package the agent will fall back to a more limited set of hardcoded file identification logic, but functionality may be impacted without current Yara rules. Check that the yara.bt9 file is present and readable in the agent data directory. If no yara.bt9 file is present, it may be the case that the agent is unable to reach the agent download location on the server. On some networks port 443 may be blocked to the server from deployed agents, and it will be necessary to establish an alternative download location for the yara.bt9 rules package. See the documentation on server advanced configuration settings. Alternatively, it is possible to manually deliver the yara.bt9 rules to an agent using the "dascli yara" command.
Table 7. Medium Severity Health Check Events, Category: Security
Failure Id | Health Check Name | Sub Category | Description | Troubleshooting
10 | AgentFileValidationFailure | Tampering | Signed Bit9 agent did not pass file validation. | The agent was unable to validate its own signature because the agent's file hash did not match the signature. This may indicate tampering with the agent installation. Investigate and re-install.
30 | AgentCertValidationFailure | Tampering | Signed Bit9 agent did not pass certificate validation. | The agent was unable to verify its own signature using the platform WinVerifyTrust() API. This may indicate that the local system does not have an up-to-date trusted root certificate list; run Windows Update. This can also indicate that the digital signature has been tampered with.
50 | AgentNotSigned | Tampering | Bit9 agent is not signed. | Confirm with Windows Explorer whether parity.exe is in fact missing a signature. If it is missing, you likely have an unofficial test build and not a production release. It is also possible you have a modified copy of the product.
280 | NoRegistryProtection | RegistryOperation | Registry protection is not operational. | This indicates that a registry block rule did not successfully block a registry modification, which usually indicates the kernel is not operational. Verify the kernel driver is running. Verify no registry rules are allowing all operations to proceed. Verify other security products and/or malicious drivers are not circumventing CB Protection.
300 | AgentNotSetToAutoStart | Tampering | Agent is not configured to auto start. | Verify that HKLM\System\CurrentControlSet\Services\Parity\[Start] is set to 2.
310 | AgentNotRunning | Tampering | Agent is not running. | The parity.exe process is running, but is not in a 'running' state as a Windows service. Collect an agent capture.
320 | AgentNotFound | Tampering | Agent is not a registered service. | The parity.exe process is running, but could not find itself as a registered service. Check the service control panel to verify. Verify that HKLM\System\CurrentControlSet\Services\Parity exists and does not have a 'DeleteFlag' value set to '1' within it.
330 | DriverNotSetToLoadAtBoot | Tampering | Filter driver not configured to load at boot time. | Verify that HKLM\System\CurrentControlSet\Services\ParityDriver\[Start] is set to 0.
340 | DriverNotRunning | Tampering | Filter driver is not running. | Verify that parity.sys exists in c:\windows\system32\drivers and that its file signature and version are correct. Try to load it by launching an administrator command prompt and running "fltmc load paritydriver". If you see errors indicating the system does not accept the digital signature, it may mean you are running a version of the product that does not support that version of Windows.
350 | DriverNotFound | Tampering | Filter driver is not a registered driver. | A repair install is likely necessary to reinstall the driver service. Afterwards a CC3 is recommended to pick up any files modified while the agent was not tracking.
390 | DriverNotFoundWithEnum | Kernel | Failed attempt to find filter driver during kernel driver enumeration. | The parity.sys driver did not appear in a system enumeration of device drivers. This can sometimes occur due to flaws in the system API on older versions of Windows prior to Vista, but often indicates kernel mode manipulation of the data structures used to track device drivers. Such manipulation may be malicious and indicate kernel mode malware is present.
410 | RegistryInstallLocationNotValid | Tampering | The Bit9 install location (registry value) was not valid. | Open regedit and look in HKEY_LOCAL_MACHINE\SOFTWARE[\Wow6432Node\]Bit9\Parity Agent\. There should be ParityAgentInstallPath and ParityAgentDataPath values that match where the agent binaries and data are stored. These should match the values in HKLM\System\CurrentControlSet\Services\ParityDriver\Parameters, except that you will see the volume GUID instead of the DOS drive letter.
490 | DriverNotAttachedToVolumne | VolumeTracking | Attempt to find filter driver attached to volume failed. | The parity.sys driver reported a volume that it is not attached to. The parity.sys filter driver is expected to be attached to all file system volumes that contain supported file systems. This may be indicative of kernel mode malware activity. As an administrator, run the "fltmc instances" command to verify, and collect diagnostic data for failure analysis.
500 | FileWriteBlockTestFailed | FileOperation | Bit9 did not block a write (to a test file) as expected. | A test operation was conducted to ensure that the parity.sys driver is able to block write access to files. The test file, however, was successfully opened for write access. This could indicate a problem with parity.sys filtering the volume. "fltmc instances" from an elevated admin command prompt should show whether the parity.sys driver is attached to all volumes. This event could also indicate kernel mode malware activity.
742 | UnapprovedLoadedModule | Tampering | Unapproved loaded module found in agent process(es). | The parity.sys driver has detected that the parity.exe agent is running one or more unapproved modules in its process space. There can be multiple reasons for this. A common scenario is unapproved system files. Review the unapproved files and determine if they should be approved. Another scenario can be caused by various techniques for code injection from third-party applications. Tools such as Sysinternals Autoruns can be helpful in identifying the source of the unapproved software. Either the software should be approved or it should be removed from the parity.exe process. This event can also indicate kernel mode malware activity.
Table 8. Medium Severity Health Check Events, Category: Certificates
Failure Id | Health Check Name | Sub Category | Description | Troubleshooting
130 | DummyFileSignedButExpectedUnsigned | Tampering | A file (server.id) expected to be unsigned was found to be signed. | A file installed by the agent that is known to not be signed was reported as signed by the WinVerifyTrust() platform API. This is a strong indicator of runtime tampering of the agent.
540 | AgentEmtpyCertificateStore | Cryptographic | Empty certificate store. | This results from an internal consistency check between a cached view of a certificate store and the underlying certificate store: specifically, the cached view shows the store having certificates in it, but the underlying certificate store is empty. Collect d6 and an agent capture, along with a dump of the local system certificate store (you can use the MMC Certificates snap-in to do this).
Table 9. Medium Severity Health Check Events, Category: Fault
Failure Id | Health Check Name | Sub Category | Description | Troubleshooting
190 | CryptoHashMismatch | Cryptographic | Microsoft / Bit9 SHA256 hash mismatch for the same sample data. | The agent has detected an inconsistency between the hash value calculated using the Microsoft platform hash provider and a built-in hash routine. This may indicate the operating system in use does not support the use of SHA-256 hash functions. This will impact the ability of this agent to correctly enforce any policies sent to it that rely on SHA256 hash values. Microsoft has published KBs to enable SHA256 hash functions for older operating systems; these should be deployed.
210 | FilterDriverCommsTagMismatch | Kernel | Communication tag from filter driver didn't match. | The initial handshake message between the agent and the kernel was not returned correctly. This can indicate kernel mode malware or a potential version mismatch between parity.exe and parity.sys. Collect logs for failure diagnosis and re-install the agent.

Health Check Events: Low Severity

You can use the information in this section to understand the nature of each low severity health check event and potential troubleshooting options. These issues are unlikely to cause any functional failures but indicate that something is not as it should be (such as mismatched kernel and agent versions that are otherwise communicating and protocol-compatible).

The low severity tables below are broken up by category.

Table 10. Low Severity Health Check Events, Category: General

| Failure Id | Health Check Name | Sub Category | Description | Troubleshooting |
|---|---|---|---|---|
| 170 | AgentChangeToSystemTimeSinceInstall | TimeChange | Unexpected large change in system time since install | Use Windows events to check whether a time change actually occurred and under which user account. Verify with the user why the time was changed, to confirm it was not done for nefarious reasons. Look in the Carbon Black event logs to see whether events were reported with timestamps before and after the time change. Versions prior to 8.0 will also report this if the agent is older than 5 years. |
| 180 | AgentChangeToSystemTimeSinceStart | TimeChange | Unexpected large change in system time since agent start | Use Windows events to check whether a time change actually occurred and under which user account. Verify with the user why the time was changed, to confirm it was not done for nefarious reasons. Look in the Carbon Black event logs to see whether events were reported with timestamps before and after the time change. Versions prior to 8.0 will also report this if the system uptime is greater than 180 days; this can be controlled by setting max_seconds_between_restart_for_healthcheck to a larger value. |
| 370 | DriverAtUnexpectedAltitude | Kernel | Filter driver at an unexpected altitude | ParityDriver should be running at the Microsoft-assigned altitude of 329050. Run "fltmc" from an administrator command prompt to see the current altitude. It can be changed by disabling tamper protection and modifying HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ParityDriver\Instances\Bit9 Security\[Altitude]. |
| 590 | MissingProcessForService | Kernel | The agent does not know about a running service | No troubleshooting steps available at this time. |
| 600 | IncorrectProcessStateForService | Kernel | The process associated with a Windows service was not classified correctly | No troubleshooting steps available at this time. |
| 778 | KernelAssertionsDetected | None | The kernel has detected internal errors. | This indicates that an internal assertion check failed. These checks exist to verify that inputs fall within expected parameter ranges; unexpected inputs may not be handled correctly. Collect an agent capture. The actual errors will be in either errors.bt9 or the kernel ETL file. |
| 879 | AgentStrongSSLUnavailable | None | Agent is unable to connect to server using Strong SSL | This health check exists to inform you that this agent cannot communicate with the server using strong SSL certificate validation. This may be because the server uses a self-signed certificate that has not been imported as a trusted root certificate on the local system. Strong SSL (referred to as Certificate Verification on the System Configuration > Security tab) should not be enabled on the server until all agents that are intended to communicate with the server pass this health check, since agents that fail it will be unable to communicate once that setting is enabled. |
| 881 | AgentInternalInconsistency | None | Agent detected an internal inconsistency | No troubleshooting steps available at this time. |
| 883 | IncompatibleSSLProtocolFlags | None | Agent has both SSLv2 and TLS 1.2 SSL protocol flags enabled; these are mutually exclusive, so SSLv2 will be dropped. | This health check indicates that the agent config property 'winhttp_secure_protocol_flags' contains both the TLS 1.2 and SSLv2 flags, which are mutually exclusive. The agent will ignore the SSLv2 flag. |
| 900 | AgentNonDefaultPackageName | None | MSI Source Package name is set to a non-default value. This may break future repair installs or upgrades. | No troubleshooting steps available at this time. |
| 910 | FailedToHook | None | Agent failed to install hook | No troubleshooting steps available at this time. |
| 920 | AgentOutOfDate | TimeChange | Unexpected long time since install (agent may be out of date) | This is reported if the agent is older than 5 years. |
| 940 | MissingBackupConfigList | Database | Missing a backup config list file | No troubleshooting steps available at this time. |

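As an added example (not code from the Carbon Black documentation or the agent), this PowerShell function performs the Windows event check that the TimeChange rows 170 and 180 ask for: it lists Security event 4616, "The system time was changed", with the account, process and size of each shift, so the result can be lined up against the Carbon Black event timestamps. The function name and the -Days / -IncludeTimeService parameters are names chosen here, not agent settings; it assumes an elevated prompt, since reading the Security log requires administrator rights.

```powershell
# Added example, not from the Carbon Black documentation: confirm the TimeChange
# health checks (170 / 180) against Windows Security event 4616,
# "The system time was changed", and attribute each shift to an account/process.
# Assumed: run from an elevated prompt (the Security log needs admin rights);
# the function and parameter names are chosen here and are not agent settings.
function Get-SystemTimeChange {
    param(
        [int]$Days = 30,
        # Windows Time (W32Time) makes small routine corrections; hide them by default.
        [switch]$IncludeTimeService
    )
    $filter = @{ LogName = 'Security'; Id = 4616; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Field order follows the 4616 event template: SubjectUserSid, SubjectUserName,
        # SubjectDomainName, SubjectLogonId, PreviousTime, NewTime, ProcessId, ProcessName.
        $p        = $_.Properties
        $previous = [datetime]$p[4].Value
        $new      = [datetime]$p[5].Value
        $shift    = $new - $previous
        $process  = [string]$p[7].Value

        # Sub-minute corrections coming from a service host are normal clock sync.
        if (-not $IncludeTimeService -and $process -like '*\svchost.exe' -and
            [math]::Abs($shift.TotalSeconds) -lt 60) { return }

        [pscustomobject]@{
            Logged       = $_.TimeCreated
            Account      = "$($p[2].Value)\$($p[1].Value)"
            Process      = $process
            PreviousTime = $previous
            NewTime      = $new
            ShiftHours   = [math]::Round($shift.TotalHours, 2)
        }
    } | Sort-Object Logged
}

# Large shifts are the ones to line up against Carbon Black event timestamps
# recorded before and after the change.
Get-SystemTimeChange -Days 30 | Format-Table -AutoSize
```
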
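Added example for row 879, not part of the original documentation or the agent: a pre-flight test run from an agent host that opens a TLS connection to the server and reports what strict certificate validation would return, so Certificate Verification is enabled only once every agent host would pass. The function name is chosen here, and the -ServerName and -Port values are caller-supplied assumptions, since the server port is not given on this page.

```powershell
# Added example, not from the Carbon Black documentation: pre-flight for health
# check 879. From an agent host, open a TLS connection to the server and report
# what strict certificate validation would say, before enabling Certificate
# Verification on the server. $ServerName and $Port are supplied by the caller;
# the App Control server port is not given on this page.
function Test-StrongSslPreflight {
    param(
        [Parameter(Mandatory)][string]$ServerName,
        [Parameter(Mandatory)][int]$Port
    )
    $seen = @{ PolicyErrors = $null; Subject = $null; Issuer = $null; ChainStatus = @() }

    # Record the verdict rather than aborting the handshake, so the certificate
    # details are still available for the report.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($sender, $cert, $chain, $policyErrors)
        $seen.PolicyErrors = $policyErrors
        $seen.Subject      = $cert.Subject
        $seen.Issuer       = $cert.Issuer
        if ($chain) { $seen.ChainStatus = @($chain.ChainStatus | ForEach-Object { "$($_.Status)" }) }
        return $true
    }.GetNewClosure())

    $tcp = New-Object System.Net.Sockets.TcpClient($ServerName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        # Validate against the host name the agent is configured to use.
        $ssl.AuthenticateAsClient($ServerName)
        $ssl.Dispose()
    } finally {
        $tcp.Close()
    }

    # PolicyErrors 'None' means strong SSL validation would succeed from this host.
    # A self-signed server certificate that is not trusted locally shows Issuer equal
    # to Subject together with RemoteCertificateChainErrors / UntrustedRoot.
    [pscustomobject]@{
        Server       = "${ServerName}:${Port}"
        Subject      = $seen.Subject
        Issuer       = $seen.Issuer
        PolicyErrors = "$($seen.PolicyErrors)"
        ChainStatus  = ($seen.ChainStatus -join ', ')
        WouldPass    = ($seen.PolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
    }
}

# Run from each agent host; enable Certificate Verification only when every host reports WouldPass = True.
Test-StrongSslPreflight -ServerName 'appcontrol-server.example' -Port 443   # placeholder values
```
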
Table 11. Low Severity Health Check Events, Category: Configuration

| Failure Id | Health Check Name | Sub Category | Description | Troubleshooting |
|---|---|---|---|---|
| 660 | InstallDirFileUnexpectedMetadata | None | The install directory contains a file with unexpected metadata | No troubleshooting steps available at this time. |
| 772 | WrongKernelOSMinor | Kernel | The kernel was built for a different minor version of the OS. Reinstall may be necessary. | No troubleshooting steps available at this time. |

Table 12. Low Severity Health Check Events, Category: Security

| Failure Id | Health Check Name | Sub Category | Description | Troubleshooting |
|---|---|---|---|---|
| 20 | AgentCertRevocationCheckUnable | Tampering | Unable to check for certificate revocation for Bit9 agent | No troubleshooting steps available at this time. |
| 570 | CarbonBlackDisabled | Tampering | Carbon Black EDR is installed but is currently disabled | No troubleshooting steps available at this time. |
| 580 | CarbonBlackNotRunning | Tampering | Carbon Black EDR is installed but is not running | No troubleshooting steps available at this time. |
| 595 | AgentServiceStoppable | Tampering | The agent's service is allowed to be stopped by administrators | No troubleshooting steps available at this time. |
| 620 | InstallDirEmpty | Tampering | The install directory is empty | No troubleshooting steps available at this time. |
| 630 | InstallDirUnexpectedFile | Tampering | The install directory contains an unexpected interesting file | No troubleshooting steps available at this time. |
| 640 | InstallDirUnsignedFile | Tampering | The install directory contains an unsigned file | No troubleshooting steps available at this time. |
| 650 | InstallDirUnexpectedPublisher | Tampering | The install directory contains a file signed with a certificate from an untrusted publisher | No troubleshooting steps available at this time. |
| 670 | InstallDirInvalidCertificate | None | The install directory contains a file with an invalid certificate | No troubleshooting steps available at this time. |
| 680 | InstallDirFileNoMetadata | None | The install directory contains a file with no metadata | No troubleshooting steps available at this time. |
| 690 | InstallDirUnexpectedApprovalReason | None | The install directory contains a file with an unexpected approval reason | No troubleshooting steps available at this time. |
| 700 | InstallDirUnexpectedFileCount | None | The install directory contains an unexpected number of files | No troubleshooting steps available at this time. |
| 710 | InstallDirNoDriverCheck | None | The install directory health check failed to include the driver(s) | No troubleshooting steps available at this time. |
| 720 | InstallDirUnapprovedFile | None | The install directory contains an unapproved file | No troubleshooting steps available at this time. |
| 730 | ServiceFailureActions | None | The service is not properly configured to auto-restart after failure | No troubleshooting steps available at this time. |
| 740 | RemoteLoadedModule | Tampering | Loaded module from remote location found in agent process(es) | No troubleshooting steps available at this time. |

Table 13. Low Severity Health Check Events, Category: Certificates

| Failure Id | Health Check Name | Sub Category | Description | Troubleshooting |
|---|---|---|---|---|
| 70 | DetachedFileValidationFailure | FileOperation | (Detached cert) Signed file did not pass file validation | No troubleshooting steps available at this time. |
| 80 | DetachedCertValidationFailure | FileOperation | (Detached cert) Signed file did not pass certificate validation | No troubleshooting steps available at this time. |
| 90 | DetachedNotSignedByMicrosoft | FileOperation | (Detached cert) The file was signed, but not by Microsoft | No troubleshooting steps available at this time. |
| 100 | DetachedFileNotSigned | FileOperation | (Detached cert) File is not signed | No troubleshooting steps available at this time. |

Table 14. Low Severity Health Check Events, Category: Fault

| Failure Id | Health Check Name | Sub Category | Description | Troubleshooting |
|---|---|---|---|---|
| 160 | AgentDatabaseIsInaccessible | Database | Failed attempt to write and read back a small value from the database | No troubleshooting steps available at this time. |
| 162 | AgentDatabaseBackupFailed | Database | The last attempt to back up the database failed | No troubleshooting steps available at this time. |
| 163 | AgentDetectedUncleanShutdown | Database | The agent database was not closed properly, usually indicative of a crash or power failure, which can lead to data loss or cache corruption | No troubleshooting steps available at this time. |
| 164 | AgentDatabaseIsLarge | Database | The agent database is larger than the currently configured safe maximum size. | No troubleshooting steps available at this time. |
| 165 | AgentDatabaseIsGrowingFast | Database | The agent database is growing too fast. | Checks whether the cache database is growing faster than a configurable maximum growth rate (max_cache_growth_rate_percentage_for_health_check). Increasing this parameter reduces the chance of this health check triggering. |


Health Check Events: Test Failure Severity

You can use the information in this section to understand the nature of each test failure severity health check event and potential troubleshooting options. These issues indicate that a specific health check test could not be executed.

Table 15. Test Failure Severity Health Check Events, Category: General

| Failure Id | Health Check Name | Sub Category | Description | Troubleshooting |
|---|---|---|---|---|
| 120 | DetachedCannotFindWindowsDir | Dependency | (Detached cert) Cannot locate the Windows directory | No troubleshooting steps available at this time. |
| 230 | FilterDriverEventReports | None | Filter driver reported health check failures to agent's health check poll | No troubleshooting steps available at this time. |
| 460 | GetWindowsSystemDirectoryFailed | FileOperation | Unable to find the Windows system directory | No troubleshooting steps available at this time. |
| 535 | MissingUSNJournal | VolumeTracking | Agent is unable to retrieve USN change journal information from an NTFS volume. This could result in a lack of visibility into files modified while the agent is not running. | No troubleshooting steps available at this time. |
| 753 | MissingProcess | Kernel | The agent service process was not found in the kernel's list of tracked processes. | No troubleshooting steps available at this time. |

Table 16. Test Failure Severity Health Check Events, Category: Configuration

| Failure Id | Health Check Name | Sub Category | Description | Troubleshooting |
|---|---|---|---|---|
| 850 | AgentMissingStaticMsiInfo | None | The agent does not have static MSI info for the installer | No troubleshooting steps available at this time. |

Table 17. Test Failure Severity Health Check Events, Category: Security

| Failure Id | Health Check Name | Sub Category | Description | Troubleshooting |
|---|---|---|---|---|
| 450 | OpenVolumeInstanceFailed | VolumeTracking | Attempt to open a volume instance failed | No troubleshooting steps available at this time. |
| 530 | NotFilteringDueToAccessOrError | VolumeTracking | Bit9 not filtering volume due to an access restriction or some error | No troubleshooting steps available at this time. |

Table 18. Test Failure Severity Health Check Events, Category: Certificates

| Failure Id | Health Check Name | Sub Category | Description | Troubleshooting |
|---|---|---|---|---|
| 60 | AgentCannotOpenForCertCheck | Dependency | Cannot check file for signing, validation, or revocation because it can't be opened | Look for other security products on the system that may interfere with agent operations. Also validate that the file system permissions grant the "SYSTEM" user read access to the agent installation directory. A Procmon log captured while running "dascli healthcheck" may also help identify why the agent is unable to open the file. |
| 110 | DetachedCannotOpenForCertCheck | Dependency | (Detached cert) Cannot check file for signing, validation, or revocation because it can't be opened | No troubleshooting steps available at this time. |
| 140 | DummyCannotOpenForSignatureCheck | Dependency | (server.id) Cannot check file for unsigned status because it can't be opened | No troubleshooting steps available at this time. |

Table 19. Test Failure Severity Health Check Events, Category: Fault

| Failure Id | Health Check Name | Sub Category | Description | Troubleshooting |
|---|---|---|---|---|
| 150 | SystemCryptoLibValidationFailure | Dependency | Cannot validate crypto library or validation failed | No troubleshooting steps available at this time. |
| 240 | FilterDriverEventInvalid | Kernel | Filter driver reported invalid results to agent's health check poll | No troubleshooting steps available at this time. |
| 250 | FilterDriverEventUnable | Kernel | Comms error prevents agent from polling kernel for health check | No troubleshooting steps available at this time. |
| 270 | FilterDriverVersionCheckUnable | Kernel | Unable to check filter driver version against agent's version | No troubleshooting steps available at this time. |
| 290 | CannotVerifyRegistryProtection | Kernel | Filter driver responded to registry check but with unexpected communications | No troubleshooting steps available at this time. |
| 360 | GetOSVersionInfoFailed | Dependency | Call to GetVersionEx failed | No troubleshooting steps available at this time. |
| 400 | CannotEnumerateDrivers | Dependency | Attempt to enumerate kernel drivers failed | No troubleshooting steps available at this time. |
| 440 | ErrorDuringVolumeSearch | VolumeTracking | While searching through volumes for Bit9 filtering, an error occurred | No troubleshooting steps available at this time. |
| 480 | VolumeGuidEnumerationFailed | VolumeTracking | Attempt to enumerate volume GUIDs failed | No troubleshooting steps available at this time. |
| 520 | FilteringVolumeButNotValidated | VolumeTracking | Bit9 is filtering a volume but could not validate communications | No troubleshooting steps available at this time. |