App Control Agent: Agent Cache Corruption

Environment

  • App Control Agent: All Versions

Symptoms

  • The agent cache is more than 1GB in size
  • Files that have been approved in the past, are now being blocked
  • The Errors.bt9 file shows frequent and persistent messages similar to the following:
    • Error[database disk image is malformed]
    • Error[HandleCorruptDB: Warning: Agent database appears to be corrupt
    • Error[ValidateConfigListFile Error[Magic mismatch[xxxx] Expected[yyyy]]]
    • Error[CacheDatabase: Database did not pass integrity check]
  • Cache_invalid.bt9 files are present in the %programdata%\Bit9\Parity Agent\Logs folder. For Windows XP and 2003 they are located in %documents and settings%\all users\application data\Bit9\Parity Agent\Logs.
  • Events with subtype "Agent database error" may show in the console

Cause

The most common cause of agent cache corruption is an improper or hard shutdown. Other causes can be another product injecting into the agent process or otherwise interfering with its operation, or a problem with the agent installation.

Resolution

Upgrading to the latest patch helps ensure that any known issue that can cause cache corruption has been addressed, and makes it more likely that the App Control Agent will be able to resolve its cache corruption automatically. Please keep in mind that the following process deletes the cache.
  1. Open an elevated command prompt and change directory to %programfiles%\Bit9\Parity Agent.

  2. Run the following commands to stop the Parity Agent service:

    • dascli password InsertLocalOrGlobalCliPasswordHere
    • dascli tamperprotect 0
    • net stop parity
    • fltmc unload paritydriver
  3. Browse to %programdata%\Bit9\Parity Agent and delete all of the files with "cache" in their names. For Windows XP and 2003 they are located in %documents and settings%\all users\application data\Bit9\Parity Agent\Logs.
  4. Run the following commands to start the Parity Agent service:
    • fltmc load paritydriver
    • net start parity
    • sc query parity (check that it shows Running)
    • dascli tamperprotect 1
    • dascli status (confirm agent is connected, has started initializing, and has Tamper Protection re-enabled)
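The following PowerShell script is an added example, not part of this article or the product: it checks a device for the symptoms listed above (cache size, Cache_invalid.bt9, the Errors.bt9 markers) and, only when run with -Repair, performs steps 2 to 4 in the order given. It assumes the default 64-bit install paths and that dascli.exe lives in the agent directory; the CLI password is a placeholder to replace.

```powershell
# Added example (not from the KB): triage a device for the symptoms above and,
# only with -Repair, run the cache reset commands exactly as listed in steps 2-4.
# Assumptions: default paths under %programfiles%/%programdata%; run elevated.
param(
    [switch]$Repair,
    [string]$CliPassword = 'InsertLocalOrGlobalCliPasswordHere'   # placeholder
)
$agentDir = Join-Path $env:ProgramFiles 'Bit9\Parity Agent'
$dataDir  = Join-Path $env:ProgramData  'Bit9\Parity Agent'
$logDir   = Join-Path $dataDir 'Logs'
$dascli   = Join-Path $agentDir 'dascli.exe'

# Error markers the article lists for Errors.bt9 (matched as literal substrings).
$markers = @('database disk image is malformed',
             'HandleCorruptDB',
             'ValidateConfigListFile Error[Magic mismatch',
             'Database did not pass integrity check')

# --- Symptom check ---------------------------------------------------------
$cacheFiles = Get-ChildItem -Path $dataDir -File -Filter '*cache*' -ErrorAction SilentlyContinue
$cacheBytes = [int64](($cacheFiles | Measure-Object -Property Length -Sum).Sum)
$tooBig     = $cacheBytes -gt 1GB
$invalidLog = Test-Path (Join-Path $logDir 'Cache_invalid*.bt9')
$errLog     = Join-Path $logDir 'Errors.bt9'
$hits = @()
if (Test-Path $errLog) {
    # One row per marker with the number of matching log lines
    $hits = Select-String -Path $errLog -SimpleMatch -Pattern $markers |
            Group-Object Pattern | Select-Object Name, Count
}
"Cache size: {0:N0} bytes (over 1GB: {1})" -f $cacheBytes, $tooBig
"Cache_invalid.bt9 present: $invalidLog"
$hits | Format-Table -AutoSize
if (-not $Repair) { return }   # report only unless -Repair was given

# --- Repair (steps 2-4 of the article; deletes the cache, device re-initializes)
& $dascli password $CliPassword
& $dascli tamperprotect 0
net stop parity
fltmc unload paritydriver
Get-ChildItem -Path $dataDir -File -Filter '*cache*' | Remove-Item -Force   # step 3
fltmc load paritydriver
net start parity
sc.exe query parity            # expect STATE: RUNNING
& $dascli tamperprotect 1
& $dascli status               # confirm connected, initializing, tamper protection on
```

Run it without -Repair first to see which symptoms the device actually shows; the repair half only makes sense when the markers or cache size confirm the corruption described above.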

Additional Notes

  • Deleting the agent cache files as shown will cause the device to re-initialize. If the machine is sensitive to degraded performance or possible blocks, we recommend doing this after hours or during a time frame where this is acceptable.
  • If you are experiencing these symptoms on more than a handful of devices, you may want to consider using the cache integrity check property. Please see related content for more information on that.

Related Content


Article Information
Creation Date: 11-10-2014