Hey everyone,
I often find myself referring back to some of the same EPM-W KB articles over and over again, so I thought I'd share below some of my most commonly visited KBs to keep in your back pocket.
1. EPM-W troubleshooting guide: https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0017077
This one is a great starting point for any EPM-W related troubleshooting steps. EPM-W has three primary components to consider up front, each acting as a variable when troubleshooting an issue. These are:
- Defendpoint Service
- PGHook (user space)
- PGDriver (kernel space)
While I plan to create a separate post in the future to review each of these components and what their roles are, the primary goal of this KB article is to help you with component isolation. In other words, which of the above three components is involved in the issue?
If we can isolate which component of EPM is related to the issue at hand, we can focus our attention on the relevant piece and resolve the problem more quickly. Knowing which component is involved matters because the mitigation strategy differs depending on the results of that testing.
For example, if we go down the line:
- Does disabling the Defendpoint service resolve the issue? If so, we may assume it is policy related.
- Does renaming PGHook resolve the issue? If so, it may be a software compatibility issue, and we may want to look at creating a Hook Exclusion.
- If all else fails, and we see that only by disabling PGDriver.sys does the issue go away, then we may need to consider a Driver Hook Exclusion.
Note: For both types of exclusions, if you find it is necessary to implement a Hook or Driver exclusion as a workaround, please engage BT support for awareness and any further guidance.
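Added example (not from the KB or from BeyondTrust's own tooling): a PowerShell snapshot of the three components' state, taken before and after each isolation step above so the two can be compared. It assumes the Windows service is registered as 'Defendpoint', the kernel driver as 'PGDriver', and that the user-space hook module name starts with 'PGHook'; adjust those to what your install actually shows.

```powershell
# Added example, not BeyondTrust code: snapshot Defendpoint service, PGHook and PGDriver
# state so a "before" and "after" can be diffed while isolating a component.
function Get-EpmComponentState {
    param(
        [string]$ServiceName = 'Defendpoint',   # assumed service name
        [string]$DriverName  = 'PGDriver',      # assumed driver (service) name
        [string]$HookPattern = 'PGHook*'        # assumed hook module name pattern
    )

    # 1. Defendpoint service: is it present, running, and how does it start?
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $service = if ($svc) {
        [pscustomobject]@{ Present = $true; Status = "$($svc.Status)"; StartType = "$($svc.StartType)" }
    } else {
        [pscustomobject]@{ Present = $false; Status = $null; StartType = $null }
    }

    # 2. PGHook (user space): which processes currently have the hook module loaded?
    #    Module enumeration fails for protected or other-session processes; those are skipped.
    $hooked = foreach ($p in Get-Process) {
        try {
            if ($p.Modules | Where-Object { $_.ModuleName -like $HookPattern }) { $p.ProcessName }
        } catch { }
    }

    # 3. PGDriver (kernel space): is the driver loaded, and what is its start mode?
    $drv = Get-CimInstance Win32_SystemDriver -Filter "Name='$DriverName'" -ErrorAction SilentlyContinue
    $driver = if ($drv) {
        [pscustomobject]@{ Present = $true; State = $drv.State; StartMode = $drv.StartMode; Path = $drv.PathName }
    } else {
        [pscustomobject]@{ Present = $false; State = $null; StartMode = $null; Path = $null }
    }

    [pscustomobject]@{
        Timestamp = (Get-Date).ToString('o')
        Service   = $service
        PGHook    = [pscustomobject]@{
            HookedProcessCount = @($hooked).Count
            HookedProcesses    = @($hooked | Sort-Object -Unique)
        }
        PGDriver  = $driver
    }
}

# Usage: run once before and once after each isolation step, then diff the two JSON files.
Get-EpmComponentState | ConvertTo-Json -Depth 4 |
    Set-Content -Path "$env:TEMP\epm-state-$(Get-Date -Format yyyyMMdd-HHmmss).json"
```

Run it from an elevated session; otherwise module enumeration for most processes is skipped and the PGHook count will be understated.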
2. Hook Exclusions and Managed Hook Exclusions: https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0017569
I can’t possibly bring up exclusions in #1 without sharing our KB on what these are and how to implement them. This KB article provides key information about exclusions for EPM-W, what they are, what functionality is lost & retained by using them, and how to properly build them into policy.
As an honorable mention to this one, here is our KB on Driver Exclusions as well: https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0020102
3. Log collection & generating a PGCapture: https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0017213
Whenever we need to open a case with support, it is important to collect any relevant logs to better help our support team review, analyze, and diagnose the issue.
I always suggest that my EPM customers first grab a PGCap any time we need to open a client-related support case, as this saves quite a bit of time up front and helps our support team more quickly assess what might be going on.
4. EPM Supported versions & OS compatibility information: https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0017101
This KB is a nice reference (for both Windows and Mac clients) to confirm which Operating System versions are fully supported.
5. Reducing the amount of events generated by EPM: https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0018653
This KB guides you through reducing and decluttering the audit events generated by EPM. Whether excessive event generation is causing performance issues or just making log review more tedious, it is important to consider the hygiene of your environment.
Generally speaking, we want to look at Passive event generation (that is, events which are not Elevation or Block events) and consider whether certain events are necessary to report on.
To reduce potential performance impacts (be it on a client or your appliance), BeyondTrust recommends auditing by exceptions -- in other words, placing a focus on only auditing events which are ‘out of the ordinary’. This includes auditing events such as when a user runs an elevated application, runs an unsigned binary, or attempts to run a blocked application. This will help keep the end user's system (and your Analytics!) as performant as possible.
6. (PM Cloud) Data retention limit of EPM Cloud Analytics FAQ: https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0019756
This KB provides information around the default data retention limits for EPM Cloud Analytics. The notable limits for EPM events are:
- 90 days for Elevated, On-Demand, Custom Tokens, Blocked, etc. events
- 30 days for Passive events only
As mentioned in #5 above, Passive event collection has the potential to create a huge amount of data, often cluttering Analytics and making it more difficult to find useful information while potentially degrading system performance (depending on the volume of passive data collected).
Starting September 23rd, 2024 we are reducing the retention period of Passive events only down to 30 days. If there is a need to retain Passive event data for longer than 30 days, events can be transferred out of Analytics with a SIEM/S3 bucket integration or via the event API.
For a complete list of EPM event IDs, please see our Admin guide here: https://www.beyondtrust.com/docs/privilege-management/windows/admin/audit-reports.htm
7. Reducing the performance impact of EPM-W: https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0020208
Using EPM-W has the potential to increase process launch time. While the increase is typically small and negligible, there are circumstances with certain applications where it can negatively impact system performance.
This KB helps outline the performance impact of certain policy configurations as well as provides guidance on how to mitigate performance impacts.
8. Conflicts with AV/Endpoint security products for EPM: https://beyondtrustcorp.service-now.com/csm?id=csm_kb_article&sysparm_article=KB0017099
When running multiple security products in your stack, you may run into various compatibility issues. Exclusions are made both to increase endpoint performance and to avoid conflicts between security applications.
This KB serves as a reference guide of recommended exclusions for Anti-Virus/on-access scanning to make sure everyone is playing nice.
9. (PM Cloud) Port, IP, SSL, and Domain requirements for EPM SaaS deployments: https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0019458
This KB is useful as it provides a list of environment requirements needed for EPM when deployed via the Cloud. These requirements are to allow the cloud instance to interact with your local environment.
In line with this KB is this page from our Admin guide, which lists the necessary URLs to allow list depending on your tenant's region: https://www.beyondtrust.com/docs/privilege-management/console/pm-cloud/quickstart/cloud-allowlist-urls.htm
10. (PM Cloud) EPM Adapter Reset tool & Package Manager utility: https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0020382
While the Adapter Reset tool can be deployed as a standalone tool, it is useful to know that it is built into Package Manager. This KB shows various helpful commands to help maintain adapter health and provides a mechanism to reset an unhealthy adapter to factory default functionality (without having to reinstall manually).
When is this useful? There are several use cases for this but the primary ones that come to mind are:
- In preparation for machine imaging (e.g. for gold images or managing VDI environments)
- To reconnect a disconnected or deactivated endpoint from PM Cloud without the need to uninstall / reinstall the adapter
I’ll be adding more to the list as time goes on, but I hope this helps in the meantime!
Thank you,
Neil Hartsfield
Technical Account Manager