BSOD Management in Windows Sensor

The Windows Sensor includes a BSOD (Blue Screen of Death) detection and recovery mechanism, designed as a safety feature to prevent the Cyberhaven Sensor driver from entering a continuous restart loop if a BSOD is detected.

Key Components and Processes

  • Primary Process: CyberhavenSystemMonitor
  • Registry Keys Updated Periodically:
    • LastStartTime
  • Registry Keys Created Upon System Failure:
    • FirstDetectedFailure
    • SystemFailures

How It Works

The Sensor process, CyberhavenSystemMonitor, periodically monitors and updates registry values located at HKLM\SOFTWARE\Cyberhaven\Driver.

Normal Operation

When the system runs normally, CyberhavenSystemMonitor updates the LastStartTime registry key with the current time just before starting the driver.

System Failure Detection

When a system failure is detected, CyberhavenSystemMonitor creates the following registry keys:

  • FirstDetectedFailure: Logs the timestamp of the first detected failure.
  • SystemFailures: Tracks the number of system failures.

If the SystemFailures count reaches three within a 24-hour period, CyberhavenSystemMonitor initiates the following protective actions:

  • Disables the Cyberhaven Driver, preventing further issues from repeated BSODs.
  • Adds a DisabledTime key to the registry to record the exact time the driver was disabled.
  • Updates the Endpoint Status in the Console to display Non-functional Sensor.

Restarting the Driver

To restart the Cyberhaven Sensor driver after it has been disabled:

  • In the driver_safeguards remote configuration, set the reset_timestamp to a time later than DisabledTime. Setting the time to the current UTC time will re-enable the driver.
  • CyberhavenSystemMonitor resets the relevant registry entries, clearing the SystemFailures count back to 0.
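The failure-counting, disable and reset rules described above, modelled in Python as an added example (this is not Cyberhaven's code; the registry values are held in an in-memory object with assumed names). It assumes the 24-hour window is measured from FirstDetectedFailure and that a failure outside that window starts a new window, which the page does not spell out.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

FAILURE_THRESHOLD = 3            # SystemFailures count that disables the driver
FAILURE_WINDOW = timedelta(hours=24)


@dataclass
class DriverSafeguardState:
    """In-memory stand-in for the HKLM\\SOFTWARE\\Cyberhaven\\Driver values (assumed model)."""
    last_start_time: Optional[datetime] = None
    first_detected_failure: Optional[datetime] = None
    system_failures: int = 0
    disabled_time: Optional[datetime] = None

    @property
    def driver_disabled(self) -> bool:
        return self.disabled_time is not None

    def driver_start(self, now: datetime) -> bool:
        """Normal operation: stamp LastStartTime just before starting the driver."""
        if self.driver_disabled:
            return False                     # safeguard tripped; driver stays down
        self.last_start_time = now
        return True

    def record_failure(self, now: datetime) -> bool:
        """System failure detected: maintain FirstDetectedFailure / SystemFailures.
        Returns True when the driver is (now) disabled."""
        # Assumption: a failure more than 24h after the first one opens a new window.
        if (self.first_detected_failure is None
                or now - self.first_detected_failure > FAILURE_WINDOW):
            self.first_detected_failure = now
            self.system_failures = 0
        self.system_failures += 1
        if self.system_failures >= FAILURE_THRESHOLD and not self.driver_disabled:
            self.disabled_time = now         # DisabledTime records when it tripped
        return self.driver_disabled

    def apply_reset(self, reset_timestamp: datetime) -> bool:
        """driver_safeguards.reset_timestamp: re-enable only if later than DisabledTime."""
        if self.disabled_time is None or reset_timestamp <= self.disabled_time:
            return False
        self.disabled_time = None
        self.first_detected_failure = None
        self.system_failures = 0             # count cleared back to 0
        return True
```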