Preparing data to display. Please, wait... [EDR Optimum]
Entry posted by svc_kms in Known Problem
6 views
Problem
Using EDR, you may encounter an issue where you're unable to view incident card regarding a detection in KSC Web Console. It looks like this:
Here we will discuss known causes of such behavior (several products are involved, so causes may be different).
Possible causes and solutions
MDR
In MDR, incidents are to be viewed using the dedicated MDR Console, and KSC version 13 and newer with configured MDR plug-in. KSC 12.* Web Console will not receive the data; this is expected behavior.
KES+KEA
If you first install KES without EA component, and then a standalone KEA package, KES EDRO integration will be disabled and killchain will not work.
Here is a quick way to determine if KEA was installed as a component of KES. Open regedit, then navigate to:
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\KasperskyLab\protected\KES\Installer\features]
"AntiAPTFeature" = "1"
If the value is 0, proceed to the workaround to enable the component as described below.
To fix this, we ran Change application components task on the host, enabling Endpoint Agent in KES.
If KES/KEA integration is configured correctly, we can find the following in KES traces:
12:08:37.426 0x2a18 INF edr_etw Start processing detect = http://www.virusanalyst.com/eicar.zip//eicar/eicar.com, recordId = 6, taskId = 1128, result = 0
12:08:37.426 0x2a18 INF edr_etw Start processing actions = http://www.virusanalyst.com/eicar.zip//eicar/eicar.com, action = 4, recordId = 6, taskId = 1128, edrAction = 3489660999, result = 0
12:08:37.442 0x2a18 INF edr_etw Killchain is enabled!
12:08:37.442 0x2a18 INF edr_etw SystemWatcher is running!
12:08:37.442 0x2a18 INF edr_etw product::component::edr::`anonymous-namespace'::IsSystemWatcherDetect begin
12:08:37.442 0x2a18 INF edr_etw product::component::edr::`anonymous-namespace'::IsSystemWatcherDetect end
12:08:37.442 0x2a18 INF edr_etw product::component::edr::`anonymous-namespace'::InvestigateProcessIds begin
12:08:37.442 0x2a18 INF edr_etw product::component::edr::`anonymous-namespace'::InvestigateProcessIds end
12:08:37.442 0x2a18 INF edr_etw Finish processing detect = http://www.virusanalyst.com/eicar.zip//eicar/eicar.com threat status = 1, recordId = 6, taskId = 1128,result = 0
12:08:37.458 0x1f18 INF edr_etw Finish processing AV detect result = 0
|
Searching for ThreatID in KEA traces:
12:08:37.426 0x2a18 INF amfcd ThreatsProcessingEventsLogic::OnTreatActionImpl: ctx:0x23d68510 [TI 0x1b8dd490: id = 0x6, : tdid = {7F620459-6C51-9E46-9A5D-689A9B0D0098}, name = http://www.virusanalyst.com/eicar.zip//eicar/eicar.com, add info: <none>, 0x0] 0x4 0x0
|
KES+KEA (upgrade from KESB to EDR Optimum)
EDR Optimum requires KSC 12.1 or newer to work. This includes the Network Agent, which is a part of KSC, and is generally installed on the host alongside KES.
Using an outdated version of Network Agent (10.5, 11, etc.) will lead to the mentioned error when opening incident cards. If Network Agents were not upgraded along KSC, it's better upgrading them for EDR Optimum.
KES 11.7+
Check that EDR Optimum feature is enabled in registry (GSI > Registry > HKLM_Software_Wow6432Node_KasperskyLab.reg.txt ).
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\KasperskyLab\protected\KES\Installer\features]
EdrOptimumFeature = 1
If value is 0, run Change application components task on the host, enabling EDR Optimum in KES.
Also in traces (*.SRV.log) you can search for sentence bundles::InstalledFeaturesProvider::InstalledFeaturesProvider and check that EDROptimumFeature is there, for instance in example below such component is missing
KES.21.9.6.465_05.18_14.00_3952.SRV.log
11:00:36.897 0x26a0 INF bundles::InstalledFeaturesProvider::InstalledFeaturesProvider{ 3 (AVScannerAndCoreFeature) 28 (AdaptiveAnomaliesControlFeature) 0 (AdminKitConnectorFeature) 24 (AdvancedThreatProtectionFeature) 27 (AmsiFeature) 7 (ApplicationControlFeature) 17 (BehaviorDetectionFeature) 30 (CloudControlFeature) 4 (CriticalScanTask) 6 (DeviceControlFeature) 23 (EssentialThreatProtectionFeature) 11 (ExploitPreventionFeature) 8 (FileThreatProtectionFeature) 19 (FirewallFeature) 5 (FullScanTask) 2 (HostIntrusionPreventionFeature) 16 (MailThreatProtectionFeature) 14 (NetworkThreatProtectionFeature) 12 (RemediationEngineFeature) 25 (SecurityControlsFeature) 18 (UpdaterTask) 21 (WebControlFeature) 20 (WebThreatProtectionFeature) 22 (WholeProductFeature) }
|
KSWS+KEA
The same rule applies: KEA component needs to be installed in KSWS. KSWS does not have a "Change application components" task in KSC, so this has to be taken into account during KSWS deployment.
Here is a quick way to determine if KEA was installed as a component of KSWS. Open regedit, then navigate to:
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\KasperskyLab\\WSEE\11.0\Install]
"Features"="AntiCryptorNAS=0;AntiCryptor=0;AntiExploit=0;AppCtrl=0;AVProtection=0;DevCtrl=0;Fim=0;Firewall=0;ICAPProt=0;IDS=0;Ksn=0;LogInspector=0;Oas=0;Ods=0;RamDisk=0;RPCProt=0;ScriptChecker=0;Soyuz=0;WebGW=0"
(Soyuz needs to be set to 1)
If Soyuz is set to 0, apply workaround to enable it. KSWS allows to change its components locally or via cli.
Here is the example of how to set Soyuz=1 when KEA was installed not as a component of KSWS:
1. Locate ks4ws_x64.msi or ks4ws.msi (depends on OS architecture)
2. Create custom installation package based on ks4ws_x64.msi or ks4ws.msi from p.1 with parameters as per screenshot (add UNLOCK_PASSWORD= if KSWS is protected by password in policy)
3. Deploy package on problematic servers with KSWS and KEA, then check registry that Soyuz=1
4. Check host's properties at KSC side - EDRO should be in Running state in KEA
If KSWS/KEA integration is configured correctly, we can find the following in KSWS traces:
19:57:04.577 7a8 1310 info [edr] Published ThreadDetected:
VerdictName : HEUR:Win32.Generic.Suspicious.Access
RecordId : 0
DatabaseTime : 18446744073709551615
ThreatId : {ffb58079-6d8d-4a62-8ab0-021ff4ed61c5}
IsSilent : false
Technology : 3489661023
ProcessingMode : 3489660948
ObjectType : 3489660934
ObjectName : C:\Windows\System32\wbem\WmiPrvSE.exe
Md5 : e1bce838cd2695999ab34215bf94b501
Sha256 : 1d7b11c9deddad4f77e5b7f01dddda04f3747e512e0aa23d39e4226854d26ca2
UniquepProcessId: 0xf7c807730e051a0d
NativePid : 3360
CommandLine :
AmsiScanType :
AmsiScanBlob :
FileCreationTime: 1601-01-06T23:09:56.075520800Z
|
Searching for ThreatID in KEA traces:
19:57:05.583 704 9b0 debug [bl] ThreatsHandler: detect v2
verdictName: HEUR:Win32.Generic.Suspicious.Access
detectTechnology: 0xd000005f
processingMode: 0xd0000014
objectType: 0xd0000006
objectName: C:\Windows\System32\wbem\WmiPrvSE.exe
nativePid: 3360
uniquePid: 17854528913448180237
nativePidTelemetry: 3360
uniquePidTelemetry: 17854528913448180237
downloaderUniqueFileId: <none>
downloadUrl: <none>
isSilentDetect: false
threatId: ffb58079-6d8d-4a62-8ab0-021ff4ed61c5
19:57:05.583 704 650 info [evtstt] NetworkConnectionHandler statistics: queueSize=0, received=59675, processed=59675, dropped=0, queueBytes=191
19:57:05.583 704 650 info [evtstt] NetworkConnectionHandler statistics: queueSize=0, received=59676, processed=59676, dropped=0, queueBytes=132
19:57:05.583 704 650 info [evtstt] NetworkConnectionHandler statistics: queueSize=0, received=59677, processed=59677, dropped=0, queueBytes=371
19:57:05.583 704 9b0 debug [bl] Threats Handler: event processed, id = 2
19:57:05.584 704 1fc debug [killchain] Message discarded: name = ThreatDetect
|
The verdict is Message discarded, this means the detection won't trigger killchain generation.
No such entries can be found in traces, which might mean that EPP integration is not configured correctly (EDR component is disabled in KSWS).
Check killchain presence on the host
If all pre-requisites are met, it's worth checking if killchain files are actually created on the host. To check that, run cmd.exe as Administrator and check the c:\ProgramData\Kaspersky Lab\Endpoint Agent\4.0\Data\killchain\detects folder contents. Archives with <threat_id>.zip names should be present in the folder:
C:\WINDOWS\system32>dir "c:\ProgramData\Kaspersky Lab\Endpoint Agent\4.0\Data\killchain\detects"
Volume in drive C has no label.
Volume Serial Number is 8010-ADC0
Directory of c:\ProgramData\Kaspersky Lab\Endpoint Agent\4.0\Data\killchain\detects
08/16/2021 12:20 PM <DIR> .
08/16/2021 12:20 PM <DIR> ..
08/16/2021 09:34 AM 636 0349c190-4ac3-4da4-9b64-07835298660f.zip //this is an archive with killchain info
08/16/2021 12:18 PM 696 1d306aa7-f37f-4ab2-969e-d337d398a995.zip
08/16/2021 09:34 AM 637 23a5dc93-5776-43c8-b949-79c102aa1184.zip
08/16/2021 12:19 PM 691 27bc9ea3-200b-49d2-b8b0-df7954cd428a.zip
08/16/2021 12:19 PM 683 40673c70-9e8e-420f-b5ce-65b406862b94.zip
08/16/2021 12:19 PM 688 590b6e30-4509-4b25-bdb0-062f89b7e062.zip
08/16/2021 12:20 PM 693 67993612-dc82-45a2-9e5b-74756adc46eb.zip
08/16/2021 12:20 PM 685 6a892bd1-f452-42d0-80b0-cb953cd7fc26.zip
08/16/2021 12:19 PM 686 a63fbafa-fcef-46f7-935f-42be4392a172.zip
08/16/2021 12:19 PM 699 d9d4f5eb-42b2-4460-8f8a-eb63bbef8791.zip
08/16/2021 12:19 PM 686 f6042624-9840-4a6e-9b30-9270cce22236.zip
11 File(s) 7,480 bytes
2 Dir(s) 240,763,092,992 bytes free
|
0 Comments
Recommended Comments
There are no comments to display.
Please sign in to comment
You will be able to leave a comment after signing in
Sign In Now