Jump to content

Preparing data to display. Please, wait... [EDR Optimum]


Recommended Posts

Antipova Anna
Posted

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

Problem

Using EDR, you may encounter an issue where you're unable to view incident card regarding a detection in KSC Web Console. It looks like this:

image.png.8cc6dd0fd60106ec5f2abce26218d6ec.png

Here we will discuss known causes of such behavior (several products are involved, so causes may be different).

Possible causes and solutions

MDR

In MDR, incidents are to be viewed using the dedicated MDR Console, and KSC version 13 and newer with configured MDR plug-in. KSC 12.* Web Console will not receive the data; this is expected behavior.

KES+KEA

If you first install KES without EA component, and then a standalone KEA packageKES EDRO integration will be disabled and killchain will not work.

Here is a quick way to determine if KEA was installed as a component of KES. Open regedit, then navigate to:

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\KasperskyLab\protected\KES\Installer\features]

"AntiAPTFeature" = "1"

If the value is 0, proceed to the workaround to enable the component as described below.

To fix this, we ran Change application components task on the host, enabling Endpoint Agent in KES. 

If KES/KEA integration is configured correctly, we can find the following in KES traces:

12:08:37.426    0x2a18    INF    edr_etw    Start processing detect = http://www.virusanalyst.com/eicar.zip//eicar/eicar.com, recordId = 6, taskId = 1128, result = 0
12:08:37.426    0x2a18    INF    edr_etw    Start processing actions = http://www.virusanalyst.com/eicar.zip//eicar/eicar.com, action = 4, recordId = 6, taskId = 1128, edrAction = 3489660999, result = 0
12:08:37.442    0x2a18    INF    edr_etw    Killchain is enabled!
12:08:37.442    0x2a18    INF    edr_etw    SystemWatcher is running!
12:08:37.442    0x2a18    INF    edr_etw    product::component::edr::`anonymous-namespace'::IsSystemWatcherDetect begin
12:08:37.442    0x2a18    INF    edr_etw    product::component::edr::`anonymous-namespace'::IsSystemWatcherDetect end
12:08:37.442    0x2a18    INF    edr_etw    product::component::edr::`anonymous-namespace'::InvestigateProcessIds begin
12:08:37.442    0x2a18    INF    edr_etw    product::component::edr::`anonymous-namespace'::InvestigateProcessIds end
12:08:37.442    0x2a18    INF    edr_etw    Finish processing detect = http://www.virusanalyst.com/eicar.zip//eicar/eicar.com threat status = 1, recordId = 6, taskId = 1128,result = 0
12:08:37.458    0x1f18    INF    edr_etw    Finish processing AV detect result = 0

Searching for ThreatID in KEA traces:

12:08:37.426    0x2a18    INF    amfcd    ThreatsProcessingEventsLogic::OnTreatActionImpl: ctx:0x23d68510 [TI 0x1b8dd490: id = 0x6, : tdid = {7F620459-6C51-9E46-9A5D-689A9B0D0098}, name = http://www.virusanalyst.com/eicar.zip//eicar/eicar.com, add info: <none>, 0x0] 0x4 0x0

KES+KEA (upgrade from KESB to EDR Optimum)

EDR Optimum requires KSC 12.1 or newer to work. This includes the Network Agent, which is a part of KSC, and is generally installed on the host alongside KES.

Using an outdated version of Network Agent (10.5, 11, etc.) will lead to the mentioned error when opening incident cards. If Network Agents were not upgraded along KSC, it's better upgrading them for EDR Optimum.

KES 11.7+

Check that EDR Optimum feature is enabled in registry (GSI > Registry > HKLM_Software_Wow6432Node_KasperskyLab.reg.txt ).

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\KasperskyLab\protected\KES\Installer\features]

EdrOptimumFeature = 1

If value is 0, run Change application components task on the host, enabling EDR Optimum in KES.

Also in traces (*.SRV.log) you can search for sentence bundles::InstalledFeaturesProvider::InstalledFeaturesProvider and check that EDROptimumFeature is there, for instance in example below such component is missing

 KES.21.9.6.465_05.18_14.00_3952.SRV.log
 
11:00:36.897    0x26a0  INF bundles::InstalledFeaturesProvider::InstalledFeaturesProvider{ 3 (AVScannerAndCoreFeature)  28 (AdaptiveAnomaliesControlFeature)  0 (AdminKitConnectorFeature)  24 (AdvancedThreatProtectionFeature)  27 (AmsiFeature)  7 (ApplicationControlFeature)  17 (BehaviorDetectionFeature)  30 (CloudControlFeature)  4 (CriticalScanTask)  6 (DeviceControlFeature)  23 (EssentialThreatProtectionFeature)  11 (ExploitPreventionFeature)  8 (FileThreatProtectionFeature)  19 (FirewallFeature)  5 (FullScanTask)  2 (HostIntrusionPreventionFeature)  16 (MailThreatProtectionFeature)  14 (NetworkThreatProtectionFeature)  12 (RemediationEngineFeature)  25 (SecurityControlsFeature)  18 (UpdaterTask)  21 (WebControlFeature)  20 (WebThreatProtectionFeature)  22 (WholeProductFeature) }

KSWS+KEA

The same rule applies: KEA component needs to be installed in KSWS. KSWS does not have a "Change application components" task in KSC, so this has to be taken into account during KSWS deployment.

Here is a quick way to determine if KEA was installed as a component of KSWS. Open regedit, then navigate to:

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\KasperskyLab\\WSEE\11.0\Install]

"Features"="AntiCryptorNAS=0;AntiCryptor=0;AntiExploit=0;AppCtrl=0;AVProtection=0;DevCtrl=0;Fim=0;Firewall=0;ICAPProt=0;IDS=0;Ksn=0;LogInspector=0;Oas=0;Ods=0;RamDisk=0;RPCProt=0;ScriptChecker=0;Soyuz=0;WebGW=0"
(Soyuz needs to be set to 1)

If Soyuz is set to 0, apply workaround to enable it. KSWS allows to change its components locally or via cli.

Here is the example of how to set Soyuz=1 when KEA was installed not as a component of KSWS:

1. Locate ks4ws_x64.msi or ks4ws.msi (depends on OS architecture)

image.png.ed72dcb0eb15dc6626054c6f750741b2.png

2. Create custom installation package based on ks4ws_x64.msi or ks4ws.msi from p.1 with parameters as per screenshot (add UNLOCK_PASSWORD= if KSWS is protected by password in policy)

image.thumb.png.0c19022e4e7ce2fa964560653ae4932c.png

3. Deploy package on problematic servers with KSWS and KEA, then check registry that Soyuz=1

image.thumb.png.a50f6bb82ec330f1f968f2a14f51ec19.png

4. Check host's properties at KSC side - EDRO should be in Running state in KEA

image.thumb.png.d5580e4a72d9ef7e3457cc8af4581729.png

If KSWS/KEA integration is configured correctly, we can find the following in KSWS traces:

19:57:04.577 7a8 1310 info [edr] Published ThreadDetected:
VerdictName : HEUR:Win32.Generic.Suspicious.Access
RecordId : 0
DatabaseTime : 18446744073709551615
ThreatId : {ffb58079-6d8d-4a62-8ab0-021ff4ed61c5}
IsSilent : false
Technology : 3489661023
ProcessingMode : 3489660948
ObjectType : 3489660934
ObjectName : C:\Windows\System32\wbem\WmiPrvSE.exe
Md5 : e1bce838cd2695999ab34215bf94b501
Sha256 : 1d7b11c9deddad4f77e5b7f01dddda04f3747e512e0aa23d39e4226854d26ca2
UniquepProcessId: 0xf7c807730e051a0d
NativePid : 3360
CommandLine :
AmsiScanType :
AmsiScanBlob :
FileCreationTime: 1601-01-06T23:09:56.075520800Z

Searching for ThreatID in KEA traces:

19:57:05.583 704 9b0 debug [bl] ThreatsHandler: detect v2
verdictName: HEUR:Win32.Generic.Suspicious.Access
detectTechnology: 0xd000005f
processingMode: 0xd0000014
objectType: 0xd0000006
objectName: C:\Windows\System32\wbem\WmiPrvSE.exe
nativePid: 3360
uniquePid: 17854528913448180237
nativePidTelemetry: 3360
uniquePidTelemetry: 17854528913448180237
downloaderUniqueFileId: <none>
downloadUrl: <none>
isSilentDetect: false
threatId: ffb58079-6d8d-4a62-8ab0-021ff4ed61c5
19:57:05.583 704 650 info [evtstt] NetworkConnectionHandler statistics: queueSize=0, received=59675, processed=59675, dropped=0, queueBytes=191
19:57:05.583 704 650 info [evtstt] NetworkConnectionHandler statistics: queueSize=0, received=59676, processed=59676, dropped=0, queueBytes=132
19:57:05.583 704 650 info [evtstt] NetworkConnectionHandler statistics: queueSize=0, received=59677, processed=59677, dropped=0, queueBytes=371
19:57:05.583 704 9b0 debug [bl] Threats Handler: event processed, id = 2
19:57:05.584 704 1fc debug [killchain] Message discarded: name = ThreatDetect

The verdict is Message discarded, this means the detection won't trigger killchain generation. 

No such entries can be found in traces, which might mean that EPP integration is not configured correctly (EDR component is disabled in KSWS).

Check killchain presence on the host

If all pre-requisites are met, it's worth checking if killchain files are actually created on the host. To check that, run cmd.exe as Administrator and check the c:\ProgramData\Kaspersky Lab\Endpoint Agent\4.0\Data\killchain\detects folder contents. Archives with <threat_id>.zip names should be present in the folder:

C:\WINDOWS\system32>dir "c:\ProgramData\Kaspersky Lab\Endpoint Agent\4.0\Data\killchain\detects"
Volume in drive C has no label.
Volume Serial Number is 8010-ADC0
 
Directory of c:\ProgramData\Kaspersky Lab\Endpoint Agent\4.0\Data\killchain\detects
 
08/16/2021 12:20 PM <DIR> .
08/16/2021 12:20 PM <DIR> ..
08/16/2021 09:34 AM 636 0349c190-4ac3-4da4-9b64-07835298660f.zip //this is an archive with killchain info
08/16/2021 12:18 PM 696 1d306aa7-f37f-4ab2-969e-d337d398a995.zip
08/16/2021 09:34 AM 637 23a5dc93-5776-43c8-b949-79c102aa1184.zip
08/16/2021 12:19 PM 691 27bc9ea3-200b-49d2-b8b0-df7954cd428a.zip
08/16/2021 12:19 PM 683 40673c70-9e8e-420f-b5ce-65b406862b94.zip
08/16/2021 12:19 PM 688 590b6e30-4509-4b25-bdb0-062f89b7e062.zip
08/16/2021 12:20 PM 693 67993612-dc82-45a2-9e5b-74756adc46eb.zip
08/16/2021 12:20 PM 685 6a892bd1-f452-42d0-80b0-cb953cd7fc26.zip
08/16/2021 12:19 PM 686 a63fbafa-fcef-46f7-935f-42be4392a172.zip
08/16/2021 12:19 PM 699 d9d4f5eb-42b2-4460-8f8a-eb63bbef8791.zip
08/16/2021 12:19 PM 686 f6042624-9840-4a6e-9b30-9270cce22236.zip
11 File(s) 7,480 bytes
2 Dir(s) 240,763,092,992 bytes free

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now


×
×
  • Create New...