Preparing data to display. Please, wait... [EDR Optimum]


Problem

Using EDR Optimum, you may run into an issue where the incident card for a detection cannot be viewed in KSC Web Console: instead of the card, the console only shows the message "Preparing data to display. Please, wait..." (the message in the title of this post).

Below are the known causes of this behavior. Several products are involved (KSC, Network Agent, KES or KSWS, and KEA), so the cause depends on the deployment.

Possible causes and solutions

MDR

In MDR, incidents are viewed in the dedicated MDR Console, or in KSC version 13 and newer with the MDR plug-in configured. The KSC 12.* Web Console does not receive this data, so an empty incident card there is expected behavior.

KES+KEA

If KES is first installed without the Endpoint Agent (EA) component and a standalone KEA package is installed afterwards, the KES/EDRO integration is disabled and killchain generation will not work.

Here is a quick way to determine whether KEA was installed as a component of KES. Open regedit and navigate to:

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\KasperskyLab\protected\KES\Installer\features]

"AntiAPTFeature" = "1"

If the value is 0, apply the workaround below to enable the component.

To fix this, run the Change application components task on the host and enable Endpoint Agent in KES.

If KES/KEA integration is configured correctly, we can find the following in KES traces:

12:08:37.426    0x2a18    INF    edr_etw    Start processing detect = http://www.virusanalyst.com/eicar.zip//eicar/eicar.com, recordId = 6, taskId = 1128, result = 0
12:08:37.426    0x2a18    INF    edr_etw    Start processing actions = http://www.virusanalyst.com/eicar.zip//eicar/eicar.com, action = 4, recordId = 6, taskId = 1128, edrAction = 3489660999, result = 0
12:08:37.442    0x2a18    INF    edr_etw    Killchain is enabled!
12:08:37.442    0x2a18    INF    edr_etw    SystemWatcher is running!
12:08:37.442    0x2a18    INF    edr_etw    product::component::edr::`anonymous-namespace'::IsSystemWatcherDetect begin
12:08:37.442    0x2a18    INF    edr_etw    product::component::edr::`anonymous-namespace'::IsSystemWatcherDetect end
12:08:37.442    0x2a18    INF    edr_etw    product::component::edr::`anonymous-namespace'::InvestigateProcessIds begin
12:08:37.442    0x2a18    INF    edr_etw    product::component::edr::`anonymous-namespace'::InvestigateProcessIds end
12:08:37.442    0x2a18    INF    edr_etw    Finish processing detect = http://www.virusanalyst.com/eicar.zip//eicar/eicar.com threat status = 1, recordId = 6, taskId = 1128,result = 0
12:08:37.458    0x1f18    INF    edr_etw    Finish processing AV detect result = 0

Searching for the same detection in KEA traces (id = 0x6 matches recordId = 6 above; tdid is the threat ID):

12:08:37.426    0x2a18    INF    amfcd    ThreatsProcessingEventsLogic::OnTreatActionImpl: ctx:0x23d68510 [TI 0x1b8dd490: id = 0x6, : tdid = {7F620459-6C51-9E46-9A5D-689A9B0D0098}, name = http://www.virusanalyst.com/eicar.zip//eicar/eicar.com, add info: <none>, 0x0] 0x4 0x0

KES+KEA (upgrade from KESB to EDR Optimum)

EDR Optimum requires KSC 12.1 or newer. This includes Network Agent, which is part of KSC and is usually installed on the host alongside KES.

An outdated Network Agent (10.5, 11, etc.) causes the error described above when an incident card is opened. If Network Agents were not upgraded together with KSC, upgrade them before using EDR Optimum.

KES 11.7+

Check that the EDR Optimum feature is enabled in the registry (in a GSI report: Registry > HKLM_Software_Wow6432Node_KasperskyLab.reg.txt):

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\KasperskyLab\protected\KES\Installer\features]

EdrOptimumFeature = 1

If the value is 0, run the Change application components task on the host and enable EDR Optimum in KES.

In the KES traces (*.SRV.log) you can also search for the string bundles::InstalledFeaturesProvider::InstalledFeaturesProvider and check that EdrOptimumFeature is listed. In the example below the feature is missing from the list:

 KES.21.9.6.465_05.18_14.00_3952.SRV.log
 
11:00:36.897    0x26a0  INF bundles::InstalledFeaturesProvider::InstalledFeaturesProvider{ 3 (AVScannerAndCoreFeature)  28 (AdaptiveAnomaliesControlFeature)  0 (AdminKitConnectorFeature)  24 (AdvancedThreatProtectionFeature)  27 (AmsiFeature)  7 (ApplicationControlFeature)  17 (BehaviorDetectionFeature)  30 (CloudControlFeature)  4 (CriticalScanTask)  6 (DeviceControlFeature)  23 (EssentialThreatProtectionFeature)  11 (ExploitPreventionFeature)  8 (FileThreatProtectionFeature)  19 (FirewallFeature)  5 (FullScanTask)  2 (HostIntrusionPreventionFeature)  16 (MailThreatProtectionFeature)  14 (NetworkThreatProtectionFeature)  12 (RemediationEngineFeature)  25 (SecurityControlsFeature)  18 (UpdaterTask)  21 (WebControlFeature)  20 (WebThreatProtectionFeature)  22 (WholeProductFeature) }

KSWS+KEA

The same rule applies: the KEA component needs to be installed as part of KSWS. KSWS does not have a Change application components task in KSC, so this has to be planned during KSWS deployment.

Here is a quick way to determine whether KEA was installed as a component of KSWS. Open regedit and navigate to:

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\KasperskyLab\WSEE\11.0\Install]

"Features"="AntiCryptorNAS=0;AntiCryptor=0;AntiExploit=0;AppCtrl=0;AVProtection=0;DevCtrl=0;Fim=0;Firewall=0;ICAPProt=0;IDS=0;Ksn=0;LogInspector=0;Oas=0;Ods=0;RamDisk=0;RPCProt=0;ScriptChecker=0;Soyuz=0;WebGW=0"
(Soyuz is the feature that corresponds to the KEA component; it needs to be set to 1.)

If Soyuz is set to 0, apply the workaround to enable it. KSWS components can be changed locally or via the command line.
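The three registry checks above (AntiAPTFeature and EdrOptimumFeature under the KES Installer\features key, Soyuz in the KSWS Features string) and the InstalledFeaturesProvider line from the KES SRV.log can all be verified offline from a GSI report. The following Python script is an added example, not code from the original post or from Kaspersky: it parses the text of the HKLM_Software_Wow6432Node_KasperskyLab.reg.txt export (or any reg export of that hive) plus the SRV.log line and prints which checks fail. The sample export and SRV.log line are constructed for the demo, and the expectation that the flags appear either as "1" strings or as dword values is the script's assumption, not something the post states.

```python
"""Check EDR Optimum / Endpoint Agent prerequisites from a GSI registry export.

Added example, not part of the original post or a Kaspersky tool. It parses
the text of a Windows .reg export (HKLM_Software_Wow6432Node_KasperskyLab.reg.txt
from a GSI report) and, optionally, the InstalledFeaturesProvider line from a
KES *.SRV.log, then reports which of the checks described in the post fail.
Sample input below is constructed; the flags are assumed to be exported either
as "1"/"0" strings or as dword values.
"""
import re

KES_FEATURES_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\KasperskyLab\protected\KES\Installer\features"
KSWS_INSTALL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\KasperskyLab\WSEE\11.0\Install"

_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+?)\s*$')
_FEATURE_RE = re.compile(r"\d+\s*\((\w+)\)")  # "24 (AdvancedThreatProtectionFeature)"


def _decode_reg_value(raw):
    """Turn the textual .reg representation of a value into a Python value."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\")
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw  # hex:, expandable strings etc. are left as exported


def parse_reg_export(text):
    """Return {key_path (lower-cased): {value_name: value}} for a .reg export.

    Registry paths are case-insensitive (the post itself writes both SOFTWARE
    and Software), so keys are normalised to lower case for lookups.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip("\ufeff \t\r")  # exports often start with a BOM
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
        elif current is not None and (m := _VALUE_RE.match(line)):
            keys[current][m.group(1)] = _decode_reg_value(m.group(2))
    return keys


def parse_ksws_features(features):
    """'AntiExploit=0;Soyuz=1;...' -> {'AntiExploit': 0, 'Soyuz': 1}."""
    out = {}
    for item in features.split(";"):
        name, sep, val = item.partition("=")
        if sep:
            out[name.strip()] = int(val)
    return out


def parse_installed_features(srv_log_line):
    """Feature names from a bundles::InstalledFeaturesProvider trace line."""
    return set(_FEATURE_RE.findall(srv_log_line))


def check_prerequisites(reg, srv_log_line=None):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    kes = reg.get(KES_FEATURES_KEY.lower())
    ksws = reg.get(KSWS_INSTALL_KEY.lower())
    if kes is None and ksws is None:
        findings.append("neither the KES nor the KSWS installer key is in the export")
    if kes is not None:
        for flag in ("AntiAPTFeature", "EdrOptimumFeature"):
            if str(kes.get(flag, 0)) != "1":
                findings.append(f"KES: {flag} is not 1, run Change application components")
    if ksws is not None:
        if parse_ksws_features(str(ksws.get("Features", ""))).get("Soyuz", 0) != 1:
            findings.append("KSWS: Soyuz=0, KEA was not installed as a KSWS component")
    if srv_log_line is not None:
        names = {n.lower() for n in parse_installed_features(srv_log_line)}
        if "edroptimumfeature" not in names:
            findings.append("KES SRV.log: EdrOptimumFeature is missing from InstalledFeaturesProvider")
    return findings


# Constructed sample export: KES with AntiAPT on but EDR Optimum off, and a
# KSWS host whose Features string still has Soyuz=0.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\KasperskyLab\protected\KES\Installer\features]
"AntiAPTFeature"="1"
"EdrOptimumFeature"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\KasperskyLab\WSEE\11.0\Install]
"Features"="AntiExploit=0;AVProtection=1;Soyuz=0;WebGW=0"
'''

# Constructed, shortened copy of the SRV.log line quoted in the post (no EdrOptimumFeature).
SAMPLE_SRV_LINE = ("11:00:36.897    0x26a0  INF bundles::InstalledFeaturesProvider::InstalledFeaturesProvider"
                   "{ 3 (AVScannerAndCoreFeature)  24 (AdvancedThreatProtectionFeature)  22 (WholeProductFeature) }")

if __name__ == "__main__":
    for finding in check_prerequisites(parse_reg_export(SAMPLE_REG), SAMPLE_SRV_LINE):
        print("FAIL:", finding)
```

On a real case, feed the script the .reg.txt from the GSI report and the InstalledFeaturesProvider line grepped out of the SRV.log; the three findings for the sample above are exactly the three workarounds described in this post.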

Here is an example of how to set Soyuz=1 when KEA was not installed as a component of KSWS:

1. Locate ks4ws_x64.msi or ks4ws.msi (depending on the OS architecture).

2. Create a custom installation package in KSC based on the ks4ws_x64.msi or ks4ws.msi from step 1, with the installation parameters shown in the original post's screenshot (not reproduced here); add UNLOCK_PASSWORD= if KSWS is protected by a password in the policy.

3. Deploy the package to the problematic servers with KSWS and KEA, then check in the registry that Soyuz=1.

4. Check the host properties on the KSC side: EDRO should be in the Running state in KEA.

If KSWS/KEA integration is configured correctly, we can find the following in KSWS traces:

19:57:04.577 7a8 1310 info [edr] Published ThreadDetected:
VerdictName : HEUR:Win32.Generic.Suspicious.Access
RecordId : 0
DatabaseTime : 18446744073709551615
ThreatId : {ffb58079-6d8d-4a62-8ab0-021ff4ed61c5}
IsSilent : false
Technology : 3489661023
ProcessingMode : 3489660948
ObjectType : 3489660934
ObjectName : C:\Windows\System32\wbem\WmiPrvSE.exe
Md5 : e1bce838cd2695999ab34215bf94b501
Sha256 : 1d7b11c9deddad4f77e5b7f01dddda04f3747e512e0aa23d39e4226854d26ca2
UniquepProcessId: 0xf7c807730e051a0d
NativePid : 3360
CommandLine :
AmsiScanType :
AmsiScanBlob :
FileCreationTime: 1601-01-06T23:09:56.075520800Z

Searching for the same ThreatId in KEA traces:

19:57:05.583 704 9b0 debug [bl] ThreatsHandler: detect v2
verdictName: HEUR:Win32.Generic.Suspicious.Access
detectTechnology: 0xd000005f
processingMode: 0xd0000014
objectType: 0xd0000006
objectName: C:\Windows\System32\wbem\WmiPrvSE.exe
nativePid: 3360
uniquePid: 17854528913448180237
nativePidTelemetry: 3360
uniquePidTelemetry: 17854528913448180237
downloaderUniqueFileId: <none>
downloadUrl: <none>
isSilentDetect: false
threatId: ffb58079-6d8d-4a62-8ab0-021ff4ed61c5
19:57:05.583 704 650 info [evtstt] NetworkConnectionHandler statistics: queueSize=0, received=59675, processed=59675, dropped=0, queueBytes=191
19:57:05.583 704 650 info [evtstt] NetworkConnectionHandler statistics: queueSize=0, received=59676, processed=59676, dropped=0, queueBytes=132
19:57:05.583 704 650 info [evtstt] NetworkConnectionHandler statistics: queueSize=0, received=59677, processed=59677, dropped=0, queueBytes=371
19:57:05.583 704 9b0 debug [bl] Threats Handler: event processed, id = 2
19:57:05.584 704 1fc debug [killchain] Message discarded: name = ThreatDetect

Note the last line: the killchain message for this detection was discarded, so no killchain will be generated for it even though KSWS passed the detection to KEA.

If no such entries can be found in the traces at all, EPP integration is most likely not configured correctly (the EDR component is disabled in KSWS).
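To check both integrations from collected traces without reading them by hand, the following Python script is an added example (not code from the original post or from Kaspersky). It correlates the KES edr_etw detect lines with the KEA amfcd [TI ...] entries by record id (id = 0x6 vs recordId = 6 above), and the KSWS Published ThreadDetected blocks with the KEA ThreatsHandler: detect v2 blocks by ThreatId, flagging detects that KEA never saw and detects whose killchain message was discarded. The sample traces are shortened copies of the lines quoted above; attributing a Message discarded line to the KEA detect immediately before it is an assumption, since that line carries no threat id.

```python
"""Correlate an EPP detection with what KEA logged for it.

Added example, not code from the original post or from Kaspersky. It parses
KES (edr_etw) or KSWS ([edr] Published ...) trace lines and the matching KEA
trace lines, and reports per detection whether KEA received the threat id and
whether the killchain message was discarded. Samples are shortened copies of
the traces quoted in the post. Assumption: a "[killchain] Message discarded"
line carries no threat id, so it is attributed to the KEA detect just before it.
"""
import re

_KES_START = re.compile(r"Start processing detect = (.+?), recordId = (\d+)")
_KEA_TI = re.compile(r"\[TI [^:]+: id = 0x([0-9a-fA-F]+), : tdid = \{([0-9a-fA-F-]+)\}")
_FIELD = re.compile(r"^\s*(\w+)\s*:\s*(.*?)\s*$")   # "Name : value" lines of a block
_TS = re.compile(r"^\d\d:\d\d:\d\d\.\d{3} ")         # a timestamped line ends a block


def kes_detects(lines):
    """KES edr_etw trace -> one dict per detect, with the flags logged after it."""
    detects = []
    for line in lines:
        m = _KES_START.search(line)
        if m:
            detects.append({"record_id": int(m.group(2)), "name": m.group(1),
                            "killchain_enabled": False, "system_watcher": False})
        elif detects and "Killchain is enabled!" in line:
            detects[-1]["killchain_enabled"] = True
        elif detects and "SystemWatcher is running!" in line:
            detects[-1]["system_watcher"] = True
    return detects


def kea_tdids(lines):
    """KEA amfcd trace -> {record id: threat id} from the [TI ...] entries."""
    return {int(m.group(1), 16): m.group(2).lower()
            for m in map(_KEA_TI.search, lines) if m}


def _blocks(lines, marker):
    """Yield {field: value} for each multi-line block introduced by `marker`."""
    cur = None
    for line in lines:
        if marker in line:
            if cur is not None:
                yield cur
            cur = {}
        elif cur is None:
            continue
        elif _TS.match(line):
            yield cur
            cur = None
        elif (m := _FIELD.match(line)):
            cur[m.group(1)] = m.group(2)
    if cur is not None:
        yield cur


def correlate_kes(kes_lines, kea_lines):
    """Attach the KEA threat id (None if KEA never saw the record) to each KES detect."""
    tdids = kea_tdids(kea_lines)
    return [dict(d, kea_threat_id=tdids.get(d["record_id"])) for d in kes_detects(kes_lines)]


def correlate_ksws(ksws_lines, kea_lines):
    """For each KSWS detect: did KEA log the same threat id, and was it discarded?"""
    kea_ids = [b.get("threatId", "").strip("{}").lower()
               for b in _blocks(kea_lines, "ThreatsHandler: detect v2")]
    discarded, idx = set(), -1
    for line in kea_lines:
        if "ThreatsHandler: detect v2" in line:
            idx += 1
        elif "[killchain] Message discarded" in line and idx >= 0:
            discarded.add(kea_ids[idx])  # assumption, see module docstring
    result = []
    for b in _blocks(ksws_lines, "Published ThreadDetected:"):
        tid = b.get("ThreatId", "").strip("{}").lower()
        result.append({"threat_id": tid, "object": b.get("ObjectName", ""),
                       "seen_by_kea": tid in kea_ids, "killchain_discarded": tid in discarded})
    return result


# Constructed sample input: shortened copies of the traces quoted in the post.
KES_TRACE = """\
12:08:37.426    0x2a18    INF    edr_etw    Start processing detect = http://www.virusanalyst.com/eicar.zip//eicar/eicar.com, recordId = 6, taskId = 1128, result = 0
12:08:37.442    0x2a18    INF    edr_etw    Killchain is enabled!
12:08:37.442    0x2a18    INF    edr_etw    SystemWatcher is running!
""".splitlines()
KEA_TRACE_KES = ["12:08:37.426    0x2a18    INF    amfcd    ThreatsProcessingEventsLogic::OnTreatActionImpl: ctx:0x23d68510 [TI 0x1b8dd490: id = 0x6, : tdid = {7F620459-6C51-9E46-9A5D-689A9B0D0098}, name = http://www.virusanalyst.com/eicar.zip//eicar/eicar.com, add info: <none>, 0x0] 0x4 0x0"]
KSWS_TRACE = """\
19:57:04.577 7a8 1310 info [edr] Published ThreadDetected:
VerdictName : HEUR:Win32.Generic.Suspicious.Access
ThreatId : {ffb58079-6d8d-4a62-8ab0-021ff4ed61c5}
ObjectName : C:\\Windows\\System32\\wbem\\WmiPrvSE.exe
""".splitlines()
KEA_TRACE_KSWS = """\
19:57:05.583 704 9b0 debug [bl] ThreatsHandler: detect v2
verdictName: HEUR:Win32.Generic.Suspicious.Access
threatId: ffb58079-6d8d-4a62-8ab0-021ff4ed61c5
19:57:05.583 704 9b0 debug [bl] Threats Handler: event processed, id = 2
19:57:05.584 704 1fc debug [killchain] Message discarded: name = ThreatDetect
""".splitlines()

if __name__ == "__main__":
    print(correlate_kes(KES_TRACE, KEA_TRACE_KES))
    print(correlate_ksws(KSWS_TRACE, KEA_TRACE_KSWS))
```

A KES detect with kea_threat_id None, or a KSWS detect with seen_by_kea False, points at the broken EPP integration described above; a KSWS detect with killchain_discarded True reproduces the situation in the trace quoted above, where KEA received the detection but generated no killchain for it.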

Check killchain presence on the host

If all prerequisites are met, it is worth checking whether killchain files are actually created on the host. Run cmd.exe as Administrator and list the contents of the c:\ProgramData\Kaspersky Lab\Endpoint Agent\4.0\Data\killchain\detects folder. Archives named <threat_id>.zip should be present there:

C:\WINDOWS\system32>dir "c:\ProgramData\Kaspersky Lab\Endpoint Agent\4.0\Data\killchain\detects"
Volume in drive C has no label.
Volume Serial Number is 8010-ADC0
 
Directory of c:\ProgramData\Kaspersky Lab\Endpoint Agent\4.0\Data\killchain\detects
 
08/16/2021 12:20 PM <DIR> .
08/16/2021 12:20 PM <DIR> ..
08/16/2021 09:34 AM 636 0349c190-4ac3-4da4-9b64-07835298660f.zip //this is an archive with killchain info
08/16/2021 12:18 PM 696 1d306aa7-f37f-4ab2-969e-d337d398a995.zip
08/16/2021 09:34 AM 637 23a5dc93-5776-43c8-b949-79c102aa1184.zip
08/16/2021 12:19 PM 691 27bc9ea3-200b-49d2-b8b0-df7954cd428a.zip
08/16/2021 12:19 PM 683 40673c70-9e8e-420f-b5ce-65b406862b94.zip
08/16/2021 12:19 PM 688 590b6e30-4509-4b25-bdb0-062f89b7e062.zip
08/16/2021 12:20 PM 693 67993612-dc82-45a2-9e5b-74756adc46eb.zip
08/16/2021 12:20 PM 685 6a892bd1-f452-42d0-80b0-cb953cd7fc26.zip
08/16/2021 12:19 PM 686 a63fbafa-fcef-46f7-935f-42be4392a172.zip
08/16/2021 12:19 PM 699 d9d4f5eb-42b2-4460-8f8a-eb63bbef8791.zip
08/16/2021 12:19 PM 686 f6042624-9840-4a6e-9b30-9270cce22236.zip
11 File(s) 7,480 bytes
2 Dir(s) 240,763,092,992 bytes free
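The same check can be done from a list of threat IDs (for example the tdid/threatId values found in the KEA traces above). The following Python script is an added example, not code from the post or from Kaspersky: it lists the <threat_id>.zip archives in the detects folder, ignores files that are not named after a GUID or are empty, and reports which threat IDs have no archive. The demo builds a temporary folder with constructed sample archives instead of touching a real host; on a real host, pass DETECTS_DIR instead.

```python
"""Report threat ids that have no killchain archive in the KEA detects folder.

Added example, not part of the original post or a Kaspersky tool. Given threat
ids taken from the traces (any case, with or without braces), it compares them
with the <threat_id>.zip files in the detects folder. The demo directory and
its archives are constructed here so the script runs without a real host.
"""
import os
import re
import tempfile
import zipfile

DETECTS_DIR = r"C:\ProgramData\Kaspersky Lab\Endpoint Agent\4.0\Data\killchain\detects"
_GUID_ZIP = re.compile(r"^([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\.zip$", re.I)


def list_killchain_archives(detects_dir):
    """Return {threat_id: size_in_bytes} for every well-named, non-empty archive.

    Files that do not follow the <guid>.zip pattern are ignored, and a zero-byte
    archive is treated as missing because it cannot hold killchain data.
    """
    archives = {}
    for entry in os.scandir(detects_dir):
        m = _GUID_ZIP.match(entry.name)
        if m and entry.is_file() and entry.stat().st_size > 0:
            archives[m.group(1).lower()] = entry.stat().st_size
    return archives


def normalize_threat_id(threat_id):
    """'{FFB58079-...}' and 'ffb58079-...' refer to the same archive."""
    return threat_id.strip("{}").lower()


def missing_killchains(threat_ids, detects_dir):
    """Sorted list of threat ids (normalized) for which no archive exists."""
    present = list_killchain_archives(detects_dir)
    return sorted({normalize_threat_id(t) for t in threat_ids} - set(present))


def make_demo_dir(threat_ids_with_archive):
    """Create a temporary folder with a small constructed zip per threat id."""
    demo = tempfile.mkdtemp(prefix="killchain_demo_")
    for tid in threat_ids_with_archive:
        with zipfile.ZipFile(os.path.join(demo, f"{tid}.zip"), "w") as z:
            z.writestr("killchain.json", "{}")  # placeholder contents
    open(os.path.join(demo, "notes.txt"), "w").close()  # ignored: not <guid>.zip
    open(os.path.join(demo, "0a0a0a0a-0a0a-0a0a-0a0a-0a0a0a0a0a0a.zip"), "w").close()  # ignored: empty
    return demo


if __name__ == "__main__":
    demo = make_demo_dir(["0349c190-4ac3-4da4-9b64-07835298660f"])
    ids_from_traces = ["{0349C190-4AC3-4DA4-9B64-07835298660F}",
                       "ffb58079-6d8d-4a62-8ab0-021ff4ed61c5"]
    print("archives:", list_killchain_archives(demo))
    print("missing killchains:", missing_killchains(ids_from_traces, demo))
```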