000033476 - How to synchronize RSA ECAT 4.1.2.x when the RSA Netwitness Endpoint Server has no Internet access

Document created by RSA Customer Support Employee on Jul 18, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000033476
Applies To: RSA Product Set: Netwitness Endpoint
RSA Product/Service Type: Netwitness Endpoint
RSA Version/Condition: 4.1.2.x
Platform: Windows
Issue: How to manually synchronize RSA ECAT 4.1.2.x when the RSA ECAT Server has no Internet access?
How has ConsoleServerSync changed in ECAT 4.1.2.x?
ECAT 4.1.2.0 introduced a new File Reputation Service which, when enabled, downloads the hash status of known modules through the configured RSA Live account by connecting to cms.netwitness.com. The "Hash Lookup" column of Modules is updated from the results of the hash lookup. The ECAT Server requires Internet access for this service to run normally.
When the ECAT Server does not have Internet access, the ConsoleServerSync.exe program has been modified to allow a manual hash lookup of modules from another Internet-connected PC.
 
Tasks: Manually using the ConsoleServerSync.exe program is a three (3) step process.
1. Create the sync_out.xml file, with the choice of "download actions" to perform.
2. Download data from an Internet-connected PC.
3. Import the downloaded data into the ECAT Server SQL Server database.
Available "download actions"
a. Trusted Root certificates and Certificate Revocation Lists (CRLs) for modules discovered by the ECAT Server.
b. RSA Live feeds, for any updates to the RSA Security Analytics (SA) Live Feeds that have been subscribed to (an RSA Live login is required).
c. Kernel Data, for any update to the list of Windows Operating Systems recognizable by the ECAT Agent.
d. File Reputation Service, the hash lookup of unknown modules discovered by ECAT Agents.
For RSA ECAT 4.1.[0|1].x, instead see the alternate RSA Knowledgebase article on how to run the original ConsoleServerSync.exe program: How to synchronize RSA ECAT 4.1.x when the RSA ECAT Server has no internet access
Resolution

Step 1 Create the sync_out.xml file.


No Internet access is required for this step.
On the ECAT Server the ConsoleServerSync.exe program is in the ECAT Server directory (default C:\ECAT\Server).
Run the ConsoleServerSync.exe program from a command prompt.
The first time the ConsoleServerSync.exe program is run it creates the configuration file ConsoleServerSync.exe.config, which contains the connection details for the ECAT Server SQL database. On subsequent runs these details are read from the configuration file; as the sample output below shows, the SQL Security password is still prompted for on every run.
Sample Screen Output:
 
Enter the Database Server Name?
ECATserverHostName
Enter the Database Instance Name?
Enter the Database Name?
ECAT$PRIMARY
Use SQL Security? (Yes/No)
yes
Enter the SQL Security User Name?
sa
Enter the SQL Security Password?
*******
Connecting to database...

Where:
ECATserverHostName is the ECAT Server hostname, FQDN, or IP address. It must resolve correctly to the IP address of the machine hosting the ECAT Server SQL Server database.
Database Instance Name is normally blank.
Database Name is ECAT$PRIMARY by default.
When using SQL Security to access the SQL Server database, enter the correct SQL Server username and password.
Choosing a download action.
a. If only the Trusted Root certificates and CRLs, are required then run the command,
ConsoleServerSync.exe 1 crl
b. If only the RSA Live feeds are required then run the command,
ConsoleServerSync.exe 1 live
c. If only the Kernel Data is required then run the command,
ConsoleServerSync.exe 1 kernel
d. If only the File Reputation data is required then run the command,
ConsoleServerSync.exe 1 reputation
Sample Screen Output:

Enter the SQL Security Password?
*******
Connecting to database...
The Reputation Service is currently enabled on the ECAT server. If the server is connected to the Internet, it will automatically check the reputation of every file discovered by ECAT agents in your network and there is no need to use ConsoleServerSync to do so. Do you want to continue? (Yes/No)
yes
No modules requiring reputation check found. Skipping reputation.
Writing file...
DONE!
Press any key to continue...

Note the first warning message above: it is shown when the File Reputation Service is enabled; see the RSA Live configuration under Monitoring and External Components in the ECAT UI.
Note the second message above: no reputation check is done if there is no module with an unchecked hash value.
Sample Screen Output when there is a module needing a hash lookup:
 
ConsoleServerSync.exe 1 reputation
Enter the SQL Security Password?
*******
Connecting to database...
ConsoleServerSync is about to check the reputation of 4 modules. The time needed for this operation should not be more than 0 minutes. How many modules do you want to include in this batch?
987
Getting hashes requiring reputation check...
Writing file...
DONE!
Press any key to continue...

Note in the above that an approximate time to do all the hash lookups is given. You must enter the number of hash lookups to do in this run of the ConsoleServerSync.exe program (987 was entered in this example), whereas the ECAT Server itself normally batches only up to 400 hashes for lookup at a time.
e. To select all actions, run the command,
ConsoleServerSync.exe 1
This creates the file sync_out.xml, in the current directory containing lines like,
 

<?xml version="1.0" encoding="utf-8"?>
<Sync>
    <EcatCertificateSynch />
    <EcatLiveFeedSynch />
    <KernelErrors />
    <Reputation CSID="" URL="" count="0" />
</Sync>


The above is a minimum output example, choosing all actions will result in more lines, but with the same basic file structure.
 

Step 2 Download data from the Internet


Copy the following files from the ECAT Server to a PC which has Internet access.
The ECAT Server files: ConsoleServerSync.exe, ConsoleServerSync.exe.config, sync_out.xml (default directory location C:\ECAT\Server).
Note: In order to run ConsoleServerSync.exe on the PC, the Microsoft .NET 4.5 Full framework must be installed. It can be downloaded from the Microsoft website: Microsoft .NET Framework 4.5
From a command prompt, change to the directory which has the ConsoleServerSync.exe program, and run the command,
ConsoleServerSync.exe 2
After entering the ECAT Server SQL Server database password, the output will depend on which actions were selected to be downloaded.
a. Trusted Root certificates and CRLs.
The http sites for the Trusted Root certificates and CRLs will be shown.
The files trusted_roots.dat and revocation_lists.dat are created in the directory where the ConsoleServerSync.exe program is run.
Note: Some third-party sites may not allow access, or a module may carry an incorrect URL; these errors should be ignored.
This action may take hours to complete if you have many discovered modules from different software vendors in your ECAT environment.
b. RSA Live feeds.
Enter a valid RSA Live username and password when prompted.
Under the directory where the ConsoleServerSync.exe program is run, a directory named feed is created and the subscribed feed zipfiles are downloaded into it.
c. Kernel Data.
This creates the file kernel_data.csv in the current directory, which as of July 2016 was 1.1MB size containing 977 lines of data, where  the first line is a heading line.
d. File Reputation Service Data.
Enter a valid RSA Live username and password when required.
Sample Screen Output:
 
ConsoleServerSync.exe 2
Reading sync_out.xml ...
Unsupported kernel count = 0
Downloading kernel data from RSA Live...
Enter RSA LIVE server name [cms.netwitness.com] :
Enter RSA LIVE server Port [443] :
Enter RSA LIVE username :
username
Enter RSA LIVE password:
**********
Submitted 4 hashes out of 4 to reputation service.
DONE!


This creates the file reputation.json in the current directory.
 

Step 3 Import downloaded files into the ECAT Server SQL Server database


The import can be done from the PC with Internet access, but network access to the SQL Server database must be reliable for the whole import.
Alternatively, the downloaded files can be copied back to the ECAT Server directory where the ConsoleServerSync.exe program is (default directory location C:\ECAT\Server).
From a command prompt, change to the directory of the ConsoleServerSync.exe program, and run the command,
ConsoleServerSync.exe 3
After entering the ECAT Server SQL Server database password, the output will depend on which files exist in the current directory.
a. Files: trusted_roots.dat and revocation_lists.dat
b. Any zipfile under the feed directory.
c. File: kernel_data.csv
Please note: If you are trying to import the kernel data file from the QueueData folder, beware that its filename is different (KernelData.csv).
Rename KernelData.csv to kernel_data.csv before running "ConsoleServerSync.exe 3".
This filename discrepancy is resolved in ECAT 4.2.x.
d. File: reputation.json
Sample Screen Output:
 
Enter the SQL Security Password?
*******
Connecting to database...
Updated 4 hashes out of 4
DONE!
Press any key to continue...
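Because phase 3 imports only the files it finds in the current directory (see Step 3 above), an artefact that phase 2 never produced, or the KernelData.csv naming difference noted above, simply goes unimported. The following Python script is an added example and is not part of RSA's tooling: it reads sync_out.xml to learn which actions were selected in Step 1 and checks that the files Step 2 should have produced are present before "ConsoleServerSync.exe 3" is run. The element and attribute names come from the sync_out.xml sample in Step 1; the sample count="4" and the file names in the script are constructed, and treating a Reputation count of 0 as needing no reputation.json is an assumption.

```python
"""Pre-flight check before "ConsoleServerSync.exe 3" (added example, not RSA code).

Reads sync_out.xml (written by phase 1) to learn which download actions were
selected, then verifies that the files phase 2 should have produced are present
in the working directory. Element/attribute names follow the sync_out.xml sample
in this article; the sample values below are constructed.
"""
import os
import sys
import xml.etree.ElementTree as ET

# Constructed sample: all four actions selected, 4 hashes queued for lookup.
SAMPLE_SYNC_OUT = """<?xml version="1.0" encoding="utf-8"?>
<Sync>
    <EcatCertificateSynch />
    <EcatLiveFeedSynch />
    <KernelErrors />
    <Reputation CSID="" URL="" count="4" />
</Sync>
"""


def parse_sync_out(xml_data):
    """Return (selected_action_tags, reputation_hash_count) from sync_out.xml."""
    if isinstance(xml_data, str):
        xml_data = xml_data.encode("utf-8")
    root = ET.fromstring(xml_data)
    if root.tag != "Sync":
        raise ValueError("not a sync_out.xml document: root element is <%s>" % root.tag)
    actions = [child.tag for child in root]
    rep = root.find("Reputation")
    count = int(rep.get("count", "0")) if rep is not None else 0
    return actions, count


def preflight(xml_data, present_files):
    """Return a list of problems; an empty list means every selected action has its files.

    present_files: paths relative to the working directory (either separator).
    Assumption: a Reputation count of 0 means nothing was submitted, so no
    reputation.json is expected in that case.
    """
    actions, rep_count = parse_sync_out(xml_data)
    present = {p.replace("\\", "/") for p in present_files}
    problems = []
    if "EcatCertificateSynch" in actions:
        for name in ("trusted_roots.dat", "revocation_lists.dat"):
            if name not in present:
                problems.append("EcatCertificateSynch selected but %s is missing" % name)
    if "EcatLiveFeedSynch" in actions:
        if not any(p.startswith("feed/") and p.lower().endswith(".zip") for p in present):
            problems.append("EcatLiveFeedSynch selected but no zip files found under feed/")
    if "KernelErrors" in actions and "kernel_data.csv" not in present:
        # 4.1.2.x quirk from Step 3: the copy taken from QueueData is named KernelData.csv.
        if "KernelData.csv" in present:
            problems.append("found KernelData.csv: rename it to kernel_data.csv before phase 3")
        else:
            problems.append("KernelErrors selected but kernel_data.csv is missing")
    if "Reputation" in actions and rep_count > 0 and "reputation.json" not in present:
        problems.append("Reputation selected for %d hashes but reputation.json is missing" % rep_count)
    return problems


def scan_workdir(workdir):
    """List every file under workdir as a slash-separated path relative to it."""
    found = []
    for dirpath, _dirs, files in os.walk(workdir):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), workdir)
            found.append(rel.replace(os.sep, "/"))
    return found


if __name__ == "__main__":
    # Usage: python sync_preflight.py [C:\ECAT\Server]  (defaults to the current directory)
    workdir = sys.argv[1] if len(sys.argv) > 1 else "."
    with open(os.path.join(workdir, "sync_out.xml"), "rb") as fh:
        issues = preflight(fh.read(), scan_workdir(workdir))
    for issue in issues:
        print("WARNING:", issue)
    print("OK: all phase 2 files present" if not issues else "%d issue(s) found" % len(issues))
```

Run it from the directory that holds sync_out.xml and the phase 2 output (or pass that directory as the first argument) before starting phase 3; each warning names the action that would otherwise be skipped. The check is deliberately read-only, so it can be run on the Internet-connected PC before the files are copied back to the ECAT Server.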
Notes: Running the ConsoleServerSync.exe program without any parameters from a command prompt will show the usage guide. You can use Control-C to exit the program without taking any action.
C:\ECAT\Server\>ConsoleServerSync.exe
Enterprise Compromise Assessment Tool Console
Copyright c 2016 EMC Corporation All Rights Reserved.
-----------------------------------------------------------------------------
This tool is meant to be used to allow the synchronization of trusted certificate roots, certificate revocation lists (CRLs), RSA Live feeds, kernel data and reputation with the Internet when the ECAT server is used in an isolated environment. It must be used in three phases:
1) Export of source data from the database
For this phase, this executable must have network access to the database. A file named "sync_out.xml" will be created.
2) Collection of trusted roots, download of CRLs, RSA Live feeds and kernel data
For this phase, this executable must have access to the Internet. It is also recommended that the machine be up to date with Windows Updates in order to have the latest trusted certificate roots. The file "sync_out.xml" must be present in the same folder. Files named "revocation_lists.dat", "trusted_roots.dat", "kernel_data.csv", "reputation.json" and folder named "feed" may be created.
3) Import of collected data to the database
For this phase, this executable must have network access to the database. The files "revocation_lists.dat", "trusted_roots.dat", "kernel_data.csv", "reputation.json" and folder named "feed", if generated in Phase 2 must be present in the same folder.
To sync CRLs and trusted root certificates only, run each phase as "ConsoleServerSync.exe [phase] crl".
To sync RSA Live only, run each phase as "ConsoleServerSync.exe [phase] live".
To sync kernel data only, run each phase as "ConsoleServerSync.exe [phase] kernel".
To sync reputation data only, run each phase as "ConsoleServerSync.exe [phase] reputation".
For example: "ConsoleServerSync.exe 2 reputation".
Enter the number of the phase to execute:
