|Applies To||RSA Product Set: Netwitness Endpoint|
RSA Product/Service Type: Netwitness Endpoint, ECAT
RSA Version/Condition: 4.1.2.x, 4.2.x, 4.3.x 4.4.x
|Issue||How to manually synchronize RSA NW Endpoint 4.x when the RSA NW Endpoint Server has no Internet access?|
How has ConsoleServerSync changed in NW Endpoint 4.1.2.x
NW Endpoint 18.104.22.168 introduced a new File Reputation Service which when enabled can download the hash status for known modules, via the configured RSA Live account by connecting to cms.netwitness.com. The "Hash Lookup" column of Modules is updated from the results of the hash lookup. The ECAT Server requires Internet access for this new service to run normally.
When the NW Endpoint Server doesn't have Internet access the ConsoleServerSync.exe program has been modified to allow manual hash lookup of modules from another Internet-connected PC.
This tool can be used for systems that have limited access to the Internet.
(example, proxy/firewall only allows connection to RSA site)
If that is the case, the Console Server will not be able to validate any certificate CA.
This will be manifest in the modules panel with error akin to "Root Certificate not trusted" for all modules.
Please note that any reference to NW Endpoint is also referred to ECAT as well. This was the result of the product name change starting with version 4.2.x. As far as this article is concerned they are both one in the same and term used interchangeably.
|Tasks||Manually using the ConsoleServerSync.exe program is a three (3) step process.|
For RSA ECAT 4.1.[0|1].x instead see the alternate RSA Knowledgebase article on how to run the original ConsoleServerSync.exe program - How to synchronize RSA ECAT 4.1.x when the RSA ECAT Server has no internet access
Step 1 Create the sync_out.xml file.
No internet access is required for this step.
On the ECAT Server the ConsoleServerSync.exe program is in the ECAT Server directory (default C:\ECAT\Server directory).
Run the ConsoleServerSync.exe program from a command prompt.
The first time the ConsoleServerSync.exe program is run it will create the configuration file, ConsoleServerSync.exe.config which contains details about the ECAT Server SQL database. After the configuration file is created these details will be used on subsequent runs of the ConsoleServerSync.exe program.
Sample Screen Output:
Enter the Database Server Name?
Enter the Database Instance Name?
Enter the Database Name?
Use SQL Security? (Yes/No)
Enter the SQL Security User Name?
Enter the SQL Security Password?
Connecting to database...
ECATserverHostName is any of the ECAT Server, Hostname, FQDN, or IP address. It needs to correctly resolve to the IP address of the ECAT Server SQL Server database machine.
Database Instance Name is normally blank.
Database Name is ECAT$PRIMARY by default.
When using SQL Security to access the SQL Server database, enter the correct SQL Server username and password.
Choosing a download action.
This creates the file sync_out.xml, in the current directory containing lines like,
The above is a minimum output example, choosing all actions will result in more lines, but with the same basic file structure.
Step 2 Download data from the Internet
Copy from the ECAT Server the following files to a PC which has Internet access.
The ECAT Server files: ConsoleServerSync.exe, ConsoleServerSync.exe.config, sync_out.xml (default directory location C:\ECAT\Server).
Note: In order to run the ConsoleServerSync.exe on the PC, Microsoft .NET 4.5 Full framework must be installed. It can be downloaded from the Microsoft website: Microsoft .NET Framework 4.5
From a command prompt, change to the directory which has the ConsoleServerSync.exe program, and run the command,
After entering ECAT Server SQL Server database password, the output will depend on what actions were select to be downloaded.
Sample Screen Output:
Reading sync_out.xml ...
Unsupported kernel count = 0
Downloading kernel data from RSA Live...
Enter RSA LIVE server name [cms.netwitness.com] :
Enter RSA LIVE server Port  :
Enter RSA LIVE username :
Enter RSA LIVE password:
Submitted 4 hashes out of 4 to reputation service.
This creates the file reputation.json in the current directory.
Step 3 Import downloaded files into the ECAT Server SQL Server database
The import can be done from the PC with Internet access, but network access to the SQL Server database must be reliable during the import.
Or the downloaded files can be copied to the ECAT Server directory where the ConsoleServerSync.exe program (default directory location C:\ECAT\Server)
From a command prompt, change to the directory for the ConsoleServerSync.exe program, and run the command,
After entering ECAT Server SQL Server database password, the output will depend on what files exist in the current directory.
|Notes||Running the ConsoleServerSync.exe program without any parameters from a command prompt will show the usage guide. You can use Control-C to exit the program without any action.|
Enterprise Compromise Assessment Tool Console
Copyright c 2016 EMC Corporation All Rights Reserved.
This tool is meant to be used to allow the synchronization of trusted certificate roots, certificate revocation lists (CRLs), RSA Live feeds, kernel data and reputation with the Internet when the ECAT server is used in an isolated environment. It must be used in three phases: