000035070 - RSA ECAT Host Re-imaged while in Contained State can't be removed from Database

Document created by RSA Customer Support Employee on May 9, 2017
Version 1

Article Content

Article Number: 000035070
Applies To: RSA Product Set: ECAT, NetWitness Endpoint
RSA Product/Service Type: ECAT
RSA Version/Condition: 4.3.0.x
Platform: Windows
Issue: Containment allows an administrator in the ECAT UI to isolate specific systems that have been flagged as infected. If the agent is uninstalled from an isolated system, or the whole system is re-imaged, without first disabling containment, that system cannot be removed from the UI.
Cause: The cause lies in two behaviours tied to the NWE agent's status.
First, the option to remove the machine (Remove Selection from the Database) is intentionally disabled in the UI for contained machines, to prevent deleting isolated machines by accident.
Second, stopping containment from the UI only takes effect once the agent checks in. A machine that has been re-imaged or has had its agent uninstalled never checks in again, so its containment never clears, and the machine can be neither removed nor changed in the UI.
Resolution: Clear the containment flag for the machine directly in the database with a SQL statement:
1. Obtain the Agent ID of the agent from the UI: in the NWE UI, open Machines, then Properties of the affected machine, and note the Agent ID.
2. Run the following SQL statement in SQL Server Management Studio against the ECAT$PRIMARY database:
SELECT * FROM Machines WHERE AgentID = 'insert_agent_id_here'
Replace insert_agent_id_here with the Agent ID obtained in step 1.

3. Note the value in the PK_Machines column of the returned row. This matches the FK_Machines value in the associated MachineOnlineState table.
4. Substitute the number from step 3 for X in the statement below to clear containment (the statement assumes the database is named ECAT$PRIMARY; if yours differs, change the first line to the appropriate database name):

USE [ECAT$PRIMARY]
UPDATE MachineOnlineState
SET ContainmentStatus = 0
WHERE FK_Machines = X


5. Refresh the NWE UI (F5); the machine should no longer show containment as its status, and you can now remove the re-imaged machine (or the machine whose agent was uninstalled) from the UI.
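The lookup and update above can be combined into a single T-SQL script that refuses to run unless the Agent ID resolves to exactly one machine, records the containment state before changing it, and rolls back if the UPDATE touches anything other than one row. This is an added example written for this article, not RSA's own tooling; the table and column names (Machines.AgentID, PK_Machines, MachineOnlineState.FK_Machines, ContainmentStatus) and the ECAT$PRIMARY database name are those the article uses, the NVARCHAR type for the Agent ID variable is an assumption, and the Agent ID value is a constructed placeholder.

```sql
-- Added example (not from the RSA article): steps 2 to 4 in one guarded script.
-- Schema names are those the article names; the AgentID data type is assumed.
USE [ECAT$PRIMARY];
GO

SET NOCOUNT ON;
SET XACT_ABORT ON;

-- Replace with the Agent ID copied from the NWE UI (Machines > Properties).
-- The value below is a constructed placeholder, not a real agent.
DECLARE @AgentID NVARCHAR(64) = N'00000000-0000-0000-0000-000000000000';
DECLARE @PK      INT;
DECLARE @Matches INT;
DECLARE @Rows    INT;

-- Steps 2 and 3: resolve the Agent ID to PK_Machines, and stop unless the
-- Agent ID identifies exactly one machine (zero or several means a typo or
-- a wrong database, and the UPDATE must not run on a guess).
SELECT @Matches = COUNT(*) FROM Machines WHERE AgentID = @AgentID;
IF @Matches <> 1
BEGIN
    RAISERROR(N'Expected exactly one machine for AgentID %s, found %d; aborting.',
              16, 1, @AgentID, @Matches);
    RETURN;
END;

SELECT @PK = PK_Machines FROM Machines WHERE AgentID = @AgentID;

-- Keep a record of the state before the change so the edit is auditable.
SELECT FK_Machines, ContainmentStatus AS ContainmentStatusBefore
FROM MachineOnlineState
WHERE FK_Machines = @PK;

-- Step 4: clear the containment flag inside a transaction and commit only if
-- exactly one MachineOnlineState row was affected.
BEGIN TRANSACTION;

UPDATE MachineOnlineState
SET ContainmentStatus = 0
WHERE FK_Machines = @PK;

SET @Rows = @@ROWCOUNT;   -- capture immediately; ROLLBACK would reset it

IF @Rows <> 1
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR(N'UPDATE affected %d rows for FK_Machines %d; rolled back.',
              16, 1, @Rows, @PK);
    RETURN;
END;

COMMIT TRANSACTION;

-- Show the resulting state so it can be compared with the UI after F5.
SELECT FK_Machines, ContainmentStatus AS ContainmentStatusAfter
FROM MachineOnlineState
WHERE FK_Machines = @PK;
```

Run the script in SQL Server Management Studio with the same connection you would use for the article's statements; the only edit needed is the @AgentID value. The two result sets it returns (before and after) give you a record of what was changed for the ticket, and the row-count checks keep a mistyped Agent ID from clearing containment on the wrong machine.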