|Applies To||RSA Product Set: ECAT, NetWitness Endpoint|
RSA Product/Service Type: ECAT
RSA Version/Condition: 4.3.0.x
|Issue||Containment allows the administrator inside ECAT UI to isolate specific systems that are noted for being infected. If the infected system has its agent uninstalled or the whole system is re-imaged without first disabling containment, the system cannot be removed from the UI.|
|Cause||The cause is based on two changes to the NWE agents status.|
The first is the option to remove the machine (Remove Selection from the Database) is intentionally disabled in the UI to prevent deleting isolated machines.
This is combined with the second condition which prevents containment from stopping when selecting to stop it in the UI; since the agent must check in to stop containment in the UI, a machine no longer present will never check back, leaving the machine unable to be removed or be changed in the UI.
|Resolution||The resolution to this issue is to disable the containment factor in the database using a SQL statement:|
1. Obtain the Agent ID of the agent in the UI. See in the NWE UI, Machines, Properties of the affect machine, Agent ID.
2. Then run the below SQL statement in SQL Server Management Studio against the the ECAT$PRIMARY database:
SELECT * FROM Machines WHERE AgentID = 'insert_agent_id_here'
Replace insert_agent_id_here with the Agent ID obtained earlier.
3. Take note of the number in the PK_Machines column. This matches the number in the FK_Machines column in the associated table.
4. Take the number acquired in step 3 and apply it in place of X in the below statement to remove containment (note we are assuming the name of the database is ECAT$PRIMARY, if not change the first line to the name of the appropriate database):
SET ContainmentStatus = 0
WHERE FK_Machines = X
5. You can now in the NWE UI remove the machine that was re-imaged, or had its agent uninstalled after hitting refresh (F5) it should show the machine is no longer showing containment as its status.