000035179 - AntiVirus Disabled Field and AntiVirus Deleted from the UI in RSA ECAT

Document created by RSA Customer Support Employee on Jun 6, 2017. Last modified by RSA Customer Support Employee on Jun 6, 2017.

Article Content

Article Number: 000035179
Applies To: RSA Product Set: ECAT
RSA Product/Service Type: ECAT
RSA Version/Condition: 4.3.0.1, 4.2.0.4, 4.3.0.3
Product Name: RSA NetWitness Endpoint
 
Issue
Under the Machines tab, it is not clear which settings actually cause the AntiVirus Disabled checkbox to be set:
Sample list of machines with AntiVirus Disabled checkbox shown

When drilling down into an individual machine, the More Info tab shows a list of antivirus and antispyware products, but when a product is set to disabled it is deleted entirely from the list instead of having its status updated with the latest scan data:
Image of the More Info tab when Windows Defender is disabled and AV has been disabled showing missing entries
Image when AV is enabled with On Access scanning
Cause
There are two primary causes. The issue with the AntiVirus Disabled field is caused by the following:
1. In older versions of Windows Desktop editions, the registry value below was used:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center, AntiVirusOverride (DWORD, 1 or 0)

This works in Windows XP, and can be made to work in Vista. It is unusable in other Windows editions.


2. This was later changed to the key below:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc

This does not trigger at all, most likely because it was deprecated and removed entirely in the most recent editions of Windows.

It appears that in later versions of Windows the Windows Security Center notifications were deprecated: disabling notifications for antivirus updates no longer updates this registry key, so disabling notifications related to the antivirus state does not trigger the field in NetWitness Endpoint. The registry value in point 2 above is not actually updated; it is deprecated.
NOTE: This notification does not work at all in Windows Server editions such as 2008 R2, because Server editions do not have Security Center installed and it is therefore absent from the WMI framework.


The second primary cause concerns how NWE reports the antivirus products installed on a machine in the More Info tab:

  1. When an antivirus is disabled but not uninstalled, it vanishes from the list altogether. This is due to how the code handles the hex value reported by WMI: when that value is all zeros (0000) the code treats it as simply 0 and decides that the entries must be removed. This happens following a scan that includes security products, and the removal is done with a delete record under scanx file category 29. When the antivirus is re-enabled, the hex value becomes 1000, i.e. a value other than 0, so the code updates all three fields and re-adds the product to the UI, where it can be seen once again. A sample delete record is shown here:
RowType  RowSipHash            Type  Instance  IsEnabled  IsUpdated  IsAccessScanEnabled  DisplayName  CompanyName  VersionNumber
D        -7995259918144610903
D        -6905474762708542615
(In a delete record only RowType and RowSipHash are populated; the remaining columns are empty.)
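To make the value handling above concrete, here is an added Python example; it is not ECAT/NetWitness code. It assumes the WMI value the article refers to is AntiVirusProduct.productState from the SecurityCenter2 namespace, uses the widely used (but not officially documented) bit layout of that value, and works on constructed sample rows; it contrasts the "zero means delete" behaviour described above with logic that keeps the product and only refreshes its status fields.

```python
# Constructed sample WMI rows; productState values are illustrative, not captured.
# Decoding assumed here (widely used but not officially documented by Microsoft):
#   bits 12-15 of productState: 1 -> on-access scanning enabled, 0 -> disabled
#   bits  4- 7 of productState: 1 -> definitions out of date,  0 -> up to date
SCAN_AV_ENABLED = [
    {"displayName": "Windows Defender", "productState": 0x061000},  # low word 1000
    {"displayName": "Example AV", "productState": 0x041010},  # enabled, out of date
]
SCAN_AV_DISABLED = [
    {"displayName": "Windows Defender", "productState": 0x060000},  # low word 0000
    {"displayName": "Example AV", "productState": 0x041010},
]


def decode_product_state(state):
    """Map a productState value to the three status fields of the scanx record."""
    low_word = state & 0xFFFF  # the '0000' / '1000' the article refers to
    on_access = ((low_word >> 12) & 0xF) == 1
    out_of_date = ((low_word >> 4) & 0xF) == 1
    return {"IsEnabled": on_access, "IsUpdated": not out_of_date,
            "IsAccessScanEnabled": on_access}


def naive_update(inventory, wmi_rows):
    """Behaviour the article describes: a zero low word is read as 'no product',
    so the entry is deleted (delete record, category 29) instead of marked disabled."""
    for row in wmi_rows:
        name = row["displayName"]
        if row["productState"] & 0xFFFF == 0:
            inventory.pop(name, None)
        else:
            inventory[name] = decode_product_state(row["productState"])
    return inventory


def fixed_update(inventory, wmi_rows):
    """Keep every product the scan reports and only refresh its status fields."""
    for row in wmi_rows:
        inventory[row["displayName"]] = decode_product_state(row["productState"])
    return inventory


def run_scenario(update):
    """Apply an 'AV enabled' scan followed by an 'AV disabled' scan."""
    inventory = update({}, SCAN_AV_ENABLED)
    return update(inventory, SCAN_AV_DISABLED)


if __name__ == "__main__":
    print("naive:", run_scenario(naive_update))  # Windows Defender has vanished
    print("fixed:", run_scenario(fixed_update))  # still listed, IsEnabled False
```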
 
Resolution
Windows Security Center

The Windows Security Center sends notifications if features such as antivirus software are disabled. In Windows XP, disabling notifications updated a registry entry which ECAT used to confirm whether malware had disabled notifications. From Vista onward this value is no longer used, and the replacement registry key appears to have been deprecated, so the feature does not work on other versions of Windows. A fix is currently being developed for 4.3.0.4.
 
AntiVirus Reporting in More Info tab
 

The antivirus list seen under Machines>{specific_machine_name}>More Info>Security Products will only list antivirus products that are not currently disabled (i.e. that have scanning enabled). Disabled products are automatically deleted following a scan. This is also targeted for a fix in 4.3.0.4.
NOTE: Since this feature has always relied on SecurityCenter in Windows WMI, antivirus products on Windows Server editions were never listed: determining the state of the antivirus fields requires Windows to report it, and Server editions do not have SecurityCenter installed.
Workaround
Currently there is no workaround for this issue; it will be fixed in a future release.
