000035226 - Known Break Fix Issues and Workarounds in RSA NetWitness Endpoint 4.3.0.4

Document created by RSA Customer Support Employee on Jun 6, 2017
Version 1

Article Content

Article Number: 000035226
Applies To
   RSA Product Set: NetWitness Endpoint (formerly ECAT)
   RSA Product/Service Type: NetWitness Endpoint (formerly ECAT)
   RSA Version/Condition: 4.1.2, 4.3.0.2, 4.3.0.3, 4.3.0.4
   Platform: Windows
Issue
Several known issues in 4.3.0.3 have workarounds. These issues are listed below:
  1. Column filters are not working in the Machines and Modules views for non-enumerated types. This applies to releases 4.3.0.2, 4.3.0.3, and 4.3.0.4
  2. The advanced filter editing tool is not working properly in the Machines view for releases 4.3.0.2, 4.3.0.3, and 4.3.0.4
  3. If a NetWitness Endpoint 4.3.0.x user has subscribed to all RSA Live feeds, when that user upgrades to version 4.3.0.4, all the subscribed feeds get cleared.
  4. RSA NetWitness Endpoint 4.1.2.0 may fail to download the KernelData.csv file from the liveecat.rsa.com site, even though the ECAT Server is able to access the internet. The reason for this is that RSA NetWitness Endpoint 4.1.2.0 uses .NET 4.5, which by default does not support TLS 1.1+. (Beginning with release 4.2.0.0, RSA NetWitness Endpoint uses .NET 4.6, which does support TLS 1.1+.) More information may be found here: https://blogs.msdn.microsoft.com/dotnet/2016/08/02/announcing-net-framework-4-6-2/
  5. If you decommission a server with an agent under containment, the agent will be moved to the Primary server. However, after this point, the agent will be self-contained, because it does not have the Primary server IP in the exclusion list.
  6. Mac IIOC alertable values set to False after upgrading ConsoleServer from pre-4.3 to 4.3.0.0.
  7. Updating of agents while in Roaming Agents Relay (RAR) mode is not supported.
  8. The Delete from Quarantine function was not working correctly and was removed from the RSA NetWitness Endpoint UI.
Cause
List of Known Causes

  1. This is a DevExpress limitation: column filters are not supported for custom objects in this async grid type
  2. This is a DevExpress limitation: column filters are not supported for custom objects in this async grid type
  3. Cause is still unknown
  4. .NET 4.5 does not support TLS 1.1+ by default
  5. When an agent is contained and decommissioned without removing containment, the containing status remains on the agent
  6. During upgrade, IIOCs for Mac are reset, except for the default 3 values, which are set to True on each upgrade
  7. This has to do with the way the database and UI handle upgrade requests on the RAR server; incorrect behavior can occur, such as the version being updated without the agent actually updating.
  8. No workaround exists at this time
Resolution
Below is a list of steps for resolving the 8 known issues:
  1. Column filters are not working in the Machines and Modules views for non-enumerated types. This applies to releases 4.3.0.2, 4.3.0.3, and 4.3.0.4
    1. If a search returns an empty table, then that column is affected. It is possible to combine column filters with a box search (Ctrl + F) to model the desired search.
  2. The advanced filter editing tool is not working properly in the Machines view for releases 4.3.0.2, 4.3.0.3, and 4.3.0.4
    1. Use column filters in combination with the box search (Ctrl + F) instead.
  3. If a NetWitness Endpoint 4.3.0.x user has subscribed to all RSA Live feeds, when that user upgrades to version 4.3.0.4, all the subscribed feeds get cleared.
    1. After upgrading the NetWitness Endpoint ConsoleServer to version 4.3.0.4, in the NetWitness Endpoint UI, navigate to Configure > External Components Configuration. On the External Components Configuration dialog, select to edit the RSA Live configuration. On the RSA Live dialog, click Select All and then click Save.
  4. RSA NetWitness Endpoint 4.1.2.0 may fail to download the KernelData.csv file from the liveecat.rsa.com site, even though the ECAT Server is able to access the internet. The reason for this is that RSA NetWitness Endpoint 4.1.2.0 uses .NET 4.5, which by default does not support TLS 1.1+. (Beginning with release 4.2.0.0, RSA NetWitness Endpoint uses .NET 4.6, which does support TLS 1.1+.) More information may be found here: https://blogs.msdn.microsoft.com/dotnet/2016/08/02/announcing-net-framework-4-6-2/
    1. You can enable TLS 1.1+ in .NET 4.5 via registry key by setting the SchUseStrongCrypto value as described here: https://technet.microsoft.com/en-us/library/mt791311(v=office.16).aspx
  5. If you decommission a secondary server with an agent under containment, the agent will be moved to the Primary server. However, after this point, the agent will be self-contained, because it does not have the Primary server IP in the exclusion list.
    1. You must manually reinstall a new agent on the machine.
  6. Mac IIOC alertable values set to False after upgrading ConsoleServer from pre-4.3 to 4.3.0.0.
    1. Manually change Mac IIOC alertable values in the InstantIIOC's tab to True after updating to 4.3.0.0.
  7. Updating of agents while in Roaming Agents Relay (RAR) mode is not supported.
    1. Update the agent only when it is communicating directly with the ConsoleServer.
  8. The Delete from Quarantine function was not working correctly and was removed from the RSA NetWitness Endpoint UI.
    1. Do not use any quarantine features.
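
For resolution step 4, the following PowerShell is an added example (not part of the RSA article or RSA tooling) that reports the current SchUseStrongCrypto value and, when run with -Apply, sets it to 1. The registry paths are the standard .NET Framework 4.x locations and are an assumption here, since this article does not list them; the -Apply switch is this script's own parameter.

```powershell
# Added example: audit and optionally set SchUseStrongCrypto for .NET Framework 4.x.
# Run from an elevated PowerShell prompt on the server that downloads KernelData.csv.
param([switch]$Apply)   # without -Apply the script only reports

# Assumed locations: 64-bit and 32-bit (Wow6432Node) views of the .NET 4.x key.
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
) | Where-Object { Test-Path $_ }   # skip views that do not exist on this host

function Get-StrongCrypto {
    param([string]$Path)
    # Returns $null when the value has never been set.
    $prop = Get-ItemProperty -Path $Path -Name SchUseStrongCrypto -ErrorAction SilentlyContinue
    if ($prop) { $prop.SchUseStrongCrypto } else { $null }
}

$report = foreach ($p in $paths) {
    $before = Get-StrongCrypto -Path $p
    if ($Apply -and $before -ne 1) {
        # DWORD 1 makes .NET 4.x applications negotiate TLS 1.1+ by default.
        New-ItemProperty -Path $p -Name SchUseStrongCrypto -Value 1 `
            -PropertyType DWord -Force | Out-Null
    }
    $after = Get-StrongCrypto -Path $p
    [pscustomobject]@{
        Path   = $p
        Before = if ($null -eq $before) { '(not set)' } else { $before }
        After  = if ($null -eq $after)  { '(not set)' } else { $after }
        OK     = ($after -eq 1)
    }
}

$report | Format-Table -AutoSize

# Both registry views must be set, because 32-bit and 64-bit processes read different keys.
if ($report.OK -contains $false) {
    Write-Warning 'SchUseStrongCrypto is not 1 in every .NET 4.x registry view.'
} elseif ($Apply) {
    Write-Output 'Value set. Restart the affected service so .NET reads the new setting.'
}
```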
Notes
See the RSA NetWitness Endpoint 4.3.0.4 Release Notes for additional details.
