000036625 - Firewall/Antivirus columns in UI do not update and Firewall_Disabled.sql/Antivirus_Disabled.sql IIOC does not trigger in RSA NetWitness Endpoint

Document created by RSA Customer Support Employee on Aug 24, 2018
Version 1

Article Content

Article Number: 000036625
Applies To: RSA Product Set: NetWitness Endpoint
RSA Product/Service Type: NetWitness Endpoint
RSA Version/Condition: 4.3.x, 4.4.x
Platform: Windows
Issue: There are two issues covered here:
  1. The Antivirus column and Firewall columns do not update in the UI.
  2. The Firewall_Disabled.sql IIOC will never trigger due to the agent not sending any updates on the status of the firewall as a consequence of the first issue.
Cause: The registry keys being queried are outdated; they apply only to Windows XP and optionally to Vista. Since Microsoft's Security Center is spottily enforced, verifying firewall and antivirus functionality through the registry is inconsistent across operating systems and security vendors.
Resolution: Currently there is no resolution to this issue in 4.4 and 4.3; the feature, while technically a defect, is not being modified or fixed until 11.3 at the earliest. Some valid registry keys of note, for reference only:
 
*\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY*
\SERVICES\MPSSVC*
*\SOFTWARE\MICROSOFT\SECURITY CENTER*
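
An added example, not RSA code and not a fix for the NetWitness Endpoint columns or IIOCs: a PowerShell check that reads firewall state directly on a Windows host from the FirewallPolicy and MpsSvc locations listed above. It assumes the wildcarded paths resolve under HKLM:\SYSTEM\CurrentControlSet; the function names are hypothetical.

```powershell
# Added example (not RSA code). Assumption: the wildcarded paths in the article
# resolve under HKLM:\SYSTEM\CurrentControlSet on the host being checked.
$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$PolicyRoot   = Join-Path $ServicesRoot 'SharedAccess\Parameters\FirewallPolicy'
# Group Policy settings, when present, take precedence over the local values.
$GpoRoot      = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'

# Returns the EnableFirewall DWORD under $Path, or $null if the key/value is absent.
function Get-EnableFirewallValue {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name 'EnableFirewall' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.EnableFirewall
}

# Hypothetical helper name; returns one object per firewall profile.
function Get-HostFirewallState {
    # MpsSvc is the Windows Firewall service; if it is not running, the
    # per-profile EnableFirewall values are not being enforced.
    $svc = Get-Service -Name 'MpsSvc' -ErrorAction SilentlyContinue
    $svcRunning = ($null -ne $svc) -and ($svc.Status -eq 'Running')

    # StandardProfile is the registry name of the Private profile.
    foreach ($name in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
        $local  = Get-EnableFirewallValue -Path (Join-Path $PolicyRoot $name)
        $policy = Get-EnableFirewallValue -Path (Join-Path $GpoRoot $name)
        $effective = if ($null -ne $policy) { $policy } else { $local }

        $state = if (-not $svcRunning)         { 'ServiceNotRunning' }
                 elseif ($null -eq $effective) { 'Unknown' }
                 elseif ($effective -eq 1)     { 'Enabled' }
                 else                          { 'Disabled' }

        [pscustomobject]@{
            Profile        = $name
            ServiceRunning = $svcRunning
            LocalValue     = $local
            PolicyValue    = $policy
            State          = $state
        }
    }
}

Get-HostFirewallState | Format-Table -AutoSize
```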

 
Workaround: There is no workaround other than to ignore this feature until it is remediated in the future, possibly in 11.3.
