I just noticed that for some reason one of my policies was not detecting or preventing anything. I reinstalled the agent, which applied the default endpoint initial policy (still on the 8.17.0 Elastic Defend integration version), and it was blocking/preventing properly.
Once I updated the integration to 8.18.1 it suddenly stopped detecting anything.
Is there an issue with it?
All my policies are now at the 8.18.1 integration version of Elastic Defend... this would mean my entire Windows fleet is now unprotected...
I switched the endpoint-initial policy's Elastic Defend to prevent instead of detect at around 2:05am.
I received alerts on Windows on 8.17.
After the above I updated the integration to 8.18.1 from 8.17 and it stopped detecting.
I tested by extracting known malware, yet the files remain on the 8.18.1 integration of Elastic Defend.
Everything on the agent side seems to be fine - it shows as healthy and all green when I check.
As of 3am, no detections or anything, while the test malware was "dropped" around 2:27.
I've started a thread on GitHub about this on the SecurityOnion repo as I use SO2.