Elastic Endpoint Crashes and digital signature error

Hello,

I am seeing a problem with the Elastic Endpoint service on a couple of Windows servers. When trying to start the service we get the error:

The Elastic Endpoint service failed to start due to the following error: 
Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

There is no corruption on the server and the file is 100% valid. This started happening after a reboot. The Elastic Agent runs fine. When I try to run the process manually I get the following crash details:

Faulting application name: elastic-endpoint.exe, version: 8.4.2.0, time stamp: 0x63212a86
Faulting module name: ntdll.dll, version: 10.0.17763.3887, time stamp: 0x494079d6
Exception code: 0xc0000005
Fault offset: 0x0000000000015fff
Faulting process id: 0x944
Faulting application start time: 0x01d9302b6b7af2ba
Faulting application path: C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 41e35abc-1d67-4473-9189-2a62864737e4
Faulting package full name: 
Faulting package-relative application ID: 

There are no crash dumps in C:\Program Files\Elastic\Endpoint\cache\CrashDumps

Is this a known issue?


Howdy @Global_Helpdesk

What version of Windows Server are you seeing this on? Is it up to date with Windows updates?

You should be able to run elastic-endpoint.exe version as a slightly easier way to test if the binary is able to run.

If it is not, could you please check the event logs on those servers under:
Applications and Services Logs > Microsoft > Windows > CodeIntegrity > Operational
You can use the version command above to attempt to generate repeat error messages.

One of the more common reasons that you would see that error is if you have another security product that is attempting to load a dll within the elastic-endpoint service. Please ensure that you've added the endpoint process to exception lists for that kind of dll injection or API hooking in other security products.
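An added diagnostic script (not from this thread or from Elastic) that performs the checks suggested in this reply in one pass. It assumes the install path from the error report, an elevated Windows PowerShell session, and that the legitimate signer names contain "Elasticsearch" or "Microsoft":

```powershell
# Added example, not from the original thread. Assumptions: the install path
# from the crash report, the 'version' subcommand from the reply, an elevated
# session, and 'Elasticsearch'/'Microsoft' as expected signer names.
$exe = 'C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe'

# 1. Check the Authenticode signature of the binary itself.
$sig = Get-AuthenticodeSignature -FilePath $exe
"Signature status : $($sig.Status)"
"Signer           : $($sig.SignerCertificate.Subject)"
if ($sig.Status -ne 'Valid') { "Status message   : $($sig.StatusMessage)" }

# 2. Run the binary directly; this reproduces the failure without the service.
& $exe version
"Exit code        : $LASTEXITCODE"

# 3. Pull the last day of CodeIntegrity operational events that name the endpoint.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
  Where-Object { $_.Message -match 'elastic-endpoint' } |
  Select-Object TimeCreated, Id, LevelDisplayName, Message |
  Format-List

# 4. If the process is alive, list loaded modules whose signature is not valid
#    or whose signer is unexpected; these point at DLL injection or API hooking
#    by another security product (assumed signer names, adjust as needed).
Get-Process -Name elastic-endpoint -ErrorAction SilentlyContinue |
  ForEach-Object { $_.Modules } |
  ForEach-Object {
    $m = Get-AuthenticodeSignature -FilePath $_.FileName -ErrorAction SilentlyContinue
    [pscustomobject]@{
      Module = $_.FileName
      Status = $m.Status
      Signer = $m.SignerCertificate.Subject
    }
  } |
  Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notmatch 'Elasticsearch|Microsoft' } |
  Format-Table -AutoSize
```

Step 4 only produces output while the process is running, so use it on a host where the service starts but misbehaves; on a host where the binary fails to launch, steps 1 to 3 are the useful ones.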

@Global_Helpdesk I remembered an additional issue that did affect 8.4.2: [BUG] 8.4 and 7.17.5/7.17.6 Windows Endpoints may wind up in a non-running state · Issue #29 · elastic/endpoint (github.com)

The issue was fixed in 8.4.3. What you describe with the issue happening following a reboot makes me suspect this is the cause.
