Elastic Endpoint Security Degraded

Hi all,

I'm having an issue with the Endpoint Security integration on my Windows devices.
The agent status is showing up as "Unhealthy" and the status command on the endpoint gives the following result:

Message: (no message)
  * endpoint-security      (DEGRADED)
                           Protecting with policy {9e54f69b-fdcd-466a-8eae-0bbd027cabdc}

Under the menu Security -> Endpoints all the unhealthy agents show up with Failure in the policy status field.
In the details I see the following failures.

Malicious Behavior:
  Download User Artifact:
    Artifact endpoint-trustlist-windows-v1 is unavailable
  Download User Artifact:
    Artifact endpoint-trustlist-windows-v1 is unavailable
  Configure Malware:
    Failed to enable malware detection/prevention
  Load Malware Model:
    User exceptionlist not found; missing or invalid malware artifacts
  Download User Artifact:
    Artifact endpoint-trustlist-windows-v1 is unavailable
  Download User Artifact:
    Artifact endpoint-trustlist-windows-v1 is unavailable
Memory Threat:
  Configure Memory Threat:
    User exceptionlist not found
  User Artifact:
    Artifact endpoint-trustlist-windows-v1 is unavailable

Many errors point to an issue with the "endpoint-trustlist-windows-v1" not being available. I tried to solve this problem by applying the fix from this similar issue. Unfortunately this did not work.

What else could I try to fix the issue?

Hi @jobr97 thanks for checking out Endpoint Security.

It might be that your problem is Endpoint is not able to connect to Fleet Server to download those artifacts. To dig into this and see if that's the case can you change the log level for an affected host to Debug (select the affected Agent in Fleet then go to the Logs tab for the Agent overview and you'll see "Agent logging level" at the bottom of the page).

After setting the log level to Debug, make some change to the Endpoint policy or even just click save for the Policy so it is reapplied. This is to make sure that the log level is set to Debug before the logs we're looking for are generated.

Once that's done, please check Endpoint's logs (c:\Program Files\Elastic\Endpoint\state\log\, also viewable in Kibana/Elasticsearch) and search for the string "Establishing GET connection". There will be some unrelated instances of that string, but you should also see a URL with the string "endpoint-trustlist-windows-v1" in it, like this:

Establishing GET connection to [https://REDACTED:443/api/fleet/artifacts/endpoint-trustlist-windows-v1/954ccf50e6f932196b80c98277d4f4d9ac89974ff1a96d4ad641e5d4a0f135f9]

Near that message other logs should give insight into how the HTTPS session was set up and how it failed. If they don't point you to the problem can you just share them here (redacted as appropriate) and I can help check them out.
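To make the log search described above repeatable across many hosts, here is an added example (not code from the thread or from Elastic) that scans exported Endpoint debug logs, finds each "Establishing GET connection" line that targets a Fleet artifact URL, and attributes the error or warning lines that follow it (up to the next request) to that artifact. The log line layout, the fleet.example hostname and the artifact hashes are constructed for the example; adjust the regexes to the real log format you see on the host.

```python
import re
from typing import Dict, List

# Constructed sample log lines; the layout is an assumption, not the real
# Elastic Endpoint log format. The hostname and hashes are placeholders.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z DEBUG Establishing GET connection to [https://fleet.example:443/api/fleet/artifacts/endpoint-exceptionlist-windows-v1/aaaa]
2024-01-01T10:00:01Z DEBUG TLS handshake complete
2024-01-01T10:00:02Z DEBUG Establishing GET connection to [https://fleet.example:443/api/fleet/artifacts/endpoint-trustlist-windows-v1/bbbb]
2024-01-01T10:00:03Z ERROR TLS handshake failed: certificate verify failed
2024-01-01T10:00:04Z WARN  Artifact endpoint-trustlist-windows-v1 is unavailable
2024-01-01T10:00:05Z DEBUG Establishing GET connection to [https://fleet.example:443/api/fleet/checkin]
"""

# Matches the artifact download URL quoted in the thread: .../api/fleet/artifacts/<name>/<sha>
ARTIFACT_RE = re.compile(
    r"Establishing GET connection to \["
    r"(?P<url>https?://[^\]]+/api/fleet/artifacts/(?P<name>[^/]+)/(?P<sha>[0-9a-f]+))\]"
)
# Lines worth surfacing as the reason a fetch failed
PROBLEM_RE = re.compile(r"\b(ERROR|WARN|failed|unavailable)\b", re.I)


def artifact_fetch_report(log_text: str, context: int = 5) -> Dict[str, List[str]]:
    """Map each artifact name to the problem lines logged right after its fetch.

    Only lines up to the next 'Establishing GET connection' (or `context`
    lines, whichever comes first) are attributed to a given fetch, so an
    error is never blamed on an earlier, unrelated request.
    """
    lines = log_text.splitlines()
    report: Dict[str, List[str]] = {}
    for i, line in enumerate(lines):
        match = ARTIFACT_RE.search(line)
        if not match:
            continue
        problems = []
        for following in lines[i + 1:i + 1 + context]:
            if "Establishing GET connection" in following:
                break  # next request starts; stop attributing lines to this one
            if PROBLEM_RE.search(following):
                problems.append(following.strip())
        report.setdefault(match.group("name"), []).extend(problems)
    return report


if __name__ == "__main__":
    for name, problems in artifact_fetch_report(SAMPLE_LOG).items():
        print(f"{name}: {'OK' if not problems else 'FAILED'}")
        for problem in problems:
            print(f"    {problem}")
```

An artifact with an empty list downloaded without a logged error; an artifact with entries shows the TLS or HTTP lines to look at first.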

Hi @ferullo

Thanks for the quick answer. I followed the steps you suggested.

I changed the log level of my agent to "Debug" and then edited the EDR integration.
Suddenly everything seemed to work and all my agents are now healthy. It seems strange because during my troubleshooting (before asking the question here) I removed and then recreated the integration multiple times.

I'm glad it's working!
