I'm having an issue with the Endpoint Security integration on my Windows devices.
The agent status is showing up as "Unhealthy" and the status command on the endpoint gives the following result:
Status: DEGRADED
Message: (no message)
Applications:
* endpoint-security (DEGRADED)
Protecting with policy {9e54f69b-fdcd-466a-8eae-0bbd027cabdc}
Under the menu Security -> Endpoints all the unhealthy agents show up with Failure in the policy status field.
In the details I see the following failures.
Malicious Behavior:
Download User Artifact:
Artifact endpoint-trustlist-windows-v1 is unavailable
Malware:
Download User Artifact:
Artifact endpoint-trustlist-windows-v1 is unavailable
Configure Malware:
Failed to enable malware detection/prevention
Load Malware Model:
User exceptionlist not found; missing or invalid malware artifacts
Events:
Download User Artifact:
Artifact endpoint-trustlist-windows-v1 is unavailable
Ransomware:
Download User Artifact:
Artifact endpoint-trustlist-windows-v1 is unavailable
Memory Threat:
Configure Memory Threat
User exceptionlist not found
User Artifact:
Artifact endpoint-trustlist-windows-v1 is unavailable
Many errors point to an issue with the "endpoint-trustlist-windows-v1" not being available. I tried to solve this problem by applying the fix from this similar issue. Unfortunately this did not work.
Hi @jobr97 thanks for checking out Endpoint Security.
It might be that your problem is Endpoint is not able to connect to Fleet Server to download those artifacts. To dig into this and see if that's the case can you change the log level for an affected host to Debug (select the affected Agent in Fleet then go to the Logs tab for the Agent overview and you'll see "Agent logging level" at the bottom of the page).
After setting the log level to Debug make some change to the Endpoint policy or even just click save for the Policy so it is reapplied. This is to make sure that the log level is set to Debug before the logs we're looking for are generated.
Once that's done, please check Endpoint's logs (c:\Program Files\Elastic\Endpoint\state\log\, also viewable in Kibana/Elasticsearch) and search for the string "Establishing GET connection". There will be some unrelated instances of that string but you should also see a URL with the string "endpoint-trustlist-windows-v1" in it like this:
Establishing GET connection to [https://REDACTED:443/api/fleet/artifacts/endpoint-trustlist-windows-v1/954ccf50e6f932196b80c98277d4f4d9ac89974ff1a96d4ad641e5d4a0f135f9]
Near that message other logs should give insight into how the HTTPS session was set up and how it failed. If they don't point you to the problem can you just share them here (redacted as appropriate) and I can help check them out.
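The triage described in the reply above (find the "Establishing GET connection" line for the trustlist artifact, read the lines that follow it, and redact the host before sharing) can be scripted. The following is an added example, not code from Elastic or from anyone in this thread: it assumes a simple "timestamp LEVEL message" line layout, which real Endpoint logs may not use, so the regexes are marked as assumptions. The log lines, the Fleet Server host fleet.example.internal and the artifact hash are constructed.

```python
"""Triage Elastic Endpoint debug logs for a failed artifact download.

Added example for the troubleshooting steps in the reply above; it is not part
of Elastic Endpoint. The line layout is an assumption: adjust LINE_RE to match
what your own logs look like.
"""
import re

ARTIFACT = "endpoint-trustlist-windows-v1"

# Assumed layout: "<timestamp> <LEVEL> <message>" (not verified against real logs).
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<level>[A-Z]+)\s+(?P<msg>.*)$")
GET_RE = re.compile(r"Establishing GET connection to \[(?P<url>[^\]]+)\]")
HOST_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?")

# Substring (lower-case) -> likely failure class; first match in the context wins.
INDICATORS = [
    ("certificate", "tls_trust"),
    ("handshake failed", "tls_trust"),
    ("timed out", "network"),
    ("timeout", "network"),
    ("refused", "network"),
    ("proxy", "proxy"),
    (" 401", "auth"),
    (" 403", "auth"),
    (" 404", "artifact_missing_on_server"),
]

# Constructed sample: a download that fails because the Fleet Server certificate
# is not trusted by the endpoint, followed by an unrelated check-in request.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z DEBUG Establishing GET connection to [https://fleet.example.internal:443/api/fleet/artifacts/endpoint-trustlist-windows-v1/0000constructedhash0000]
2024-01-01T10:00:00Z DEBUG Resolving fleet.example.internal
2024-01-01T10:00:01Z DEBUG TLS handshake with fleet.example.internal:443
2024-01-01T10:00:01Z ERROR certificate verify failed: unable to get local issuer certificate
2024-01-01T10:00:01Z WARN Artifact endpoint-trustlist-windows-v1 is unavailable
2024-01-01T10:00:05Z DEBUG Establishing GET connection to [https://fleet.example.internal:443/api/fleet/agents/checkin]
2024-01-01T10:00:05Z DEBUG checkin ok
"""

# Constructed sample of a healthy download, for comparison.
SAMPLE_OK = """\
2024-01-01T11:00:00Z DEBUG Establishing GET connection to [https://fleet.example.internal:443/api/fleet/artifacts/endpoint-trustlist-windows-v1/0000constructedhash0000]
2024-01-01T11:00:00Z DEBUG HTTP 200 received, 1532 bytes
2024-01-01T11:00:00Z DEBUG Artifact endpoint-trustlist-windows-v1 stored
"""


def parse(text):
    """Split raw log text into numbered rows; lines not matching LINE_RE are skipped."""
    rows = []
    for n, raw in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(raw)
        if m:
            rows.append({"n": n, "level": m.group("level"), "msg": m.group("msg")})
    return rows


def classify(context_rows):
    """Guess why a download failed from the rows that follow the GET line."""
    for r in context_rows:
        text = r["msg"].lower()
        for needle, label in INDICATORS:
            if needle in text:
                return label
    if any("unavailable" in r["msg"].lower() for r in context_rows):
        return "unknown_failure"
    return "no_failure_seen"


def find_artifact_downloads(text, artifact=ARTIFACT, window=5):
    """Return one record per GET attempt for `artifact`, with its follow-up lines."""
    rows = parse(text)
    results = []
    for i, row in enumerate(rows):
        g = GET_RE.search(row["msg"])
        if not g or artifact not in g.group("url"):
            continue
        host = HOST_RE.match(g.group("url"))
        context = []
        for later in rows[i + 1 : i + 1 + window]:
            if GET_RE.search(later["msg"]):  # next request: stop, it is unrelated
                break
            context.append(later)
        results.append({
            "line": row["n"],
            "host": host.group("host") if host else None,
            "context": [f'{r["level"]} {r["msg"]}' for r in context],
            "cause": classify(context),
        })
    return results


def redact(line, hosts):
    """Replace known Fleet Server hostnames before pasting logs into a public thread."""
    for h in hosts:
        line = line.replace(h, "REDACTED")
    return line


if __name__ == "__main__":
    for rec in find_artifact_downloads(SAMPLE_LOG):
        print(f"line {rec['line']}: cause={rec['cause']}")
        for ctx in rec["context"]:
            print("   ", redact(ctx, [rec["host"]]))
```

Run it against a copy of the Endpoint log file instead of SAMPLE_LOG to get the GET attempt for the trustlist artifact, the lines that follow it, and a first guess at the cause (TLS trust, network, proxy, auth, or the artifact missing on the server); a "no_failure_seen" result for every attempt means the download itself succeeded and the problem lies elsewhere.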
Thanks for the quick answer. I followed the steps you suggested.
I changed the log level of my agent to "Debug" and then edited the EDR integration.
Suddenly everything seemed to work and all my agents are now healthy. It seems strange because during my troubleshooting (before asking the question here) I removed and then recreated the integration multiple times.