Endpoint Security degraded / Unhealthy status

I have the same issue as described in this topic:

And in the endpoint logfile:

{"@timestamp":"2022-04-22T09:31:25.117229549Z","agent":{"id":"3b2a53b3-f192-49eb-adcc-ea5b040d5986","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":384,"name":"Response.cpp"}}},"message":"Response.cpp:384 Policy action load_diagnostic_malware_model: success - Successfully loaded malware model","process":{"pid":879,"thread":{"id":40178}}}
{"@timestamp":"2022-04-22T09:31:25.118852828Z","agent":{"id":"3b2a53b3-f192-49eb-adcc-ea5b040d5986","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":139,"name":"WriteSuppressionCache.cpp"}}},"message":"WriteSuppressionCache.cpp:139 Clearing the write suppression cache","process":{"pid":879,"thread":{"id":40178}}}
{"@timestamp":"2022-04-22T09:31:25.140848669Z","agent":{"id":"3b2a53b3-f192-49eb-adcc-ea5b040d5986","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"warning","origin":{"file":{"line":143,"name":"YaraLib.cpp"}}},"message":"YaraLib.cpp:143 Rules identifier [filescore-diagnostic] already found, removing it","process":{"pid":879,"thread":{"id":40178}}}
{"@timestamp":"2022-04-22T09:31:25.148289239Z","agent":{"id":"3b2a53b3-f192-49eb-adcc-ea5b040d5986","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":384,"name":"Response.cpp"}}},"message":"Response.cpp:384 Policy action load_diagnostic_malware_model: success - Successfully loaded malware model","process":{"pid":879,"thread":{"id":40178}}}
{"@timestamp":"2022-04-22T09:31:25.16929234Z","agent":{"id":"3b2a53b3-f192-49eb-adcc-ea5b040d5986","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"warning","origin":{"file":{"line":143,"name":"YaraLib.cpp"}}},"message":"YaraLib.cpp:143 Rules identifier [filescore-production] already found, removing it","process":{"pid":879,"thread":{"id":40178}}}
{"@timestamp":"2022-04-22T09:31:25.176142715Z","agent":{"id":"3b2a53b3-f192-49eb-adcc-ea5b040d5986","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":384,"name":"Response.cpp"}}},"message":"Response.cpp:384 Policy action load_malware_model: success - Successfully loaded malware model","process":{"pid":879,"thread":{"id":40178}}}
{"@timestamp":"2022-04-22T09:31:25.176257034Z","agent":{"id":"3b2a53b3-f192-49eb-adcc-ea5b040d5986","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":384,"name":"Response.cpp"}}},"message":"Response.cpp:384 Policy action load_diagnostic_malware_model: failure - Disabled due to potential system deadlock","process":{"pid":879,"thread":{"id":40178}}}
{"@timestamp":"2022-04-22T09:31:25.176287382Z","agent":{"id":"3b2a53b3-f192-49eb-adcc-ea5b040d5986","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":384,"name":"Response.cpp"}}},"message":"Response.cpp:384 Policy action load_malware_model: failure - Disabled due to potential system deadlock","process":{"pid":879,"thread":{"id":40178}}}
{"@timestamp":"2022-04-22T09:31:25.176324741Z","agent":{"id":"3b2a53b3-f192-49eb-adcc-ea5b040d5986","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":384,"name":"Response.cpp"}}},"message":"Response.cpp:384 Policy action configure_malware: failure - Failed to enable malware detection/prevention","process":{"pid":879,"thread":{"id":40178}}}
{"@timestamp":"2022-04-22T09:31:25.176399437Z","agent":{"id":"3b2a53b3-f192-49eb-adcc-ea5b040d5986","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":384,"name":"Response.cpp"}}},"message":"Response.cpp:384 Policy action configure_diagnostic_malware: failure - Failed to enable malware detection/prevention","process":{"pid":879,"thread":{"id":40178}}}
{"@timestamp":"2022-04-22T09:31:25.176434429Z","agent":{"id":"3b2a53b3-f192-49eb-adcc-ea5b040d5986","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":1704,"name":"Config.cpp"}}},"message":"Config.cpp:1704 Configuring qa","process":{"pid":879,"thread":{"id":40178}}}

The policy actions load_diagnostic_malware_model and load_malware_model are loaded multiple times, first with success and then with a failure.

OS Agent: Rocky Linux 8
Elastic version: 7.17.2

I have already re-assigned the policy and reinstalled the Elastic Agents, but after some time the agents get the "Unhealthy" status.
This happens with multiple Linux agents. All Rocky Linux.
Logging with debug level gives no more information about this issue.

How can this be fixed?
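As an added illustration (not part of this post and not Elastic's own tooling), a small Python script that parses endpoint log lines in the JSON format shown above and reports which policy actions ended in failure, and which went from success to failure within the same log, which is the pattern described in the post. The sample lines are copied from the log excerpt above; the way the "Policy action <name>: <status> - <detail>" message text is split is an assumption based on the format visible there.

```python
import json
from collections import OrderedDict

# Sample Elastic Endpoint log lines, copied from the excerpt in the post above
# (agent id, timestamps and messages exactly as they appear there).
SAMPLE_LOG = r"""
{"@timestamp":"2022-04-22T09:31:25.148289239Z","agent":{"id":"3b2a53b3-f192-49eb-adcc-ea5b040d5986","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":384,"name":"Response.cpp"}}},"message":"Response.cpp:384 Policy action load_diagnostic_malware_model: success - Successfully loaded malware model","process":{"pid":879,"thread":{"id":40178}}}
{"@timestamp":"2022-04-22T09:31:25.176142715Z","agent":{"id":"3b2a53b3-f192-49eb-adcc-ea5b040d5986","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":384,"name":"Response.cpp"}}},"message":"Response.cpp:384 Policy action load_malware_model: success - Successfully loaded malware model","process":{"pid":879,"thread":{"id":40178}}}
{"@timestamp":"2022-04-22T09:31:25.176257034Z","agent":{"id":"3b2a53b3-f192-49eb-adcc-ea5b040d5986","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":384,"name":"Response.cpp"}}},"message":"Response.cpp:384 Policy action load_diagnostic_malware_model: failure - Disabled due to potential system deadlock","process":{"pid":879,"thread":{"id":40178}}}
{"@timestamp":"2022-04-22T09:31:25.176287382Z","agent":{"id":"3b2a53b3-f192-49eb-adcc-ea5b040d5986","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":384,"name":"Response.cpp"}}},"message":"Response.cpp:384 Policy action load_malware_model: failure - Disabled due to potential system deadlock","process":{"pid":879,"thread":{"id":40178}}}
{"@timestamp":"2022-04-22T09:31:25.176324741Z","agent":{"id":"3b2a53b3-f192-49eb-adcc-ea5b040d5986","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":384,"name":"Response.cpp"}}},"message":"Response.cpp:384 Policy action configure_malware: failure - Failed to enable malware detection/prevention","process":{"pid":879,"thread":{"id":40178}}}
{"@timestamp":"2022-04-22T09:31:25.176399437Z","agent":{"id":"3b2a53b3-f192-49eb-adcc-ea5b040d5986","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":384,"name":"Response.cpp"}}},"message":"Response.cpp:384 Policy action configure_diagnostic_malware: failure - Failed to enable malware detection/prevention","process":{"pid":879,"thread":{"id":40178}}}
{"@timestamp":"2022-04-22T09:31:25.176434429Z","agent":{"id":"3b2a53b3-f192-49eb-adcc-ea5b040d5986","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":1704,"name":"Config.cpp"}}},"message":"Config.cpp:1704 Configuring qa","process":{"pid":879,"thread":{"id":40178}}}
"""

# Assumed message layout: "<file>:<line> Policy action <name>: <success|failure> - <detail>"
POLICY_PREFIX = "Policy action "


def parse_policy_actions(text):
    """Yield (timestamp, action, status, detail) for every 'Policy action' message.

    Non-JSON lines and JSON lines without a policy action message are skipped.
    """
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue
        msg = entry.get("message", "")
        idx = msg.find(POLICY_PREFIX)
        if idx < 0:
            continue
        rest = msg[idx + len(POLICY_PREFIX):]
        action, _, outcome = rest.partition(": ")
        status, _, detail = outcome.partition(" - ")
        yield entry.get("@timestamp", ""), action, status, detail


def last_status_per_action(text):
    """Final outcome of each policy action, keyed by action name.

    Each value is (status, detail, timestamp) from the last line that mentioned the action.
    """
    final = OrderedDict()
    for ts, action, status, detail in parse_policy_actions(text):
        final.pop(action, None)  # re-insert so ordering reflects last occurrence
        final[action] = (status, detail, ts)
    return final


def failed_actions(text):
    """Map of action name -> failure detail for actions whose last outcome was 'failure'."""
    return {a: d for a, (s, d, _) in last_status_per_action(text).items() if s == "failure"}


def success_then_failure(text):
    """Actions reported as success and later as failure in the same log (the pattern in the post)."""
    seen_success = set()
    flips = []
    for _, action, status, detail in parse_policy_actions(text):
        if status == "success":
            seen_success.add(action)
        elif status == "failure" and action in seen_success:
            flips.append((action, detail))
    return flips


if __name__ == "__main__":
    for action, detail in failed_actions(SAMPLE_LOG).items():
        print(f"FAILED  {action}: {detail}")
    for action, detail in success_then_failure(SAMPLE_LOG):
        print(f"FLIPPED {action}: success -> failure ({detail})")
```

Run it against a real endpoint log by replacing SAMPLE_LOG with the file contents (for example `open("/opt/Elastic/Endpoint/state/log/endpoint-000000.log").read()`; that path is an assumption, check where your install writes its log). Because only the last outcome per action counts, a single "success" followed by a later "failure" is reported as a failure, which is the condition that leaves the integration in the Unhealthy state described above.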

I see you mentioned Sophos, and its Elastic integration. My surface understanding is that the Sophos Elastic integration is for shipping Sophos logs to Elasticsearch. I wonder if Sophos protections are still enabled despite the integration being removed.

If so, we could attempt disabling Sophos and see if Elastic Endpoint returns to a healthy status after a restart. If it does, that would imply there are protection conflicts between the two products.

The solution in that case would be to add Elastic Endpoint as a trusted application to Sophos and vice-versa.

Hi Nick, thanks for responding.
The Sophos integration is enabled in the example ticket with the same malware problem. My situation is similar in that it has exactly the same error messages as in this ticket, but without an active Sophos integration. The active integrations in my policy are: Auditd, OSQuery Manager, System and Endpoint Security. Malware protection is enabled in Endpoint Security, with Protection Level set to Prevent.
Hopefully this helps. Thanks

Ah, my misunderstanding.

If you are willing, I can provide a link in a private message to upload endpoint logs.

That would be nice

I have sent the first logfile with this error message to you.
