Unable to run endpoint-security through Elastic Agent

Using the endpoint-security-7.9.0-SNAPSHOT based on commit hash e221c95cd0b0e72d5d153fac57e86feec12db408.

OS: Windows 10 Enterprise
Version: 2004
Build: 19041.388
Kernel: 10.0.19041.388 (WinBuild.160101.0800)

Error in Elastic Agent:

Failed to dispatch action 'action_id: 659a705e-5c8d-4bfc-8399-447b1a6453d2, type: CONFIG_CHANGE', error: operator: failed to execute step sc-run, error: operation 'Exec' failed: : operation 'Exec' failed: 

Encountered the following error if running .\endpoint-security.exe verify in PowerShell:

Program 'endpoint-security.exe' failed to run: Windows cannot verify the digital signature for this file. A recent
hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be
malicious software from an unknown sourceAt line:1 char:1
+ .\endpoint-security.exe verify
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.
At line:1 char:1
+ .\endpoint-security.exe verify
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (:) [], ApplicationFailedException
    + FullyQualifiedErrorId : NativeCommandFailed

Good Morning, thanks for checking out endpoint-security. Currently the endpoint binary is only test signed in the snapshot builds. In order for it to run, test signing will have to be enabled on the machine you're attempting to run it on.

Instructions for how to do so are here (The page is talking about test signed drivers, but it applies to user-mode applications with Code Integrity set as well): https://docs.microsoft.com/en-us/windows-hardware/drivers/install/the-testsigning-boot-configuration-option

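An added diagnostic (not part of the original thread, and not Elastic's code) for the symptom above: it reports the Authenticode status of the snapshot binary and whether TESTSIGNING is set in the current boot entry, so you can tell a missing setting apart from one that is set but not yet active. It assumes the binary is in the current directory and that you run it from an elevated PowerShell, since bcdedit needs administrator rights.

```powershell
# Added example: diagnose "Windows cannot verify the digital signature" for a
# test-signed endpoint-security snapshot. Assumed path below; adjust as needed.
param(
    [string]$Path = '.\endpoint-security.exe'
)

# 1. Authenticode check. A test-signed file typically fails with a status other
#    than 'Valid' because the test root is not trusted by this machine.
$sig = Get-AuthenticodeSignature -FilePath $Path
"Signature status : $($sig.Status) - $($sig.StatusMessage)"
if ($sig.SignerCertificate) {
    "Signer           : $($sig.SignerCertificate.Subject)"
    "Issuer           : $($sig.SignerCertificate.Issuer)"
}

# 2. BCD check. bcdedit prints 'testsigning             Yes' for the current
#    boot entry when test signing is enabled; the line is absent or 'No' otherwise.
#    TESTSIGNING weakens code integrity, so it belongs on test machines only.
$bcd = bcdedit /enum '{current}' 2>&1
if ($LASTEXITCODE -ne 0) {
    "bcdedit failed (run from an elevated prompt): $bcd"
    return
}
$testSigning = [bool]($bcd | Select-String -Pattern '^testsigning\s+Yes' -Quiet)
"TESTSIGNING      : $(if ($testSigning) { 'enabled in BCD store' } else { 'disabled' })"

# 3. Interpretation, mirroring the thread: the setting is read at boot, so a
#    store that says 'Yes' while the binary still fails means no reboot yet.
if ($sig.Status -ne 'Valid') {
    if (-not $testSigning) {
        "Binary is not trusted here. Enable test signing:  bcdedit /set testsigning on   then reboot."
    } else {
        "Test signing is set but not yet in effect; reboot and re-run '$Path verify'."
    }
} else {
    "Signature is trusted; the load failure has another cause."
}
```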

Thank you @NickFritts. However, I am still receiving the same error even after the testsigning option was enabled.

Update: looks like a reboot was required. It looks fine after rebooting.

To be able to access the Endpoint UI in SIEM, I believe I will need an Enterprise license? I can see the data in ES, but not the UI in Kibana.


@hendry.lim - thanks for trying out Elastic Endpoint Security!

The endpoint security capabilities available in 7.9 are in the Basic licensing tier. You should see these under the Security app (previously, the SIEM app) in the Kibana UI. Can you verify which version of Kibana you are using? (If you're not using the 7.9.0 snapshot of Kibana, you will not see the Security app in the UI.)

@caitlinbetz, yup, I am running the latest 7.9.0-SNAPSHOT.

I just found out (silly me) that the events have to be endpoint generated events for the button to be enabled.

Will the license be changed to Enterprise in 7.10?
We will need to know this so we will be able to advise our customers accordingly.

I can see that this is a "read only view", so I guess the full version of this will require Enterprise license.

I just found out (silly me) that the events have to be endpoint generated events for the button to be enabled.

Which button are you referencing?

Regarding licensing, the capabilities available today will remain in Basic in 7.10. Future releases may have capabilities that will only be available in Gold+ tiers.

@hendry.lim I'm glad the test signing option worked out. You had me slightly panicking until I saw your update.

It's the Analyze event hexagon-shaped icon on the Hosts events tab.

Thank you for sharing the licensing details for Endpoint.

So I guess with that, we can close this thread. Thank you @caitlinbetz and @NickFritts for both your help.

Glad we were able to help @hendry.lim

If you're interested/able to provide feedback on your experience, we'd love to know -

  1. What made you want to try Elastic Endpoint?
  2. How did you find the deployment experience?

Thanks!

  1. This is the first time that the Elastic Endpoint will be released under Basic, so this is my first chance to explore it. We have a Platinum Trial license, but this was only available under the Enterprise license, hence the question regarding the licensing.
    In fact, I have been exploring and testing out different aspects of the 7.9.0-SNAPSHOT releases and reporting issues/bugs that I found to GitHub directly.
    In addition, one of our Elastic customers is planning to do a pilot deployment of Elastic Agent when 7.9.0 is released, hence it is my responsibility to advise them on the gotchas/limitations of this first beta release.

  2. Deployment was easy with the Elastic Agent, but I have never tried to deploy a standalone endpoint-security agent. However, in this version, there is not much configuration that can be done on the endpoint-security agent.

Just a little bit of background info, the company I am working with is an Elastic focus partner in SG. Our partner manager is Anthony Jose.

Looks like I found an issue with the Resolver UI: it does not support CCS yet.

Raised #74330.

Thank you so much for filing that issue, @hendry.lim!
