Known Break Fix Issues and Workarounds in RSA NetWitness Endpoint 4.3.0.4

Article Number

000001550

Applies To

RSA Product Set: NetWitness Endpoint (formerly ECAT)
RSA Product/Service Type: NetWitness Endpoint (formerly ECAT)
RSA Version/Condition: 4.1.2, 4.3.0.2, 4.3.0.3, 4.3.0.4
Platform: Windows

Issue

Several known issues in 4.3.0.3 have workarounds. These issues are listed below:
  1. Column filters are not working in the Machines and Modules views for non-enumerated types. This applies to releases 4.3.0.2, 4.3.0.3, and 4.3.0.4.
  2. The advanced filter editing tool is not working properly in the Machines view for releases 4.3.0.2, 4.3.0.3, and 4.3.0.4
  3. If a NetWitness Endpoint 4.3.0.x user has subscribed to all RSA Live feeds, when that user upgrades to version 4.3.0.4, all the subscribed feeds get cleared.
  4. RSA NetWitness Endpoint 4.1.2.0 may fail to download the KernelData.csv file from the liveecat.rsa.com site, even though the ECAT Server is able to access the internet. The reason for this is that RSA NetWitness Endpoint 4.1.2.0 uses .NET 4.5, which by default does not support TLS 1.1+. (Beginning with release 4.2.0.0, RSA NetWitness Endpoint uses .NET 4.6, which does support TLS 1.1+.) More information may be found here: https://blogs.msdn.microsoft.com/dotnet/2016/08/02/announcing-net-framework-4-6-2/
  5. If you decommission a server with an agent under containment, the agent will be moved to the Primary server. However, after this point, the agent will be self-contained, because it does not have the Primary server IP in the exclusion list.
  6. Mac IIOC alertable values set to False after upgrading ConsoleServer from pre-4.3 to 4.3.0.0.
  7. Updating of agents while in Roaming Agents Relay (RAR) mode is not supported.
  8. The Delete from Quarantine function was not working correctly and was removed from the RSA NetWitness Endpoint UI.

Cause

List of Known Causes
  1. There is a limitation on the DevExpress side: column filters are not supported for custom objects in this async grid type.
  2. There is a limitation on the DevExpress side: column filters are not supported for custom objects in this async grid type.
  3. Cause is still unknown.
  4. .NET 4.5 does not support TLS 1.1+ by default.
  5. When an agent is contained and decommissioned without removing containment, the containment status remains on the agent.
  6. During upgrade, IIOCs for Mac are reset, except the default 3 values that are set to True on each upgrade.
  7. This has to do with the way the database and UI handle upgrade requests on the RAR server; incorrect behavior occurs, such as version updates without the agent actually updating.
  8. No workaround exists at this time

Resolution

Below is a list of steps for resolving the 8 Known Issues:
  1. Column filters are not working in the Machines and Modules views for non-enumerated types. This applies to releases 4.3.0.2, 4.3.0.3, and 4.3.0.4.
    1. If a search returns an empty table, then that column is affected. It is possible to combine column filters with a box search (Ctrl + F) to model the desired search.
  2. The advanced filter editing tool is not working properly in the Machines view for releases 4.3.0.2, 4.3.0.3, and 4.3.0.4
    1. Use column filters in combination with the box search (Ctrl + F) instead.
  3. If a NetWitness Endpoint 4.3.0.x user has subscribed to all RSA Live feeds, when that user upgrades to version 4.3.0.4, all the subscribed feeds get cleared.
    1. After upgrading the NetWitness Endpoint ConsoleServer to version 4.3.0.4, in the NetWitness Endpoint UI, navigate to Configure > External Components Configuration. On the External Components Configuration dialog, select to edit the RSA Live configuration. On the RSA Live dialog, click Select All and then click Save.
  4. RSA NetWitness Endpoint 4.1.2.0 may fail to download the KernelData.csv file from the liveecat.rsa.com site, even though the ECAT Server is able to access the internet. The reason for this is that RSA NetWitness Endpoint 4.1.2.0 uses .NET 4.5, which by default does not support TLS 1.1+. (Beginning with release 4.2.0.0, RSA NetWitness Endpoint uses .NET 4.6, which does support TLS 1.1+.) More information may be found here: https://blogs.msdn.microsoft.com/dotnet/2016/08/02/announcing-net-framework-4-6-2/
    1. You can enable TLS 1.1+ in .NET 4.5 via registry key by setting the SchUseStrongCrypto value as described here: https://technet.microsoft.com/en-us/library/mt791311(v=office.16).aspx
  5. If you decommission a secondary server with an agent under containment, the agent will be moved to the Primary server. However, after this point, the agent will be self-contained, because it does not have the Primary server IP in the exclusion list.
    1. You must manually reinstall a new agent on the machine.
  6. Mac IIOC alertable values set to False after upgrading ConsoleServer from pre-4.3 to 4.3.0.0.
    1. Manually change Mac IIOC alertable values in the InstantIIOC's tab to True after updating to 4.3.0.0.
  7. Updating of agents while in Roaming Agents Relay (RAR) mode is not supported.
    1. Update the agent only when it is communicating directly with the ConsoleServer.
  8. The Delete from Quarantine function was not working correctly and was removed from the RSA NetWitness Endpoint UI.
    1. Do not use any quarantine features.
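
For item 4 above, an added PowerShell example (not part of the original article or of RSA's tooling) that reports and, with -Apply, sets the SchUseStrongCrypto value. It assumes the standard .NET Framework 4.x registry location (v4.0.30319, in both the 64-bit and WOW6432Node views); the function name Test-DotNetStrongCrypto is hypothetical.

```powershell
# Added example: audit and optionally set SchUseStrongCrypto for .NET Framework 4.x.
# Assumption: the ECAT Server runs on the CLR 4 runtime, whose settings live under
# the v4.0.30319 key. Both the 64-bit and 32-bit (WOW6432Node) views are covered
# because the bitness of the process decides which one is read.
function Test-DotNetStrongCrypto {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [switch]$Apply   # without -Apply the function only reports
    )

    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
    )

    foreach ($path in $paths) {
        if (-not (Test-Path -Path $path)) {
            [pscustomobject]@{ Path = $path; Before = 'key missing'; After = 'key missing' }
            continue
        }

        # Read the current value; $null means the value has never been created.
        $item = Get-ItemProperty -Path $path -Name 'SchUseStrongCrypto' -ErrorAction SilentlyContinue
        $before = if ($null -ne $item) { $item.SchUseStrongCrypto } else { 'not set' }
        $after = $before

        if ($Apply -and $before -ne 1 -and $PSCmdlet.ShouldProcess($path, 'Set SchUseStrongCrypto = 1')) {
            New-ItemProperty -Path $path -Name 'SchUseStrongCrypto' -Value 1 -PropertyType DWord -Force | Out-Null
            # Read the value back so the report reflects what is actually stored.
            $after = (Get-ItemProperty -Path $path -Name 'SchUseStrongCrypto').SchUseStrongCrypto
        }

        [pscustomobject]@{ Path = $path; Before = $before; After = $after }
    }
}

Test-DotNetStrongCrypto            # report only
# Test-DotNetStrongCrypto -Apply   # run elevated to write the value
```

The setting is read when a .NET process starts, so restart the process that performs the download after changing it. Use -WhatIf together with -Apply to preview the write.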

Notes

See the RSA NetWitness Endpoint 4.3.0.4 Release Notes for additional details.
Version history
Last update: 2022-02-10 01:39 PM
Updated by: nwinfotech (Administrator)
