The NetWitness UI, Investigate > Files shows some negative value in the "On Hosts" field.
It does not make sense to show a file on a negative number of hosts.
There are three situations in which the Files "On Host" count can decrement:
- An Endpoint agent migrating across multiple Endpoint servers.
- Files being deleted on an Endpoint Agent machine.
- Data deletion performed by the data retention cleanup job.
Wait for the Files entries with a negative "On Host" count to be deleted.
By default, in the NetWitness UI, Admin > Services > Endpoint Server, Config, Data Retention Scheduler is configured to delete data older than 30 days.
The Files entries with a negative "On Host" count will be deleted once they are older than the configured data retention period.
Reference:
https://community.netwitness.com/t5/netwitness-platform-online/data-retention-scheduler-tab/ta-p/669556
Manually delete the mongodb entries for files with a negative "On Host" count.
Note: This does not stop a negative "On Host" count for files appearing again in the future.
1. Log in to the Endpoint Server appliance via SSH.
2. Create a backup of the endpoint-server mongodb collection "file" using this command:
mongodump -u deploy_admin -p <deploy_admin password> --authenticationDatabase=admin --port 27017 --db=endpoint-server --collection file --gzip --out=/root/mongodumpgz
For example:
[root@Endpoint ~]# mongodump -u deploy_admin -p netwitness --authenticationDatabase=admin --port 27017 --db=endpoint-server --collection file --gzip --out=/root/mongodumpgz
2020-11-13T03:58:21.712+0000 writing endpoint-server.file to
2020-11-13T03:58:24.475+0000 [#####...................] endpoint-server.file 9811/44533 (22.0%)
2020-11-13T03:58:27.616+0000 [######..................] endpoint-server.file 11147/44533 (25.0%)
2020-11-13T03:58:30.426+0000 [##############..........] endpoint-server.file 26282/44533 (59.0%)
2020-11-13T03:58:33.439+0000 [###############.........] endpoint-server.file 28403/44533 (63.8%)
2020-11-13T03:58:36.441+0000 [################........] endpoint-server.file 30506/44533 (68.5%)
2020-11-13T03:58:39.472+0000 [#################.......] endpoint-server.file 31838/44533 (71.5%)
2020-11-13T03:58:42.428+0000 [##################......] endpoint-server.file 33461/44533 (75.1%)
2020-11-13T03:58:45.550+0000 [####################....] endpoint-server.file 38941/44533 (87.4%)
2020-11-13T03:58:48.427+0000 [#######################.] endpoint-server.file 43000/44533 (96.6%)
2020-11-13T03:58:49.519+0000 [########################] endpoint-server.file 44533/44533 (100.0%)
2020-11-13T03:58:49.520+0000 done dumping endpoint-server.file (44533 documents)
3. Use the following mongo shell commands on the Endpoint Server to count, inspect and then remove the entries with a negative count.
mongo -u deploy_admin -p <deploy_admin password> endpoint-server --authenticationDatabase=admin
db.file.find({hostCount : {$lt : 0}}).count() /* Count how many files have negative hostCount */;
db.file.find({hostCount : {$lt : 0}}) /* Show the file entries with negative hostCount */;
db.file.remove({hostCount : {$lt : 0}}) /* Remove file entries with negative hostCount */;
exit
For example:
[root@Endpoint ~]# mongo -u deploy_admin -p <deploy_admin password> endpoint-server --authenticationDatabase=admin
> db.file.find({hostCount : {$lt : 0}}).count() /* Count how many files have negative hostCount */;
1
> db.file.find({hostCount : {$lt : 0}}) /* Show the file entries with negative hostCount */;
{ "_id" : "48d4fde31b9d7c3024e77387549feb8857e2632babee9e6a4bb03a61ccd4bdd0", "machineOsType" : "windows", "format" : "script", "checksumSha256" : "48d4fde31b9d7c3024e77387549feb8857e2632babee9e6a4bb03a61ccd4bdd0", "checksumSha1" : "c12950ffda47860d94b33eaa7ba8b2453f5d7332", "checksumMd5" : "000016fc005cde39e2c27eddee096467", "entropy" : 0, "size" : 128, "firstFileName" : "[FILELESS_SCRIPT_000016FC005CDE39E2C27EDDEE096467]", "script" : { }, "firstSeenTime" : ISODate("2020-07-27T08:20:37.740Z"), "fileStatus" : "Neutral", "hostCount" : -1, "score" : 0, "reputationStatus" : "Unknown" }
> db.file.remove({hostCount : {$lt : 0}}) /* Remove file entries with negative hostCount */;
WriteResult({ "nRemoved" : 1 })
> exit
bye
4. Refresh the NetWitness UI webpage.
In the NetWitness UI, Investigate > Files, the entries that showed a negative count in the "On Hosts" column are no longer displayed.
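The same steps 2 and 3 wrapped in a script, added here as an example and not part of the NetWitness article: it refuses to delete anything unless the mongodump backup succeeded, and it re-counts afterwards so a cleanup that silently removed nothing is reported. It assumes mongo and mongodump are on PATH, that the deploy_admin password is supplied in the MONGO_PASS environment variable, and that MONGO_PORT and DUMP_DIR may override the defaults from the article.

```shell
#!/usr/bin/env bash
# Added example (not NetWitness code). Assumes MONGO_PASS is set by the caller.
set -u

DB="endpoint-server"
COLL="file"
MONGO_USER="${MONGO_USER:-deploy_admin}"
PORT="${MONGO_PORT:-27017}"
DUMP_DIR="${DUMP_DIR:-/root/mongodumpgz}"

# Evaluate one JavaScript expression in the mongo shell; --quiet prints only the result.
mongo_eval() {
  mongo --quiet -u "$MONGO_USER" -p "$MONGO_PASS" --authenticationDatabase=admin \
        --port "$PORT" "$DB" --eval "$1"
}

# Number of file documents whose hostCount is negative (the "On Hosts" value in the UI).
count_negative() {
  mongo_eval "db.${COLL}.find({hostCount: {\$lt: 0}}).count()"
}

# Step 2: gzip dump of the file collection; non-zero exit if mongodump fails.
backup_collection() {
  mongodump -u "$MONGO_USER" -p "$MONGO_PASS" --authenticationDatabase=admin \
            --port "$PORT" --db="$DB" --collection "$COLL" --gzip --out="$DUMP_DIR"
}

# Step 3 with guards: skip when nothing is negative, never delete without a backup,
# and verify the count really reached zero.
cleanup_negative_hostcount() {
  local before after
  before="$(count_negative)"
  if [ "$before" -eq 0 ]; then
    echo "nothing to do: no file entries with negative hostCount"
    return 0
  fi
  backup_collection || { echo "backup failed, not deleting anything" >&2; return 1; }
  mongo_eval "db.${COLL}.remove({hostCount: {\$lt: 0}})" >/dev/null
  after="$(count_negative)"
  if [ "$after" -ne 0 ]; then
    echo "expected 0 negative entries after removal, found $after" >&2
    return 1
  fi
  echo "removed $before file entries with negative hostCount (backup in $DUMP_DIR)"
}
```

Source the file on the Endpoint Server and call cleanup_negative_hostcount; the count printed before removal should match the number shown by the manual find().count() step.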