diff --git a/.claude/memory/MEMORY.md b/.claude/memory/MEMORY.md index f1218c7a..5bd4c88f 100644 --- a/.claude/memory/MEMORY.md +++ b/.claude/memory/MEMORY.md 
@@ -9,6 +9,7 @@ - [Power Failure Runbook](../POWER_FAILURE_RUNBOOK.md) — Recovery order after a power event: Tailscale routes, libvirt/VMs, Seafile, NPM/DNS. - [Syncro API — Invoice Verification Pattern](syncro_invoice_verification_pattern.md) — /invoices?customer_id=X returns no ticket linkage; query /invoices/{number} for ticket_id. Compare by ticket ID, not number. - [Syncro RMM policies = API-impossible](reference_syncro_rmm_api_gui_only.md) — policy create/assign/folder-move is GUI-ONLY; `policy_folder_id` is read-only on PUT (live-proven), policy endpoints 404, /policy_folders 401 scope-gated. Don't build /syncro move-asset; use `bitdefender` for API policy work. +- [Datto EDR detection behavior](reference_datto_edr_detection_behavior.md) — alert `sourceType`: `av`=Datto AV signature, `rule`=EDR reputation detection (both via `edr.py detections`). EDR is reputation-based not structural (wire known-bad file as autostart exe to trip it; loose files aren't surveyed). AV is tamper-protected (console-only disable); disabling Datto AV uninstalls it + Defender auto-reactivates (AMSI blocks scripts with literal EICAR → build from char codes). Verified live on RMM-TEST-MACHINE. - [Approval Workflow: Tools vs Projects](approval-workflow-tools-vs-projects.md) — Tools (remediation, scripts): Howard/Claude with approval. Projects (GuruRMM): Mike approval for architecture/features; Howard can handle merges/deploys himself (2026-06-21); bugs→bug list. - [CDP Chrome driver](reference_cdp_chrome_driver.md) — Drive Chrome via DevTools Protocol (.claude/scripts/cdp.py): visible window + screenshots-to-disk so Gemini/Grok can SEE the live site. Use localhost not 127.0.0.1; dedicated profile. Antigravity-style. - [Firefox driver (ff.py)](reference_ff_firefox_driver.md) — PREFERRED browser driver. Drive Firefox via Playwright (.claude/scripts/ff.py): daemon on :9333, persistent profile, nav/shot/click/type/eval/console/network. 
Mike dislikes Chrome; claude-in-chrome connector disabled 2026-06-06. diff --git a/.claude/memory/reference_datto_edr_detection_behavior.md b/.claude/memory/reference_datto_edr_detection_behavior.md new file mode 100644 index 00000000..e8c0b558 --- /dev/null +++ b/.claude/memory/reference_datto_edr_detection_behavior.md 
@@ -0,0 +1,23 @@ +--- +name: reference_datto_edr_detection_behavior +description: How Datto EDR (azcomp4587) actually detects/reports, and AV-suppression gotchas — verified live on RMM-TEST-MACHINE +metadata: + type: reference +--- + +Verified live 2026-06-25/26 on RMM-TEST-MACHINE (EDR agent `b98b3ba0-...`, group `[TEST] RMM-TEST-MACHINE`, org Arizona Computer Guru) via the `datto-edr` skill + `/rmm`. + +**Alert `sourceType` taxonomy (how to tell WHICH engine fired):** +- `av` = Datto AV signature hit (e.g. `Eicar-Test-Signature`). On-access/RTP. +- `rule` = Datto **EDR** detection — reputation/analyst rule on the forensic scan (e.g. `Generic Malware (Reputation - High Severity)`, description "Malware detected by endpoint protection"). +- Both land in the same `Alerts` collection and surface identically via `edr.py detections`. + +**Datto EDR is reputation-based, NOT structural.** A synthetic "looks suspicious" artifact (Run-key/scheduled task launching hidden `-EncodedCommand` powershell) is collected by the forensic scan but scored BENIGN → no alert (powershell.exe is signed/clean). To get an EDR detection you need a real reputation hit: wire a known-bad file as the **executable of an autostart** (Run-key/scheduled task) so the survey collects + hashes it. EICAR-as-autostart works → high-sev `rule` alert. A loose file on disk is NOT scanned by the EDR forensic survey (it only walks execution/persistence artifacts). + +**AV-suppression gotchas (to isolate EDR on an endpoint):** +- Datto AV is **tamper-protected**: `Stop-Service EndpointProtectionService2 -Force` is refused ("cannot be stopped"); can't disable from the endpoint. Supported path = console policy (AV disabled / path-exclusion) — console-only, like policy assignment. +- Disabling Datto AV in the policy **uninstalls** the AV component on the box (services `EndpointProtectionService`/`...2` go absent; `HUNTAgent` EDR stays). 
Platform `dattoAvEnabled` flips to False at the console first; the on-box apply lags a few minutes. +- Removing Datto AV makes **Windows Defender auto-reactivate** (Security Center turns it back on when no 3rd-party AV registered). Then Defender RTP quarantines EICAR AND its **AMSI blocks any PowerShell script containing the literal EICAR string** ("script contains malicious content"). Build EICAR from char codes so the literal never appears in the script; disable Defender RTP (or path-exclude) too. +- After testing: restore Defender RTP (`Set-MpPreference -DisableRealtimeMonitoring $false`) and re-enable Datto AV in the console policy. + +Skill: [[reference_syncro_rmm_api_gui_only]] is the analogous "management is GUI/console-only" constraint. See `.claude/skills/datto-edr/`. diff --git a/session-logs/2026-06/2026-06-25-howard-datto-edr-skill-and-lifecycle-test.md b/session-logs/2026-06/2026-06-25-howard-datto-edr-skill-and-lifecycle-test.md index 83399af4..29969c61 100644 --- a/session-logs/2026-06/2026-06-25-howard-datto-edr-skill-and-lifecycle-test.md +++ b/session-logs/2026-06/2026-06-25-howard-datto-edr-skill-and-lifecycle-test.md 
@@ -151,3 +151,95 @@ to save + clear context before applying the code fix and running a detection->re scan routes there are DEAD. Datto EDR help: edr.datto.com/help. RMM_THOUGHTS Feature 6 for the GuruRMM "EDR add-on" (webhooks Admin->Webhooks; needs Mike's go to build). - Research subagents (resumable): scan-endpoint finder `af59ee58a2ba28282`; EDR API research `ab14b157f92f91d49`. + +--- + +## Update: 20:23 PT — code-review fixes applied + AV/EDR detection->reporting proven + +### Session Summary + +Resumed after context clear. Two threads completed: (1) applied the remaining workflow +code-review findings to the `datto-edr` skill and committed; (2) ran a full +detection->reporting test on RMM-TEST-MACHINE that ended up proving BOTH the Datto AV and +the Datto EDR engines detect and report correctly through the skill. + +Applied the 6 still-pending review fixes (the first 4 were done pre-clear): deploy-cmd now +requires explicit `--regkey` or `--group` (no more auto-picking an arbitrary cross-client +key); `raw` blocks a POST to any `*/scan` endpoint with no non-empty `where` (same +tenant-wide footgun the `scan` cmd guards); `main()` got a catch-all that surfaces + logs +unexpected exceptions (and a clean KeyboardInterrupt=130); `isolate` extension match is now +forgiving (exact->substring, excludes the paired "Restore", errors on ambiguity); +`detections --site` renamed `--target-group` (Alert.targetGroupId is a scan-target id, not a +Location id); `_t_status` relabel "Target groups (sites)"->"Scan target groups". SKILL.md + +docstrings updated. py_compile clean, selftest green (216 agents), guards fire on +no-key/empty-where/no-agent, deploy-cmd --group picks the group's own key. Committed `79bda6f`. + +Detection test: discovered the test EDR agent is NOT EDR-only (the prior resume note was +wrong) -- `dattoAvEnabled=true`, Datto AV engine ready, Defender disabled. 
Pushed EICAR to +the box via /rmm; Datto AV auto-quarantined it within ~1-2 min and raised a high-sev alert +(`sourceType: av`, `Eicar-Test-Signature`, responseData quarantine-file), which surfaced +correctly through `edr.py detection`/`detections`. That proved AV detect->respond->report +end-to-end. The skill's `scan`/`task`/`cancel` were all exercised. + +To isolate the EDR engine specifically, first tried a behavioral artifact (Run-key + +scheduled task launching hidden encoded PowerShell, benign payload, no AV disable). The EDR +forensic scan collected it but scored it BENIGN -> no alert: Datto EDR alerts on +reputation/threat-intel, not structure. Per Howard's "if that doesn't work then disable AV", +moved to AV suppression. The AV is tamper-protected (can't stop EndpointProtectionService2 +from the endpoint); Howard disabled Datto AV in the attached console policy (uninstalls the +AV component) and then disabled Defender (which had auto-reactivated). With both AVs out and +EICAR wired as the executable of a Run-key + scheduled task, the Datto EDR forensic scan +detected it: high-sev alert `9e9b6e7d`, `eicar.exe`, `sourceType: rule`, "Generic Malware +(Reputation - High Severity)". Both AV and EDR detections render correctly via the skill. +Cleaned up all on-box artifacts and restored Defender RTP. + +### Key Decisions +- Kept the test fixtures (EDR agent `b98b3ba0`, group `c3ba0672`, key `tstrmm7053`) as a + standing test endpoint, per Howard's earlier lean. +- Used a behavioral artifact (no AV disable) as the first EDR-isolation attempt; only + escalated to AV suppression when it produced no EDR alert. +- Refused to brute-force tamper-protected AV from the endpoint (kill protected process / + disable minifilter / reboot) -- too likely to break the managed AV. Used the supported + console-policy path (Howard-driven) instead. 
+- Build EICAR from char codes (not a literal) once Defender was in play -- Defender AMSI + blocks any PowerShell script containing the literal EICAR string. + +### Problems Encountered +- `/tmp` read-back mismatch again (Git-Bash vs Python) -- switched to repo-relative scratch. + Logged friction. +- `edr.py agent <8charid>` returned HTTP 500 -- the API needs the full UUID; resolved by id + prefix match client-side over the 216-agent list. +- Disabling Datto AV in policy made Windows Defender auto-reactivate (Security Center) -> + Defender then quarantined EICAR and AMSI-blocked the dropper script. Fixed by Howard + disabling Defender + building EICAR from char codes. +- Service-state sync lag: platform `dattoAvEnabled` flipped False at the console first; the + on-box AV uninstall completed a few minutes later. + +### Configuration Changes +- `.claude/skills/datto-edr/scripts/edr.py`, `edr_client.py`, `SKILL.md` -- review fixes (commit `79bda6f`). +- `.claude/memory/reference_datto_edr_detection_behavior.md` (new) + `MEMORY.md` index line. + +### Verified Facts (this update) +- Alert `sourceType`: `av` = Datto AV signature; `rule` = Datto EDR reputation detection. Both + land in `Alerts`, both surface via `edr.py detections`. +- Datto EDR forensic scan surveys execution/persistence artifacts (autostarts, processes, + modules, etc.) + reputation-checks their hashes; it does NOT scan loose files on disk. Wire a + known-bad file as an autostart's executable to trip it. +- Canonical EICAR SHA256 (as written): `275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F`. +- AV is tamper-protected: `Stop-Service EndpointProtectionService2 -Force` is refused; supported + disable is console policy only (like Syncro RMM policy). + +### Test artifacts / alerts (left in place) +- EDR alert `9e9b6e7d` (eicar.exe, rule) + AV alert `269ab552` (eicar_edrtest.com, av) remain in + the console as test records -- Howard to archive if desired. 
+- On-box: all removed (EICAR file, Run-key `EDRTestEicar`, scheduled task `EDRTestEicar`). + +### Pending / Action +- **Howard: re-enable Datto AV in the console policy** for RMM-TEST-MACHINE (currently on + Defender RTP as interim protection; AV component was uninstalled by the policy disable). + +### Reference Information +- Test EDR agent `b98b3ba0-5f82-466f-911a-5a6b24cdbae7` (hostname rmm-test-machine), RMM agent + `99d6d692-99e0-4359-9f9c-f43be89f49e5`, group `[TEST] RMM-TEST-MACHINE` `c3ba0672-...`, org ACG + `ac78844a-2d44-4c10-acc8-c9bcb6106346`. AV install path `C:\Program Files\infocyte\agent\dattoav\`. +- Commit `79bda6f` datto-edr code-review fixes.
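Review bot: the new MEMORY.md index line for `reference_datto_edr_detection_behavior.md` carries the AV-suppression gotchas (console-only disable, Defender auto-reactivates, AMSI) but drops the restore step the reference file itself ends with (restore Defender RTP via `Set-MpPreference -DisableRealtimeMonitoring $false`, re-enable Datto AV in the console policy). Since the index line is what gets read first, append something like "restore Defender RTP + re-enable Datto AV after testing" so the summary does not read as a standing instruction to leave the endpoint without AV.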
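Review bot: the closing "After testing" bullet of `reference_datto_edr_detection_behavior.md` should say what to verify after re-enabling Datto AV, because the file's own earlier bullet states that the policy disable uninstalls the AV component and that the on-box apply lags the console by a few minutes: suggest adding a check that platform `dattoAvEnabled` has flipped back to True and that `EndpointProtectionService`/`...2` are present again on the box before treating the endpoint as restored, and that any path-exclusion added as the alternative suppression route is removed. Minor: the last line labels `[[reference_syncro_rmm_api_gui_only]]` as "Skill:", but that is a memory reference (the skill is `.claude/skills/datto-edr/`), so relabel it "Related:"; and the frontmatter `description` mentions `azcomp4587`, which is explained nowhere in the file, so expand or drop it.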
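Review bot: under "Key Decisions" the session log records `key tstrmm7053` next to the test agent and group ids; read together with the same update's note that deploy-cmd now requires an explicit `--regkey`, this looks like the group's registration key, and a committed session log is not where a deploy key belongs. Suggest keeping only the agent/group ids here and pointing to wherever the key is actually held. Also, "Pending / Action" leaves RMM-TEST-MACHINE on Defender RTP with the Datto AV component uninstalled and the two test alerts (`9e9b6e7d`, `269ab552`) still in the console; a target date next to the owner would keep that interim state from quietly becoming permanent.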