sync: auto-sync from HOWARD-HOME at 2026-06-25 20:23:53

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-25 20:23:53
This commit is contained in:
2026-06-25 20:24:23 -07:00
parent 42c8b232cd
commit cf960d1b2a
3 changed files with 116 additions and 0 deletions

View File

@@ -151,3 +151,95 @@ to save + clear context before applying the code fix and running a detection->re
scan routes there are DEAD. Datto EDR help: edr.datto.com/help. RMM_THOUGHTS Feature 6 for the
GuruRMM "EDR add-on" (webhooks Admin->Webhooks; needs Mike's go to build).
- Research subagents (resumable): scan-endpoint finder `af59ee58a2ba28282`; EDR API research `ab14b157f92f91d49`.
---
## Update: 20:23 PT — code-review fixes applied + AV/EDR detection->reporting proven
### Session Summary
Resumed after context clear. Two threads completed: (1) applied the remaining workflow
code-review findings to the `datto-edr` skill and committed; (2) ran a full
detection->reporting test on RMM-TEST-MACHINE that ended up proving BOTH the Datto AV and
the Datto EDR engines detect and report correctly through the skill.
Applied the 6 still-pending review fixes (the first 4 were done pre-clear): deploy-cmd now
requires explicit `--regkey` or `--group` (no more auto-picking an arbitrary cross-client
key); `raw` blocks a POST to any `*/scan` endpoint with no non-empty `where` (same
tenant-wide footgun the `scan` cmd guards); `main()` got a catch-all that surfaces + logs
unexpected exceptions (and a clean KeyboardInterrupt=130); `isolate` extension match is now
forgiving (exact->substring, excludes the paired "Restore", errors on ambiguity);
`detections --site` renamed `--target-group` (Alert.targetGroupId is a scan-target id, not a
Location id); `_t_status` relabel "Target groups (sites)"->"Scan target groups". SKILL.md +
docstrings updated. py_compile clean, selftest green (216 agents), guards fire on
no-key/empty-where/no-agent, deploy-cmd --group picks the group's own key. Committed `79bda6f`.
Detection test: discovered the test EDR agent is NOT EDR-only (the prior resume note was
wrong) -- `dattoAvEnabled=true`, Datto AV engine ready, Defender disabled. Pushed EICAR to
the box via /rmm; Datto AV auto-quarantined it within ~1-2 min and raised a high-sev alert
(`sourceType: av`, `Eicar-Test-Signature`, responseData quarantine-file), which surfaced
correctly through `edr.py detection`/`detections`. That proved AV detect->respond->report
end-to-end. The skill's `scan`/`task`/`cancel` were all exercised.
To isolate the EDR engine specifically, first tried a behavioral artifact (Run-key +
scheduled task launching hidden encoded PowerShell, benign payload, no AV disable). The EDR
forensic scan collected it but scored it BENIGN -> no alert: Datto EDR alerts on
reputation/threat-intel, not structure. Per Howard's "if that doesn't work then disable AV",
moved to AV suppression. The AV is tamper-protected (can't stop EndpointProtectionService2
from the endpoint); Howard disabled Datto AV in the attached console policy (uninstalls the
AV component) and then disabled Defender (which had auto-reactivated). With both AVs out and
EICAR wired as the executable of a Run-key + scheduled task, the Datto EDR forensic scan
detected it: high-sev alert `9e9b6e7d`, `eicar.exe`, `sourceType: rule`, "Generic Malware
(Reputation - High Severity)". Both AV and EDR detections render correctly via the skill.
Cleaned up all on-box artifacts and restored Defender RTP.
### Key Decisions
- Kept the test fixtures (EDR agent `b98b3ba0`, group `c3ba0672`, key `tstrmm7053`) as a
standing test endpoint, per Howard's earlier lean.
- Used a behavioral artifact (no AV disable) as the first EDR-isolation attempt; only
escalated to AV suppression when it produced no EDR alert.
- Refused to brute-force tamper-protected AV from the endpoint (kill protected process /
disable minifilter / reboot) -- too likely to break the managed AV. Used the supported
console-policy path (Howard-driven) instead.
- Build EICAR from char codes (not a literal) once Defender was in play -- Defender AMSI
blocks any PowerShell script containing the literal EICAR string.
### Problems Encountered
- `/tmp` read-back mismatch again (Git-Bash vs Python) -- switched to repo-relative scratch.
Logged friction.
- `edr.py agent <8charid>` returned HTTP 500 -- the API needs the full UUID; resolved by id
prefix match client-side over the 216-agent list.
- Disabling Datto AV in policy made Windows Defender auto-reactivate (Security Center) ->
Defender then quarantined EICAR and AMSI-blocked the dropper script. Fixed by Howard
disabling Defender + building EICAR from char codes.
- Service-state sync lag: platform `dattoAvEnabled` flipped False at the console first; the
on-box AV uninstall completed a few minutes later.
### Configuration Changes
- `.claude/skills/datto-edr/scripts/edr.py`, `edr_client.py`, `SKILL.md` -- review fixes (commit `79bda6f`).
- `.claude/memory/reference_datto_edr_detection_behavior.md` (new) + `MEMORY.md` index line.
### Verified Facts (this update)
- Alert `sourceType`: `av` = Datto AV signature; `rule` = Datto EDR reputation detection. Both
land in `Alerts`, both surface via `edr.py detections`.
- Datto EDR forensic scan surveys execution/persistence artifacts (autostarts, processes,
modules, etc.) + reputation-checks their hashes; it does NOT scan loose files on disk. Wire a
known-bad file as an autostart's executable to trip it.
- Canonical EICAR SHA256 (as written): `275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F`.
- AV is tamper-protected: `Stop-Service EndpointProtectionService2 -Force` is refused; supported
disable is console policy only (like Syncro RMM policy).
### Test artifacts / alerts (left in place)
- EDR alert `9e9b6e7d` (eicar.exe, rule) + AV alert `269ab552` (eicar_edrtest.com, av) remain in
the console as test records -- Howard to archive if desired.
- On-box: all removed (EICAR file, Run-key `EDRTestEicar`, scheduled task `EDRTestEicar`).
### Pending / Action
- **Howard: re-enable Datto AV in the console policy** for RMM-TEST-MACHINE (currently on
Defender RTP as interim protection; AV component was uninstalled by the policy disable).
### Reference Information
- Test EDR agent `b98b3ba0-5f82-466f-911a-5a6b24cdbae7` (hostname rmm-test-machine), RMM agent
`99d6d692-99e0-4359-9f9c-f43be89f49e5`, group `[TEST] RMM-TEST-MACHINE` `c3ba0672-...`, org ACG
`ac78844a-2d44-4c10-acc8-c9bcb6106346`. AV install path `C:\Program Files\infocyte\agent\dattoav\`.
- Commit `79bda6f` datto-edr code-review fixes.