sync: auto-sync from HOWARD-HOME at 2026-06-25 20:23:53
Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-06-25 20:23:53
This commit is contained in:
@@ -151,3 +151,95 @@ to save + clear context before applying the code fix and running a detection->re
|
||||
scan routes there are DEAD. Datto EDR help: edr.datto.com/help. RMM_THOUGHTS Feature 6 for the
|
||||
GuruRMM "EDR add-on" (webhooks Admin->Webhooks; needs Mike's go to build).
|
||||
- Research subagents (resumable): scan-endpoint finder `af59ee58a2ba28282`; EDR API research `ab14b157f92f91d49`.
|
||||
|
||||
---
|
||||
|
||||
## Update: 20:23 PT — code-review fixes applied + AV/EDR detection->reporting proven
|
||||
|
||||
### Session Summary
|
||||
|
||||
Resumed after context clear. Two threads completed: (1) applied the remaining workflow
|
||||
code-review findings to the `datto-edr` skill and committed; (2) ran a full
|
||||
detection->reporting test on RMM-TEST-MACHINE that ended up proving BOTH the Datto AV and
|
||||
the Datto EDR engines detect and report correctly through the skill.
|
||||
|
||||
Applied the 6 still-pending review fixes (the first 4 were done pre-clear): deploy-cmd now
|
||||
requires explicit `--regkey` or `--group` (no more auto-picking an arbitrary cross-client
|
||||
key); `raw` blocks a POST to any `*/scan` endpoint with no non-empty `where` (same
|
||||
tenant-wide footgun the `scan` cmd guards); `main()` got a catch-all that surfaces + logs
|
||||
unexpected exceptions (and a clean KeyboardInterrupt=130); `isolate` extension match is now
|
||||
forgiving (exact->substring, excludes the paired "Restore", errors on ambiguity);
|
||||
`detections --site` renamed `--target-group` (Alert.targetGroupId is a scan-target id, not a
|
||||
Location id); `_t_status` relabel "Target groups (sites)"->"Scan target groups". SKILL.md +
|
||||
docstrings updated. py_compile clean, selftest green (216 agents), guards fire on
|
||||
no-key/empty-where/no-agent, deploy-cmd --group picks the group's own key. Committed `79bda6f`.
|
||||
|
||||
Detection test: discovered the test EDR agent is NOT EDR-only (the prior resume note was
|
||||
wrong) -- `dattoAvEnabled=true`, Datto AV engine ready, Defender disabled. Pushed EICAR to
|
||||
the box via /rmm; Datto AV auto-quarantined it within ~1-2 min and raised a high-sev alert
|
||||
(`sourceType: av`, `Eicar-Test-Signature`, responseData quarantine-file), which surfaced
|
||||
correctly through `edr.py detection`/`detections`. That proved AV detect->respond->report
|
||||
end-to-end. The skill's `scan`/`task`/`cancel` were all exercised.
|
||||
|
||||
To isolate the EDR engine specifically, first tried a behavioral artifact (Run-key +
|
||||
scheduled task launching hidden encoded PowerShell, benign payload, no AV disable). The EDR
|
||||
forensic scan collected it but scored it BENIGN -> no alert: Datto EDR alerts on
|
||||
reputation/threat-intel, not structure. Per Howard's "if that doesn't work then disable AV",
|
||||
moved to AV suppression. The AV is tamper-protected (can't stop EndpointProtectionService2
|
||||
from the endpoint); Howard disabled Datto AV in the attached console policy (uninstalls the
|
||||
AV component) and then disabled Defender (which had auto-reactivated). With both AVs out and
|
||||
EICAR wired as the executable of a Run-key + scheduled task, the Datto EDR forensic scan
|
||||
detected it: high-sev alert `9e9b6e7d`, `eicar.exe`, `sourceType: rule`, "Generic Malware
|
||||
(Reputation - High Severity)". Both AV and EDR detections render correctly via the skill.
|
||||
Cleaned up all on-box artifacts and restored Defender RTP.
|
||||
|
||||
### Key Decisions
|
||||
- Kept the test fixtures (EDR agent `b98b3ba0`, group `c3ba0672`, key `tstrmm7053`) as a
|
||||
standing test endpoint, per Howard's earlier lean.
|
||||
- Used a behavioral artifact (no AV disable) as the first EDR-isolation attempt; only
|
||||
escalated to AV suppression when it produced no EDR alert.
|
||||
- Refused to brute-force tamper-protected AV from the endpoint (kill protected process /
|
||||
disable minifilter / reboot) -- too likely to break the managed AV. Used the supported
|
||||
console-policy path (Howard-driven) instead.
|
||||
- Build EICAR from char codes (not a literal) once Defender was in play -- Defender AMSI
|
||||
blocks any PowerShell script containing the literal EICAR string.
|
||||
|
||||
### Problems Encountered
|
||||
- `/tmp` read-back mismatch again (Git-Bash vs Python) -- switched to repo-relative scratch.
|
||||
Logged friction.
|
||||
- `edr.py agent <8charid>` returned HTTP 500 -- the API needs the full UUID; resolved by id
|
||||
prefix match client-side over the 216-agent list.
|
||||
- Disabling Datto AV in policy made Windows Defender auto-reactivate (Security Center) ->
|
||||
Defender then quarantined EICAR and AMSI-blocked the dropper script. Fixed by Howard
|
||||
disabling Defender + building EICAR from char codes.
|
||||
- Service-state sync lag: platform `dattoAvEnabled` flipped False at the console first; the
|
||||
on-box AV uninstall completed a few minutes later.
|
||||
|
||||
### Configuration Changes
|
||||
- `.claude/skills/datto-edr/scripts/edr.py`, `edr_client.py`, `SKILL.md` -- review fixes (commit `79bda6f`).
|
||||
- `.claude/memory/reference_datto_edr_detection_behavior.md` (new) + `MEMORY.md` index line.
|
||||
|
||||
### Verified Facts (this update)
|
||||
- Alert `sourceType`: `av` = Datto AV signature; `rule` = Datto EDR reputation detection. Both
|
||||
land in `Alerts`, both surface via `edr.py detections`.
|
||||
- Datto EDR forensic scan surveys execution/persistence artifacts (autostarts, processes,
|
||||
modules, etc.) + reputation-checks their hashes; it does NOT scan loose files on disk. Wire a
|
||||
known-bad file as an autostart's executable to trip it.
|
||||
- Canonical EICAR SHA256 (as written): `275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F`.
|
||||
- AV is tamper-protected: `Stop-Service EndpointProtectionService2 -Force` is refused; supported
|
||||
disable is console policy only (like Syncro RMM policy).
|
||||
|
||||
### Test artifacts / alerts (left in place)
|
||||
- EDR alert `9e9b6e7d` (eicar.exe, rule) + AV alert `269ab552` (eicar_edrtest.com, av) remain in
|
||||
the console as test records -- Howard to archive if desired.
|
||||
- On-box: all removed (EICAR file, Run-key `EDRTestEicar`, scheduled task `EDRTestEicar`).
|
||||
|
||||
### Pending / Action
|
||||
- **Howard: re-enable Datto AV in the console policy** for RMM-TEST-MACHINE (currently on
|
||||
Defender RTP as interim protection; AV component was uninstalled by the policy disable).
|
||||
|
||||
### Reference Information
|
||||
- Test EDR agent `b98b3ba0-5f82-466f-911a-5a6b24cdbae7` (hostname rmm-test-machine), RMM agent
|
||||
`99d6d692-99e0-4359-9f9c-f43be89f49e5`, group `[TEST] RMM-TEST-MACHINE` `c3ba0672-...`, org ACG
|
||||
`ac78844a-2d44-4c10-acc8-c9bcb6106346`. AV install path `C:\Program Files\infocyte\agent\dattoav\`.
|
||||
- Commit `79bda6f` datto-edr code-review fixes.
|
||||
|
||||
Reference in New Issue
Block a user