sync: auto-sync from HOWARD-HOME at 2026-06-25 20:23:53

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-25 20:23:53
This commit is contained in:
2026-06-25 20:24:23 -07:00
parent 42c8b232cd
commit cf960d1b2a
3 changed files with 116 additions and 0 deletions

View File

@@ -9,6 +9,7 @@
- [Power Failure Runbook](../POWER_FAILURE_RUNBOOK.md) — Recovery order after a power event: Tailscale routes, libvirt/VMs, Seafile, NPM/DNS. - [Power Failure Runbook](../POWER_FAILURE_RUNBOOK.md) — Recovery order after a power event: Tailscale routes, libvirt/VMs, Seafile, NPM/DNS.
- [Syncro API — Invoice Verification Pattern](syncro_invoice_verification_pattern.md) — /invoices?customer_id=X returns no ticket linkage; query /invoices/{number} for ticket_id. Compare by ticket ID, not number. - [Syncro API — Invoice Verification Pattern](syncro_invoice_verification_pattern.md) — /invoices?customer_id=X returns no ticket linkage; query /invoices/{number} for ticket_id. Compare by ticket ID, not number.
- [Syncro RMM policies = API-impossible](reference_syncro_rmm_api_gui_only.md) — policy create/assign/folder-move is GUI-ONLY; `policy_folder_id` is read-only on PUT (live-proven), policy endpoints 404, /policy_folders 401 scope-gated. Don't build /syncro move-asset; use `bitdefender` for API policy work. - [Syncro RMM policies = API-impossible](reference_syncro_rmm_api_gui_only.md) — policy create/assign/folder-move is GUI-ONLY; `policy_folder_id` is read-only on PUT (live-proven), policy endpoints 404, /policy_folders 401 scope-gated. Don't build /syncro move-asset; use `bitdefender` for API policy work.
- [Datto EDR detection behavior](reference_datto_edr_detection_behavior.md) — alert `sourceType`: `av`=Datto AV signature, `rule`=EDR reputation detection (both via `edr.py detections`). EDR is reputation-based not structural (wire known-bad file as autostart exe to trip it; loose files aren't surveyed). AV is tamper-protected (console-only disable); disabling Datto AV uninstalls it + Defender auto-reactivates (AMSI blocks scripts with literal EICAR → build from char codes). Verified live on RMM-TEST-MACHINE.
- [Approval Workflow: Tools vs Projects](approval-workflow-tools-vs-projects.md) — Tools (remediation, scripts): Howard/Claude with approval. Projects (GuruRMM): Mike approval for architecture/features; Howard can handle merges/deploys himself (2026-06-21); bugs→bug list. - [Approval Workflow: Tools vs Projects](approval-workflow-tools-vs-projects.md) — Tools (remediation, scripts): Howard/Claude with approval. Projects (GuruRMM): Mike approval for architecture/features; Howard can handle merges/deploys himself (2026-06-21); bugs→bug list.
- [CDP Chrome driver](reference_cdp_chrome_driver.md) — Drive Chrome via DevTools Protocol (.claude/scripts/cdp.py): visible window + screenshots-to-disk so Gemini/Grok can SEE the live site. Use localhost not 127.0.0.1; dedicated profile. Antigravity-style. - [CDP Chrome driver](reference_cdp_chrome_driver.md) — Drive Chrome via DevTools Protocol (.claude/scripts/cdp.py): visible window + screenshots-to-disk so Gemini/Grok can SEE the live site. Use localhost not 127.0.0.1; dedicated profile. Antigravity-style.
- [Firefox driver (ff.py)](reference_ff_firefox_driver.md) — PREFERRED browser driver. Drive Firefox via Playwright (.claude/scripts/ff.py): daemon on :9333, persistent profile, nav/shot/click/type/eval/console/network. Mike dislikes Chrome; claude-in-chrome connector disabled 2026-06-06. - [Firefox driver (ff.py)](reference_ff_firefox_driver.md) — PREFERRED browser driver. Drive Firefox via Playwright (.claude/scripts/ff.py): daemon on :9333, persistent profile, nav/shot/click/type/eval/console/network. Mike dislikes Chrome; claude-in-chrome connector disabled 2026-06-06.

View File

@@ -0,0 +1,23 @@
---
name: reference_datto_edr_detection_behavior
description: How Datto EDR (azcomp4587) actually detects/reports, and AV-suppression gotchas — verified live on RMM-TEST-MACHINE
metadata:
type: reference
---
Verified live 2026-06-25/26 on RMM-TEST-MACHINE (EDR agent `b98b3ba0-...`, group `[TEST] RMM-TEST-MACHINE`, org Arizona Computer Guru) via the `datto-edr` skill + `/rmm`.
**Alert `sourceType` taxonomy (how to tell WHICH engine fired):**
- `av` = Datto AV signature hit (e.g. `Eicar-Test-Signature`). On-access/RTP.
- `rule` = Datto **EDR** detection — reputation/analyst rule on the forensic scan (e.g. `Generic Malware (Reputation - High Severity)`, description "Malware detected by endpoint protection").
- Both land in the same `Alerts` collection and surface identically via `edr.py detections`.
**Datto EDR is reputation-based, NOT structural.** A synthetic "looks suspicious" artifact (Run-key/scheduled task launching hidden `-EncodedCommand` powershell) is collected by the forensic scan but scored BENIGN → no alert (powershell.exe is signed/clean). To get an EDR detection you need a real reputation hit: wire a known-bad file as the **executable of an autostart** (Run-key/scheduled task) so the survey collects + hashes it. EICAR-as-autostart works → high-sev `rule` alert. A loose file on disk is NOT scanned by the EDR forensic survey (it only walks execution/persistence artifacts).
**AV-suppression gotchas (to isolate EDR on an endpoint):**
- Datto AV is **tamper-protected**: `Stop-Service EndpointProtectionService2 -Force` is refused ("cannot be stopped"); can't disable from the endpoint. Supported path = console policy (AV disabled / path-exclusion) — console-only, like policy assignment.
- Disabling Datto AV in the policy **uninstalls** the AV component on the box (services `EndpointProtectionService`/`...2` go absent; `HUNTAgent` EDR stays). Platform `dattoAvEnabled` flips to False at the console first; the on-box apply lags a few minutes.
- Removing Datto AV makes **Windows Defender auto-reactivate** (Security Center turns it back on when no 3rd-party AV registered). Then Defender RTP quarantines EICAR AND its **AMSI blocks any PowerShell script containing the literal EICAR string** ("script contains malicious content"). Build EICAR from char codes so the literal never appears in the script; disable Defender RTP (or path-exclude) too.
- After testing: restore Defender RTP (`Set-MpPreference -DisableRealtimeMonitoring $false`) and re-enable Datto AV in the console policy.
Skill: [[reference_syncro_rmm_api_gui_only]] is the analogous "management is GUI/console-only" constraint. See `.claude/skills/datto-edr/`.

View File

@@ -151,3 +151,95 @@ to save + clear context before applying the code fix and running a detection->re
scan routes there are DEAD. Datto EDR help: edr.datto.com/help. RMM_THOUGHTS Feature 6 for the scan routes there are DEAD. Datto EDR help: edr.datto.com/help. RMM_THOUGHTS Feature 6 for the
GuruRMM "EDR add-on" (webhooks Admin->Webhooks; needs Mike's go to build). GuruRMM "EDR add-on" (webhooks Admin->Webhooks; needs Mike's go to build).
- Research subagents (resumable): scan-endpoint finder `af59ee58a2ba28282`; EDR API research `ab14b157f92f91d49`. - Research subagents (resumable): scan-endpoint finder `af59ee58a2ba28282`; EDR API research `ab14b157f92f91d49`.
---
## Update: 20:23 PT — code-review fixes applied + AV/EDR detection->reporting proven
### Session Summary
Resumed after context clear. Two threads completed: (1) applied the remaining workflow
code-review findings to the `datto-edr` skill and committed; (2) ran a full
detection->reporting test on RMM-TEST-MACHINE that ended up proving BOTH the Datto AV and
the Datto EDR engines detect and report correctly through the skill.
Applied the 6 still-pending review fixes (the first 4 were done pre-clear): deploy-cmd now
requires explicit `--regkey` or `--group` (no more auto-picking an arbitrary cross-client
key); `raw` blocks a POST to any `*/scan` endpoint with no non-empty `where` (same
tenant-wide footgun the `scan` cmd guards); `main()` got a catch-all that surfaces + logs
unexpected exceptions (and a clean KeyboardInterrupt=130); `isolate` extension match is now
forgiving (exact->substring, excludes the paired "Restore", errors on ambiguity);
`detections --site` renamed `--target-group` (Alert.targetGroupId is a scan-target id, not a
Location id); `_t_status` relabel "Target groups (sites)"->"Scan target groups". SKILL.md +
docstrings updated. py_compile clean, selftest green (216 agents), guards fire on
no-key/empty-where/no-agent, deploy-cmd --group picks the group's own key. Committed `79bda6f`.
Detection test: discovered the test EDR agent is NOT EDR-only (the prior resume note was
wrong) -- `dattoAvEnabled=true`, Datto AV engine ready, Defender disabled. Pushed EICAR to
the box via /rmm; Datto AV auto-quarantined it within ~1-2 min and raised a high-sev alert
(`sourceType: av`, `Eicar-Test-Signature`, responseData quarantine-file), which surfaced
correctly through `edr.py detection`/`detections`. That proved AV detect->respond->report
end-to-end. The skill's `scan`/`task`/`cancel` were all exercised.
To isolate the EDR engine specifically, first tried a behavioral artifact (Run-key +
scheduled task launching hidden encoded PowerShell, benign payload, no AV disable). The EDR
forensic scan collected it but scored it BENIGN -> no alert: Datto EDR alerts on
reputation/threat-intel, not structure. Per Howard's "if that doesn't work then disable AV",
moved to AV suppression. The AV is tamper-protected (can't stop EndpointProtectionService2
from the endpoint); Howard disabled Datto AV in the attached console policy (uninstalls the
AV component) and then disabled Defender (which had auto-reactivated). With both AVs out and
EICAR wired as the executable of a Run-key + scheduled task, the Datto EDR forensic scan
detected it: high-sev alert `9e9b6e7d`, `eicar.exe`, `sourceType: rule`, "Generic Malware
(Reputation - High Severity)". Both AV and EDR detections render correctly via the skill.
Cleaned up all on-box artifacts and restored Defender RTP.
### Key Decisions
- Kept the test fixtures (EDR agent `b98b3ba0`, group `c3ba0672`, key `tstrmm7053`) as a
standing test endpoint, per Howard's earlier lean.
- Used a behavioral artifact (no AV disable) as the first EDR-isolation attempt; only
escalated to AV suppression when it produced no EDR alert.
- Refused to brute-force tamper-protected AV from the endpoint (kill protected process /
disable minifilter / reboot) -- too likely to break the managed AV. Used the supported
console-policy path (Howard-driven) instead.
- Build EICAR from char codes (not a literal) once Defender was in play -- Defender AMSI
blocks any PowerShell script containing the literal EICAR string.
### Problems Encountered
- `/tmp` read-back mismatch again (Git-Bash vs Python) -- switched to repo-relative scratch.
Logged friction.
- `edr.py agent <8charid>` returned HTTP 500 -- the API needs the full UUID; resolved by id
prefix match client-side over the 216-agent list.
- Disabling Datto AV in policy made Windows Defender auto-reactivate (Security Center) ->
Defender then quarantined EICAR and AMSI-blocked the dropper script. Fixed by Howard
disabling Defender + building EICAR from char codes.
- Service-state sync lag: platform `dattoAvEnabled` flipped False at the console first; the
on-box AV uninstall completed a few minutes later.
### Configuration Changes
- `.claude/skills/datto-edr/scripts/edr.py`, `edr_client.py`, `SKILL.md` -- review fixes (commit `79bda6f`).
- `.claude/memory/reference_datto_edr_detection_behavior.md` (new) + `MEMORY.md` index line.
### Verified Facts (this update)
- Alert `sourceType`: `av` = Datto AV signature; `rule` = Datto EDR reputation detection. Both
land in `Alerts`, both surface via `edr.py detections`.
- Datto EDR forensic scan surveys execution/persistence artifacts (autostarts, processes,
modules, etc.) + reputation-checks their hashes; it does NOT scan loose files on disk. Wire a
known-bad file as an autostart's executable to trip it.
- Canonical EICAR SHA256 (as written): `275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F`.
- AV is tamper-protected: `Stop-Service EndpointProtectionService2 -Force` is refused; supported
disable is console policy only (like Syncro RMM policy).
### Test artifacts / alerts (left in place)
- EDR alert `9e9b6e7d` (eicar.exe, rule) + AV alert `269ab552` (eicar_edrtest.com, av) remain in
the console as test records -- Howard to archive if desired.
- On-box: all removed (EICAR file, Run-key `EDRTestEicar`, scheduled task `EDRTestEicar`).
### Pending / Action
- **Howard: re-enable Datto AV in the console policy** for RMM-TEST-MACHINE (currently on
Defender RTP as interim protection; AV component was uninstalled by the policy disable).
### Reference Information
- Test EDR agent `b98b3ba0-5f82-466f-911a-5a6b24cdbae7` (hostname rmm-test-machine), RMM agent
`99d6d692-99e0-4359-9f9c-f43be89f49e5`, group `[TEST] RMM-TEST-MACHINE` `c3ba0672-...`, org ACG
`ac78844a-2d44-4c10-acc8-c9bcb6106346`. AV install path `C:\Program Files\infocyte\agent\dattoav\`.
- Commit `79bda6f` datto-edr code-review fixes.