sync: auto-sync from HOWARD-HOME at 2026-06-25 20:23:53
Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-06-25 20:23:53
This commit is contained in:
@@ -9,6 +9,7 @@
|
|||||||
- [Power Failure Runbook](../POWER_FAILURE_RUNBOOK.md) — Recovery order after a power event: Tailscale routes, libvirt/VMs, Seafile, NPM/DNS.
|
- [Power Failure Runbook](../POWER_FAILURE_RUNBOOK.md) — Recovery order after a power event: Tailscale routes, libvirt/VMs, Seafile, NPM/DNS.
|
||||||
- [Syncro API — Invoice Verification Pattern](syncro_invoice_verification_pattern.md) — /invoices?customer_id=X returns no ticket linkage; query /invoices/{number} for ticket_id. Compare by ticket ID, not number.
|
- [Syncro API — Invoice Verification Pattern](syncro_invoice_verification_pattern.md) — /invoices?customer_id=X returns no ticket linkage; query /invoices/{number} for ticket_id. Compare by ticket ID, not number.
|
||||||
- [Syncro RMM policies = API-impossible](reference_syncro_rmm_api_gui_only.md) — policy create/assign/folder-move is GUI-ONLY; `policy_folder_id` is read-only on PUT (live-proven), policy endpoints 404, /policy_folders 401 scope-gated. Don't build /syncro move-asset; use `bitdefender` for API policy work.
|
- [Syncro RMM policies = API-impossible](reference_syncro_rmm_api_gui_only.md) — policy create/assign/folder-move is GUI-ONLY; `policy_folder_id` is read-only on PUT (live-proven), policy endpoints 404, /policy_folders 401 scope-gated. Don't build /syncro move-asset; use `bitdefender` for API policy work.
|
||||||
|
- [Datto EDR detection behavior](reference_datto_edr_detection_behavior.md) — alert `sourceType`: `av`=Datto AV signature, `rule`=EDR reputation detection (both via `edr.py detections`). EDR is reputation-based not structural (wire known-bad file as autostart exe to trip it; loose files aren't surveyed). AV is tamper-protected (console-only disable); disabling Datto AV uninstalls it + Defender auto-reactivates (AMSI blocks scripts with literal EICAR → build from char codes). Verified live on RMM-TEST-MACHINE.
|
||||||
- [Approval Workflow: Tools vs Projects](approval-workflow-tools-vs-projects.md) — Tools (remediation, scripts): Howard/Claude with approval. Projects (GuruRMM): Mike approval for architecture/features; Howard can handle merges/deploys himself (2026-06-21); bugs→bug list.
|
- [Approval Workflow: Tools vs Projects](approval-workflow-tools-vs-projects.md) — Tools (remediation, scripts): Howard/Claude with approval. Projects (GuruRMM): Mike approval for architecture/features; Howard can handle merges/deploys himself (2026-06-21); bugs→bug list.
|
||||||
- [CDP Chrome driver](reference_cdp_chrome_driver.md) — Drive Chrome via DevTools Protocol (.claude/scripts/cdp.py): visible window + screenshots-to-disk so Gemini/Grok can SEE the live site. Use localhost not 127.0.0.1; dedicated profile. Antigravity-style.
|
- [CDP Chrome driver](reference_cdp_chrome_driver.md) — Drive Chrome via DevTools Protocol (.claude/scripts/cdp.py): visible window + screenshots-to-disk so Gemini/Grok can SEE the live site. Use localhost not 127.0.0.1; dedicated profile. Antigravity-style.
|
||||||
- [Firefox driver (ff.py)](reference_ff_firefox_driver.md) — PREFERRED browser driver. Drive Firefox via Playwright (.claude/scripts/ff.py): daemon on :9333, persistent profile, nav/shot/click/type/eval/console/network. Mike dislikes Chrome; claude-in-chrome connector disabled 2026-06-06.
|
- [Firefox driver (ff.py)](reference_ff_firefox_driver.md) — PREFERRED browser driver. Drive Firefox via Playwright (.claude/scripts/ff.py): daemon on :9333, persistent profile, nav/shot/click/type/eval/console/network. Mike dislikes Chrome; claude-in-chrome connector disabled 2026-06-06.
|
||||||
|
|||||||
23
.claude/memory/reference_datto_edr_detection_behavior.md
Normal file
23
.claude/memory/reference_datto_edr_detection_behavior.md
Normal file
@@ -0,0 +1,23 @@
|
|||||||
|
---
|
||||||
|
name: reference_datto_edr_detection_behavior
|
||||||
|
description: How Datto EDR (azcomp4587) actually detects/reports, and AV-suppression gotchas — verified live on RMM-TEST-MACHINE
|
||||||
|
metadata:
|
||||||
|
type: reference
|
||||||
|
---
|
||||||
|
|
||||||
|
Verified live 2026-06-25/26 on RMM-TEST-MACHINE (EDR agent `b98b3ba0-...`, group `[TEST] RMM-TEST-MACHINE`, org Arizona Computer Guru) via the `datto-edr` skill + `/rmm`.
|
||||||
|
|
||||||
|
**Alert `sourceType` taxonomy (how to tell WHICH engine fired):**
|
||||||
|
- `av` = Datto AV signature hit (e.g. `Eicar-Test-Signature`). On-access/RTP.
|
||||||
|
- `rule` = Datto **EDR** detection — reputation/analyst rule on the forensic scan (e.g. `Generic Malware (Reputation - High Severity)`, description "Malware detected by endpoint protection").
|
||||||
|
- Both land in the same `Alerts` collection and surface identically via `edr.py detections`.
|
||||||
|
|
||||||
|
**Datto EDR is reputation-based, NOT structural.** A synthetic "looks suspicious" artifact (Run-key/scheduled task launching hidden `-EncodedCommand` powershell) is collected by the forensic scan but scored BENIGN → no alert (powershell.exe is signed/clean). To get an EDR detection you need a real reputation hit: wire a known-bad file as the **executable of an autostart** (Run-key/scheduled task) so the survey collects + hashes it. EICAR-as-autostart works → high-sev `rule` alert. A loose file on disk is NOT scanned by the EDR forensic survey (it only walks execution/persistence artifacts).
|
||||||
|
|
||||||
|
**AV-suppression gotchas (to isolate EDR on an endpoint):**
|
||||||
|
- Datto AV is **tamper-protected**: `Stop-Service EndpointProtectionService2 -Force` is refused ("cannot be stopped"); can't disable from the endpoint. Supported path = console policy (AV disabled / path-exclusion) — console-only, like policy assignment.
|
||||||
|
- Disabling Datto AV in the policy **uninstalls** the AV component on the box (services `EndpointProtectionService`/`...2` go absent; `HUNTAgent` EDR stays). Platform `dattoAvEnabled` flips to False at the console first; the on-box apply lags a few minutes.
|
||||||
|
- Removing Datto AV makes **Windows Defender auto-reactivate** (Security Center turns it back on when no 3rd-party AV registered). Then Defender RTP quarantines EICAR AND its **AMSI blocks any PowerShell script containing the literal EICAR string** ("script contains malicious content"). Build EICAR from char codes so the literal never appears in the script; disable Defender RTP (or path-exclude) too.
|
||||||
|
- After testing: restore Defender RTP (`Set-MpPreference -DisableRealtimeMonitoring $false`) and re-enable Datto AV in the console policy.
|
||||||
|
|
||||||
|
Skill: [[reference_syncro_rmm_api_gui_only]] is the analogous "management is GUI/console-only" constraint. See `.claude/skills/datto-edr/`.
|
||||||
@@ -151,3 +151,95 @@ to save + clear context before applying the code fix and running a detection->re
|
|||||||
scan routes there are DEAD. Datto EDR help: edr.datto.com/help. RMM_THOUGHTS Feature 6 for the
|
scan routes there are DEAD. Datto EDR help: edr.datto.com/help. RMM_THOUGHTS Feature 6 for the
|
||||||
GuruRMM "EDR add-on" (webhooks Admin->Webhooks; needs Mike's go to build).
|
GuruRMM "EDR add-on" (webhooks Admin->Webhooks; needs Mike's go to build).
|
||||||
- Research subagents (resumable): scan-endpoint finder `af59ee58a2ba28282`; EDR API research `ab14b157f92f91d49`.
|
- Research subagents (resumable): scan-endpoint finder `af59ee58a2ba28282`; EDR API research `ab14b157f92f91d49`.
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Update: 20:23 PT — code-review fixes applied + AV/EDR detection->reporting proven
|
||||||
|
|
||||||
|
### Session Summary
|
||||||
|
|
||||||
|
Resumed after context clear. Two threads completed: (1) applied the remaining workflow
|
||||||
|
code-review findings to the `datto-edr` skill and committed; (2) ran a full
|
||||||
|
detection->reporting test on RMM-TEST-MACHINE that ended up proving BOTH the Datto AV and
|
||||||
|
the Datto EDR engines detect and report correctly through the skill.
|
||||||
|
|
||||||
|
Applied the 6 still-pending review fixes (the first 4 were done pre-clear): deploy-cmd now
|
||||||
|
requires explicit `--regkey` or `--group` (no more auto-picking an arbitrary cross-client
|
||||||
|
key); `raw` blocks a POST to any `*/scan` endpoint with no non-empty `where` (same
|
||||||
|
tenant-wide footgun the `scan` cmd guards); `main()` got a catch-all that surfaces + logs
|
||||||
|
unexpected exceptions (and a clean KeyboardInterrupt=130); `isolate` extension match is now
|
||||||
|
forgiving (exact->substring, excludes the paired "Restore", errors on ambiguity);
|
||||||
|
`detections --site` renamed `--target-group` (Alert.targetGroupId is a scan-target id, not a
|
||||||
|
Location id); `_t_status` relabel "Target groups (sites)"->"Scan target groups". SKILL.md +
|
||||||
|
docstrings updated. py_compile clean, selftest green (216 agents), guards fire on
|
||||||
|
no-key/empty-where/no-agent, deploy-cmd --group picks the group's own key. Committed `79bda6f`.
|
||||||
|
|
||||||
|
Detection test: discovered the test EDR agent is NOT EDR-only (the prior resume note was
|
||||||
|
wrong) -- `dattoAvEnabled=true`, Datto AV engine ready, Defender disabled. Pushed EICAR to
|
||||||
|
the box via /rmm; Datto AV auto-quarantined it within ~1-2 min and raised a high-sev alert
|
||||||
|
(`sourceType: av`, `Eicar-Test-Signature`, responseData quarantine-file), which surfaced
|
||||||
|
correctly through `edr.py detection`/`detections`. That proved AV detect->respond->report
|
||||||
|
end-to-end. The skill's `scan`/`task`/`cancel` were all exercised.
|
||||||
|
|
||||||
|
To isolate the EDR engine specifically, first tried a behavioral artifact (Run-key +
|
||||||
|
scheduled task launching hidden encoded PowerShell, benign payload, no AV disable). The EDR
|
||||||
|
forensic scan collected it but scored it BENIGN -> no alert: Datto EDR alerts on
|
||||||
|
reputation/threat-intel, not structure. Per Howard's "if that doesn't work then disable AV",
|
||||||
|
moved to AV suppression. The AV is tamper-protected (can't stop EndpointProtectionService2
|
||||||
|
from the endpoint); Howard disabled Datto AV in the attached console policy (uninstalls the
|
||||||
|
AV component) and then disabled Defender (which had auto-reactivated). With both AVs out and
|
||||||
|
EICAR wired as the executable of a Run-key + scheduled task, the Datto EDR forensic scan
|
||||||
|
detected it: high-sev alert `9e9b6e7d`, `eicar.exe`, `sourceType: rule`, "Generic Malware
|
||||||
|
(Reputation - High Severity)". Both AV and EDR detections render correctly via the skill.
|
||||||
|
Cleaned up all on-box artifacts and restored Defender RTP.
|
||||||
|
|
||||||
|
### Key Decisions
|
||||||
|
- Kept the test fixtures (EDR agent `b98b3ba0`, group `c3ba0672`, key `tstrmm7053`) as a
|
||||||
|
standing test endpoint, per Howard's earlier lean.
|
||||||
|
- Used a behavioral artifact (no AV disable) as the first EDR-isolation attempt; only
|
||||||
|
escalated to AV suppression when it produced no EDR alert.
|
||||||
|
- Refused to brute-force tamper-protected AV from the endpoint (kill protected process /
|
||||||
|
disable minifilter / reboot) -- too likely to break the managed AV. Used the supported
|
||||||
|
console-policy path (Howard-driven) instead.
|
||||||
|
- Build EICAR from char codes (not a literal) once Defender was in play -- Defender AMSI
|
||||||
|
blocks any PowerShell script containing the literal EICAR string.
|
||||||
|
|
||||||
|
### Problems Encountered
|
||||||
|
- `/tmp` read-back mismatch again (Git-Bash vs Python) -- switched to repo-relative scratch.
|
||||||
|
Logged friction.
|
||||||
|
- `edr.py agent <8charid>` returned HTTP 500 -- the API needs the full UUID; resolved by id
|
||||||
|
prefix match client-side over the 216-agent list.
|
||||||
|
- Disabling Datto AV in policy made Windows Defender auto-reactivate (Security Center) ->
|
||||||
|
Defender then quarantined EICAR and AMSI-blocked the dropper script. Fixed by Howard
|
||||||
|
disabling Defender + building EICAR from char codes.
|
||||||
|
- Service-state sync lag: platform `dattoAvEnabled` flipped False at the console first; the
|
||||||
|
on-box AV uninstall completed a few minutes later.
|
||||||
|
|
||||||
|
### Configuration Changes
|
||||||
|
- `.claude/skills/datto-edr/scripts/edr.py`, `edr_client.py`, `SKILL.md` -- review fixes (commit `79bda6f`).
|
||||||
|
- `.claude/memory/reference_datto_edr_detection_behavior.md` (new) + `MEMORY.md` index line.
|
||||||
|
|
||||||
|
### Verified Facts (this update)
|
||||||
|
- Alert `sourceType`: `av` = Datto AV signature; `rule` = Datto EDR reputation detection. Both
|
||||||
|
land in `Alerts`, both surface via `edr.py detections`.
|
||||||
|
- Datto EDR forensic scan surveys execution/persistence artifacts (autostarts, processes,
|
||||||
|
modules, etc.) + reputation-checks their hashes; it does NOT scan loose files on disk. Wire a
|
||||||
|
known-bad file as an autostart's executable to trip it.
|
||||||
|
- Canonical EICAR SHA256 (as written): `275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F`.
|
||||||
|
- AV is tamper-protected: `Stop-Service EndpointProtectionService2 -Force` is refused; supported
|
||||||
|
disable is console policy only (like Syncro RMM policy).
|
||||||
|
|
||||||
|
### Test artifacts / alerts (left in place)
|
||||||
|
- EDR alert `9e9b6e7d` (eicar.exe, rule) + AV alert `269ab552` (eicar_edrtest.com, av) remain in
|
||||||
|
the console as test records -- Howard to archive if desired.
|
||||||
|
- On-box: all removed (EICAR file, Run-key `EDRTestEicar`, scheduled task `EDRTestEicar`).
|
||||||
|
|
||||||
|
### Pending / Action
|
||||||
|
- **Howard: re-enable Datto AV in the console policy** for RMM-TEST-MACHINE (currently on
|
||||||
|
Defender RTP as interim protection; AV component was uninstalled by the policy disable).
|
||||||
|
|
||||||
|
### Reference Information
|
||||||
|
- Test EDR agent `b98b3ba0-5f82-466f-911a-5a6b24cdbae7` (hostname rmm-test-machine), RMM agent
|
||||||
|
`99d6d692-99e0-4359-9f9c-f43be89f49e5`, group `[TEST] RMM-TEST-MACHINE` `c3ba0672-...`, org ACG
|
||||||
|
`ac78844a-2d44-4c10-acc8-c9bcb6106346`. AV install path `C:\Program Files\infocyte\agent\dattoav\`.
|
||||||
|
- Commit `79bda6f` datto-edr code-review fixes.
|
||||||
|
|||||||
Reference in New Issue
Block a user