V4 Troubleshooting FAQ
...

How Probe Agent Scans Remote Assets

  • Windows - It attempts to use the Admin SMB share to send a small executable called the dissolvable agent that it then runs on the remote machine to fetch the details.

  • Active Directory - If Active Directory Credentials are provided to the Probe Agent under Discovery Settings, it uses SMB communication to fetch information from remote assets.

  • Linux - requires the latest installation of NMAP; uses SSH credentials and Linux commands to determine what is running

  • Network Devices - Uses SNMP to discover the sysObjectID, look up the version of the device, and then query the vulnerabilities for the version. It also connects to OEM APIs to get the vulnerability details.

  • You can discover multiple subnets using a single Probe Agent by setting up the address type(s).

    • CIDR > Example: 192.168.1.0/24

    • IP Range > Example: 192.168.1.0-192.168.1.100

    • Static IP > Example: 192.168.1.1

  • Network scanning involves detecting all active hosts on a network and mapping them to their IP addresses.

  • Port scanning refers to the process of sending packets to specific ports on a host and analyzing the responses to learn details about its running services or locate potential vulnerabilities.
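The three address types above (CIDR, IP range, static IP) each expand to a different set of hosts before a scan starts. The following is an added example, not code from the original page or from ConnectSecure, that expands one or more entries into the host list a probe would walk, de-duplicates overlapping entries, and refuses an entry that would expand beyond a constructed safety limit (the limit and the function names are assumptions for the example).

```python
import ipaddress

# Constructed safety limit for one entry (not a ConnectSecure setting), so a typo
# such as "10.0.0.0/8" is rejected instead of expanding to 16 million hosts.
MAX_HOSTS_PER_ENTRY = 65536


def expand_discovery_target(target, max_hosts=MAX_HOSTS_PER_ENTRY):
    """Expand one discovery-settings entry into an ordered list of address strings.

    Supports the three address types from the FAQ:
      CIDR       "192.168.1.0/24"  -> all 256 addresses (nmap treats a /24 the same way)
      IP range   "192.168.1.0-192.168.1.100"
      Static IP  "192.168.1.1"
    """
    target = target.strip()
    if "/" in target:
        net = ipaddress.ip_network(target, strict=False)
        if net.num_addresses > max_hosts:
            raise ValueError(f"{target} expands to {net.num_addresses} hosts, above the limit")
        return [str(a) for a in net]
    if "-" in target:
        start_s, end_s = target.split("-", 1)
        start = ipaddress.ip_address(start_s.strip())
        end = ipaddress.ip_address(end_s.strip())
        if start.version != end.version or end < start:
            raise ValueError(f"invalid range: {target}")
        count = int(end) - int(start) + 1
        if count > max_hosts:
            raise ValueError(f"{target} expands to {count} hosts, above the limit")
        # type(start)(i) keeps the address family of the range (IPv4 or IPv6)
        return [str(type(start)(i)) for i in range(int(start), int(end) + 1)]
    return [str(ipaddress.ip_address(target))]


def expand_discovery_targets(targets, max_hosts=MAX_HOSTS_PER_ENTRY):
    """Expand several entries, dropping duplicates while keeping first-seen order."""
    seen, hosts = set(), []
    for entry in targets:
        for host in expand_discovery_target(entry, max_hosts):
            if host not in seen:
                seen.add(host)
                hosts.append(host)
    return hosts
```

The limit check matters because a probe with a mistyped prefix length will happily sweep an enormous range, which both wastes the scan window and looks like hostile scanning to whatever is watching the network.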

Methods of Network Scanning for Host Discovery

Host discovery, the process of determining what systems on a network are up and listening, is often the first step in a hostile network scanning action. Two protocols are most commonly used for host discovery: Address Resolution Protocol (ARP) scans and several types of Internet Control Message Protocol (ICMP) scans.

Since individual ARP requests are used to map IP addresses to MAC addresses on a local subnet, ARP requests can be sent out to many IP addresses on a Local Area Network (LAN) to determine which hosts are up based on the ones that respond with an ARP reply.

For network scanning outside of a local subnet, several types of ICMP packets can be used instead, including echo, timestamp, and address mask requests. Echo (or ping) requests are used to detect if another host can be reached, while timestamp messages determine the latency between two hosts. Address mask requests are intended to discover the subnet mask in use on the network.

Host discovery for each ICMP message type depends on receiving a corresponding reply from available hosts. If no response is received, it means either that there is no host listening at that address, that the request packet was blocked by a firewall or packet filter, or that the message type isn't supported by the destination device. ICMP echo requests that originate outside an internal network are commonly blocked by firewalls, but timestamp and address mask requests are less likely to be blocked.

Methods of Port Scanning

Once available hosts on a network have been found via network scanning, port scanning can be used to discover the services in use on specific ports. In general, port scanning attempts to classify ports into one of three designations:

  • Open: the destination responds with a packet indicating it is listening on that port, which also indicates that whatever service was used for the scan (commonly TCP or UDP) is in use as well

  • Closed: the destination received the request packet but responded with a reply indicating that there is no service listening at the port

  • Filtered: the port might be open, but the packet has been filtered out by a firewall and dropped, so no reply is received

Types of TCP Scans

As previously mentioned, TCP and UDP are frequently the protocols used in port scanning. There are several methods of performing TCP scans:

SYN scans, the most common form of TCP scanning, involve establishing a half-open connection to the target port by sending a SYN packet and evaluating the response. The host replies by sending a SYN/ACK packet if the port is open or a RST response if the port is closed. It is also possible for a closed port to reply with an ICMP port unreachable message instead of a RST packet, though this is less common. A lack of any reply indicates that the port is filtered.

A higher level method of TCP scanning is the TCP connect scan, in which the scanner tries to connect to a port via TCP using the connect system call and the full TCP handshake process. This method is utilized less often than SYN scanning, since it requires more overhead in terms of packets and time and is more easily detectable.

NULL, FIN, and Xmas scans are three scan types that involve manipulating TCP header flags. Each of them results in a RST (or ICMP port unreachable) packet from a closed port and no response from an open or filtered port, and they require that the SYN, RST, and ACK bits are not set. NULL scans send packets with no flags set in their headers, while FIN scans have only the FIN bit set.
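The scan types above have a defender-side mirror image: a SYN sweep shows up as one source sending bare SYNs to many distinct ports in a short window, and NULL, FIN and Xmas probes show up as flag combinations no ordinary TCP stack emits. The detector below is an added example, not part of the original page or of the ConnectSecure product; it runs over constructed log lines in a made-up key=value shape (the format, the sample addresses, the window and the port threshold are all assumptions for the example).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a made-up key=value shape (not any product's real log format).
# 10.0.0.5 probes six ports with bare SYNs; 10.0.0.7 completes a normal handshake;
# 10.0.0.9 sends NULL, Xmas and FIN probes to port 22.
SAMPLE_LOG = """\
2024-08-05T10:00:01Z src=10.0.0.5 dst=10.0.0.20 dport=22 flags=S
2024-08-05T10:00:01Z src=10.0.0.5 dst=10.0.0.20 dport=80 flags=S
2024-08-05T10:00:01Z src=10.0.0.5 dst=10.0.0.20 dport=443 flags=S
2024-08-05T10:00:02Z src=10.0.0.5 dst=10.0.0.20 dport=3389 flags=S
2024-08-05T10:00:02Z src=10.0.0.5 dst=10.0.0.20 dport=445 flags=S
2024-08-05T10:00:02Z src=10.0.0.5 dst=10.0.0.20 dport=8080 flags=S
2024-08-05T10:00:03Z src=10.0.0.7 dst=10.0.0.20 dport=443 flags=S
2024-08-05T10:00:03Z src=10.0.0.7 dst=10.0.0.20 dport=443 flags=A
2024-08-05T10:00:04Z src=10.0.0.9 dst=10.0.0.20 dport=22 flags=
2024-08-05T10:00:04Z src=10.0.0.9 dst=10.0.0.20 dport=22 flags=FPU
2024-08-05T10:00:05Z src=10.0.0.9 dst=10.0.0.20 dport=22 flags=F
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) flags=(?P<flags>[A-Z]*)$"
)


def classify_flags(flags):
    """Map a TCP flag string (letters S, A, F, P, U, R) to the scan type it resembles."""
    f = set(flags)
    if not f:
        return "NULL"          # no flags at all
    if f == {"F"}:
        return "FIN"           # only FIN set
    if f == {"F", "P", "U"}:
        return "XMAS"          # FIN+PSH+URG "lit up"
    if f == {"S"}:
        return "SYN"           # first half of a handshake, or a SYN scan
    return None                # ordinary traffic (ACK, SYN/ACK, RST, ...)


def parse_lines(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not in the expected shape
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["dst"], int(m["dport"]), m["flags"]))
    return events


def detect_scans(text, window_seconds=10, port_threshold=5):
    """Return findings: one per (src, dst) SYN sweep and one per NULL/FIN/Xmas probe."""
    findings = []
    syn_history = defaultdict(list)   # (src, dst) -> [(ts, dport), ...] inside the window
    syn_findings = {}
    for ts, src, dst, dport, flags in sorted(parse_lines(text)):
        kind = classify_flags(flags)
        if kind in ("NULL", "FIN", "XMAS"):
            # Legitimate stacks never emit these combinations: report every one.
            findings.append({"src": src, "dst": dst, "dport": dport, "type": kind.lower() + "_probe"})
            continue
        if kind != "SYN":
            continue
        hist = syn_history[(src, dst)]
        hist.append((ts, dport))
        cutoff = ts - timedelta(seconds=window_seconds)
        hist[:] = [(t, p) for t, p in hist if t >= cutoff]
        distinct = {p for _, p in hist}
        if len(distinct) >= port_threshold:
            finding = syn_findings.get((src, dst))
            if finding is None:
                finding = {"src": src, "dst": dst, "type": "syn_scan", "ports": 0}
                syn_findings[(src, dst)] = finding
                findings.append(finding)
            finding["ports"] = max(finding["ports"], len(distinct))
    return findings
```

A probe agent doing its job will trip the SYN rule by design, so in practice the probe's own address is allow-listed and the rule is tuned to catch everyone else doing the same thing.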

Probe Agent Minimum Requirements

  • CPU: 4-core

  • DISK: 100GB SSD

  • RAM: 4GB for first 1000 assets and 1GB for every 500 assets added

  • Network access to any subnets to be scanned based on mapped discovery settings

  • The latest version of NPCAP (may require uninstalling the previous/older version of NPCAP to convert from LWA to Probe)

  • Linux requires the latest NMAP installed

  • MacOS requires the latest NMAP installed

Credentials Used (Least Privilege)

Validation Methods

You can validate the credentials from the probe agent machine; check out the guide:

https://cybercns.atlassian.net/wiki/spaces/CVB/pages/2175271274/Internal+Support+FAQ#Windows-Asset-Credential-Scan-Issues-(SMB)

...

Checking Logs and Default Installation Paths

The default installation path:

Windows: C:\Program Files (x86)\CyberCNSAgent

MacOS/Linux: /opt/CyberCNSAgent

The default path for the logs:

Windows: C:\Program Files (x86)\CyberCNSAgent\logs

MacOS/Linux: /opt/CyberCNSAgent/logs

The default log files:

  • cybercns.log (main)

  • cybercns_monitor.log

  • cyberpatch.log (patching)

...

Probe Agent Not Detecting Assets

Step-1:-
Stop the agent service

Open PowerShell as an administrator

net stop cybercnsagent

net stop cybercnsagentmonitor

Step-2:-

Uninstall the Npcap driver from Installed Programs.

Install the latest Npcap OEM version from our agent folder, "C:\Program Files (x86)\CyberCNSAgent\nmap"

Step-3:-

Start the agent service

net start cybercnsagent

net start cybercnsagentmonitor

REF: https://cybercns.freshdesk.com/a/tickets/50291

...

Bitdefender Blocking PowerShell

Please follow these steps to whitelist the directory:

Step 1: Log in to Bitdefender GravityZone
Go to the Bitdefender GravityZone Control Center and log in with your credentials.
Step 2: Navigate to the Policies Section
On the left-hand menu, click on “Policies.”
Select the policy that applies to the endpoints where the directory needs to be whitelisted.
Step 3: Add Directory Exclusion
In the policy settings, click on “Antivirus.”
Scroll down to the “Exclusions” section.
Click on “Add” to create a new exclusion.
Step 4: Configure the Directory Exclusion
Exclusion Type: Choose “Folder” as the exclusion type.
Path: Enter the full path to the directory you want to exclude (e.g., 'C:\Program Files (x86)\CyberCNSAgent\').
Description: Optionally, provide a description for the exclusion for easier management.
Step 5: Set the Exclusion Scope
Define the scope of the exclusion, such as whether it applies to on-access scanning, on-demand scanning, or both.
Click “Save” to apply the exclusion.
Step 6: Verify the Exclusion
After applying the changes, test on an endpoint to ensure that the directory is no longer being scanned or flagged by Bitdefender.
Reference
You can refer to the detailed guide on adding exclusions in Bitdefender GravityZone by visiting this link:
https://www.bitdefender.com/consumer/support/answer/13427/

REF: https://cybercns.freshdesk.com/a/tickets/49777

...

Credentials Not Available for Scan Error

If any asset(s) fail due to invalid credentials, we display the message ‘Credentials Not Available For Scan’ at the asset details screen as shown below:

...

We have included the following platform checks here:

  • VMWare

  • Network Device

  • Linux

  • Windows

  • Darwin

  • MAC

  • Linux-based OS

  • Ubuntu

  • NetBSD

  • FreeBSD

  • Linux Kernel

  • Debian

  • Debian Linux

  • RHEL

  • Red Hat

  • CentOS

  • Fedora

Add Credentials

Tap on the key icon in the asset details screen for any probe-discovered asset to add credentials directly against the asset instead of having credentials mapped to the probe itself.

...

...

Add Microsoft Edge and Teams to Patching

...

Ref : https://cybercns.freshdesk.com/a/tickets/53913

...

Patching Errors and Troubleshooting

Memory Issues

If an asset does not have enough memory an error may appear in logs:

...

How To Check Installed Software for Linux using OSQUERY

Info

We have this same info for Windows here How To: Use OSQuery to Validate Installed Software

For Linux based assets use the steps below. In this example, I am searching for a program called Thunderbird.

Open Terminal

Navigate to the below path

cd /opt/CyberCNSAgent/

Run the osqueryi

sudo ./osqueryi_linux

Execute the queries below

SELECT name,name as full_name,version,arch,release,source as install_source from deb_packages where name like "%thunder%";

SELECT name,name as full_name,version,arch,release,source as install_source from rpm_packages where name like "%thunder%";

Share this output with the support team

...

Remediated Vulnerabilities Still Showing in the Portal

  1. Make sure a recent scan has been completed

  2. Use the OSQUERY to determine application details

How To: Use OSQuery to Validate Installed Software

Info

NOTE: If both the old and new versions are present in the osqueryi output, follow these steps to clear the data. This issue could be caused by an incomplete removal of the application. If the installation location is still present, the information will be further analyzed and reported. Since there is no installed location or source path, only the uninstall string is available. This issue could be resolved by clearing the registry information.

How To: Search Registry for Uninstall Strings
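The two osquery queries above, and the note about an old and a new version both appearing in the osqueryi output, can be scripted rather than read by eye. The following is an added example, not code from the original page or from ConnectSecure: it builds the FAQ's query for each package table, runs it through the agent's osqueryi with --json output (the osqueryi path is the one the FAQ gives; that it is invoked with --json is a standard osqueryi flag), and reports any package that is registered under more than one version. The sample JSON is constructed so the parsing part runs offline.

```python
import json
import re
import subprocess
from collections import defaultdict

# Constructed sample of what `osqueryi --json` prints for the deb_packages query
# on a host where an old and a new Thunderbird build are both still registered.
SAMPLE_OSQUERY_JSON = json.dumps([
    {"name": "thunderbird", "full_name": "thunderbird",
     "version": "1:115.12.0+build1-0ubuntu0.22.04.1", "arch": "amd64",
     "release": "", "install_source": "thunderbird"},
    {"name": "thunderbird", "full_name": "thunderbird",
     "version": "1:102.15.1+build1-0ubuntu0.22.04.1", "arch": "amd64",
     "release": "", "install_source": "thunderbird"},
    {"name": "thunderbird-locale-en", "full_name": "thunderbird-locale-en",
     "version": "1:115.12.0+build1-0ubuntu0.22.04.1", "arch": "amd64",
     "release": "", "install_source": "thunderbird"},
])

TABLES = ("deb_packages", "rpm_packages")
QUERY_TEMPLATE = ("SELECT name, name AS full_name, version, arch, release, "
                  "source AS install_source FROM {table} WHERE name LIKE '{pattern}'")


def build_query(table, pattern):
    """Build the FAQ's query for one package table. The pattern is limited to
    package-name characters plus LIKE wildcards so it cannot break out of the literal."""
    if table not in TABLES:
        raise ValueError(f"unknown table {table!r}")
    if not re.fullmatch(r"[A-Za-z0-9._+%-]+", pattern):
        raise ValueError(f"pattern {pattern!r} contains characters outside a package name")
    return QUERY_TEMPLATE.format(table=table, pattern=pattern)


def versions_by_package(rows):
    by_name = defaultdict(set)
    for row in rows:
        by_name[row["name"]].add(row["version"])
    return {name: sorted(v) for name, v in by_name.items()}


def packages_with_multiple_versions(rows):
    """Packages present under more than one version: the 'old and new both present'
    case that keeps a remediated vulnerability showing in the portal."""
    return {n: v for n, v in versions_by_package(rows).items() if len(v) > 1}


def query_installed(pattern, osqueryi_path="/opt/CyberCNSAgent/osqueryi_linux"):
    """Run both package queries through the agent's osqueryi (needs root, as in the
    FAQ) and return the parsed rows. On a Debian host the rpm table is simply empty."""
    rows = []
    for table in TABLES:
        proc = subprocess.run(
            [osqueryi_path, "--json", build_query(table, pattern)],
            capture_output=True, text=True, check=True,
        )
        rows.extend(json.loads(proc.stdout or "[]"))
    return rows
```

A typical call is packages_with_multiple_versions(query_installed("%thunder%")); an empty result means the package database agrees with the portal's expectation and the next thing to check is whether a recent scan has actually completed.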

...

Scan Issues

SNMP Scan Issues

Solution 1: For Version 1 and Version 2 

  1. Download the file using the link below
    https://betadev.mycybercns.com/agents/net-snmp-5.5.0-2.x64.exe 

  2. Open PowerShell as administrator

  3. Navigate to the download location and run the below command
    --> Start-Process net-snmp-5.5.0-2.x64.exe

  4. Follow the installation steps and install snmpwalk

  5. Run the below commands in PowerShell and share the output with us.
    --> snmpwalk -v1 -c snmpstring targetIP
    for example, snmpwalk -v1 -c public 192.168.0.1
    --> snmpwalk -v2c -c snmpstring targetIP
    for example, snmpwalk -v2c -c public 192.168.0.1

...

Solution 2: All 3 versions of SNMP 

Here are the troubleshooting steps for validating SNMP communication in PowerShell:

  1. Download the validation tool from the provided link:
    https://betadev.mycybercns.com/agents/snmp/validatesnmp.exe 

  2. Run PowerShell as Administrator: 

  3. Navigate to the folder where the downloaded file is located. 

  4. Execute the validation command:

For SNMP version 1:
.\validatesnmp.exe -version 1 -community_string <string> -ip <targetip> 

For SNMP version 2:
.\validatesnmp.exe -version 2 -community_string <string> -ip <targetip> 

For SNMP version 3:
.\validatesnmp.exe -version 3 -security_name <username> -auth_protocal <auth_protocol> -auth_password <auth_password> -privacy_protocol <priv_protocol> -privacy_password <priv_password> -ip <targetip> 

Replace <string> with the SNMP community string for SNMP v1 or v2, <targetip> with the IP address of the target device, <username> with the SNMPv3 security name (username), <auth_protocol> with the authentication protocol (e.g., MD5 or SHA), <auth_password> with the authentication password, <priv_protocol> with the privacy protocol (e.g., AES or DES), and <priv_password> with the privacy password. 

...

Windows Asset Credential Scan Issues (SMB)

You can validate the credentials from the probe agent machine by following the below steps: 

  1. Download validatesmb.exe from the link below.
    https://betadev.mycybercns.com/agents/validatesmb/validatesmb.exe 

  2. Run the Command

  3. Open PowerShell as an administrator

  4. Navigate to the location of the file and run the appropriate command based on your asset type: 

For a Domain Asset: 

 .\validatesmb.exe validatesmb <IP> <domain(FQDN)> <user> <password> 
Sample: .\validatesmb.exe validatesmb 10.0.0.202 hash.local admin cc@#$123ns 

For a Workgroup Asset: 

 
.\validatesmb.exe validatesmb <IP> '""' <user> <password> 
Sample: 
.\validatesmb.exe validatesmb 10.0.0.202 '""' trator cc@#$123ns 

If the Validate SMB check fails, you can verify access using the Run window on the agent machine. Open Windows Run, enter the remote asset's admin$ share in the form \\<IP address>\admin$, press Enter, and verify that you can access it. When prompted for credentials, enter the valid credentials. 

for e.g. \\192.168.1.1\admin$ 

...

Active Directory AD Scan Issues

Ensure correct information is added, such as:

  1. The IP address in the DC name to avoid any DNS lookup issues

  2. FQDN in the domain name and the username without a domain or ".\" 

...

NMAP Requirements for Linux and MAC

Step 1: wget https://nmap.org/dist/nmap-7.95-2.x86_64.rpm
Step 2: sudo apt-get install alien
Step 3: sudo alien nmap-7.95-2.x86_64.rpm
Step 4: sudo dpkg --install nmap_7.95-3_amd64.deb

...

NMAP Scan Issues

If the nmap is not determining any assets, follow the below steps to troubleshoot:

  1. Open the command prompt as an administrator on the agent machine. 

  2. Navigate to the CyberCNS agent folder cd "C:\Program Files (x86)\CyberCNSAgent\nmap" 

  3. Run the nmap command 

.\nmap.exe --privileged -sV -T3 --min-parallelism 100 --max-parallelism 255 -script-timeout 1500000ms --top-ports 3000 -Pn --host-timeout 1900000ms --max-hostgroup 64 --min-hostgroup 30 --max-retries 2 --max-rtt-timeout 200000ms --exclude-ports 9100-9120,515,6101,631,59100,10001,9400,9500,9999,1058,721-731,1023,2000,2501,2503,3001,6869 --script auth,vuln,discovery,safe,ssl* <targetIP-range> 

Info

Note: Please update the <targetIP-range> with the IP range that you are scanning and share with us the printed output by emailing to support@connectsecure.com or attaching to an open ticket

Sample command: 

.\nmap.exe --privileged -sV -T3 --min-parallelism 100 --max-parallelism 255 -script-timeout 1500000ms --top-ports 3000 -Pn --host-timeout 1900000ms --max-hostgroup 64 --min-hostgroup 30 --max-retries 2 --max-rtt-timeout 200000ms --exclude-ports 9100-9120,515,6101,631,59100,10001,9400,9500,9999,1058,721-731,1023,2000,2501,2503,3001,6869 --script auth,vuln,discovery,safe,ssl* 192.168.1.1/24 

...

Firewall Scan - Error Connecting to Server

If you encounter a firewall scan error when connecting to the server, it may be due to a communication problem or a bad username and password. Please verify that the firewall is reachable from the Probe agent machine via SSH or API. 

...

AD Audit Scan Issues / Alerts Not Running

Run the script below 

ActiveDirectory_AuditEnable_GPO-Policy.zip 

Modify a user/computer/security group and verify if alerts are coming correctly. 

...

Pending Jobs Issues - Force Stop Pending Jobs and Update Agent

Please follow the steps below on the agent machine to force-stop all pending jobs and ensure that new jobs are triggered immediately.

Step-1: Download and copy the file in the agent folder

https://agentv3.myconnectsecure.com/agentcheck.exe

Step-2: Stop the agent service by executing the powershell command

net stop cybercnsagent

net stop cybercnsagentmonitor

Step-3: Delete the data from the pendingjobqueue directory located in the agent folder "C:\Program Files (x86)\CyberCNSAgent"
Step-4: navigate to the agent folder and execute the agent check
cd "C:\Program Files (x86)\CyberCNSAgent"

.\agentcheck.exe

Step-5: Start the agent service and then initiate the Validate Credentials scan
net start cybercnsagent

net start cybercnsagentmonitor

...

ARM Shell Script - 32bit ARM Agent Upgrade

Steps to run the script:

  1. Login to the arm machine.

  2. run command - sudo su

  3. Copy the script sh file to the arm machine.

  4. run command - ./update_arm.sh

Attachment: update_arm.sh

...

Verify / Validate SNMP Creds

To verify SNMP credentials, follow these steps:

  1. Download the SNMP validation executable from the following link:
    https://betadev.mycybercns.com/agents/yohan/UtilityCompile/sample/cybercnsagent_linux_snmp_validation

  2. Copy the downloaded executable into the agent path: /opt/CyberCNSAgent/

  3. Open a terminal and navigate to the agent directory: /opt/CyberCNSAgent/

  4. Give the downloaded file execute permission: chmod +x cybercnsagent_linux_snmp_validation

  5. Run the executable using the following command:
    ./cybercnsagent_linux_snmp_validation <Target IP Address> <Community String>

If you receive data in the terminal, the credentials are valid. If no data appears, the credentials are invalid.

Or use the validate creds scanning

...

Ref: https://cybercns.freshdesk.com/a/tickets/50646

...

Validate Linux Probe Connection Using SNMP

  1. Install the SNMP tool.

sudo apt update
sudo apt install snmp snmp-mibs-downloader

  2. Run the below command in the terminal and share the output with us.
    snmpwalk -v1 -c snmpstring targetIP
    for example, snmpwalk -v1 -c public 192.168.0.1
    snmpwalk -v2c -c snmpstring targetIP
    for example, snmpwalk -v2c -c public 192.168.0.1

...

Dependencies for C++ and .NET Libraries

Many partners face problems and vulnerabilities in and around the Microsoft C++ and .NET framework libraries, which can be hard to track down and remove.

To identify and remove orphaned libraries, you can use tools like Dependency Walker for C++ and Assembly Binding Log Viewer for .NET to determine which libraries your applications use.

Tracking dependencies can be facilitated by tools such as NDepend or ReSharper for .NET, as well as static analysis tools like CppDepend for C++.

Once you have a clear picture of the dependencies, you can safely remove the libraries that are not in use.

...

Threatlocker: Ringfencing Blocking Patching

Ringfencing in ThreatLocker blocks PowerShell scripts that try to reach unknown IPs/FQDNs, so adding them to an allow list in ThreatLocker was necessary.

...

Bitdefender Total Security - Firewall Settings to Allow Patching

From the Protection Features menu, tap on Protection > Firewall Settings

...

Enable the ‘connectsecurepatch.exe’ to allow the patching executable

...

allow the patching executable

...

Firewalls: Sophos XG

Make sure the ‘API Configuration’ checkbox is enabled under the System > Backup & Firmware > API section

...

Azure SQL Server False Positive(s)

Detection based on NMAP

  1. Open PowerShell as Administrator

  2. Navigate to the agent NMAP folder

...

Share the results of this to our support team!

...

Validation for Mapped Credentials

Validation of mapped credentials can be performed from the portal itself, and the results can be viewed in cyberutilities.log located in "C:\Program Files (x86)\CyberCNSAgent\logs".

...

  1. Select the Validate Credential scan type and click on save 

...

Verify Windows Default Application Version Issue

Use the below command

Get-AppxPackage -AllUsers | Where-Object {$_.Name -Like "appName"} 

Sample: Get-AppxPackage -AllUsers | Where-Object {$_.Name -Like "Microsoft.Microsoft3DViewer"} 

...

Enable SMB in Remote Host for Probe to Assess OS and Application Vulnerabilities

Run the below command on the reported host and initiate a scan.

...

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f 

...

Vulnerabilities for Browser Extension Program

To determine the issue with the browser extension, the query below can be executed in osqueryi: 

...

SELECT name, browser_type, version, path, sha1(name||path) AS unique_id FROM chrome_extensions WHERE chrome_extensions.uid IN (SELECT uid FROM users) GROUP BY unique_id;

...

V4 API General Information

V4 API Postman Collection

ConnectSecure API.postman_collection.json 

...

Prerequisites for General Scanning and Patching

Check out our full guide here: Agent Configurations

Create an exception for the ConnectSecure primary executables and dependencies in the agent installation folder.

...

  • connectsecurepatch.exe 

  • cybercnsagent.exe 

  • cybercnsagent_arm 

  • cybercnsagent_darwin 

  • cybercnsagent_linux 

  • cybercnsagentmonitor.exe 

  • cyberutilities.exe 

  • firewall_configs.zip 

  • main.ps1 

  • nmap.zip 

  • osqueryi.exe 

  • osqueryi_darwin 

  • osqueryi_arm 

  • osqueryi_linux 

  • scripts.zip 

  • vcruntime140.dll 

...

TLS 1.0 Vulnerability False Positive

  1. Open PowerShell as an administrator on the reported agent machine

  2. Navigate to the Agent NMAP folder
    cd C:\Program Files (x86)\CyberCNSAgent\nmap\

  3. Run the below NMAP command
    .\nmap.exe --script ssl-enum-ciphers -p 3389 <Target_IP>

Capture that output and share it with our engineering teams.
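Reading the ssl-enum-ciphers output decides whether the TLS 1.0 finding is real: a genuine exposure lists a TLSv1.0 block with cipher suites, while a false positive lists only newer protocol versions. The parser below is an added example, not code from the original page or from ConnectSecure; the two sample outputs are constructed in the shape the nmap script prints (the cipher names and grades are illustrative), and the verdict strings are the example's own.

```python
import re

# Constructed samples in the shape nmap's ssl-enum-ciphers script prints;
# the first host offers only TLS 1.2, the second also offers TLS 1.0.
SAMPLE_TLS12_ONLY = """\
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|     compressors: 
|       NULL
|     cipher preference: server
|_  least strength: A
"""

SAMPLE_TLS10_PRESENT = """\
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server
| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors: 
|       NULL
|     cipher preference: server
|     warnings: 
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp384r1) - A
|     compressors: 
|       NULL
|     cipher preference: server
|_  least strength: C
"""

# A protocol-version header line such as "|   TLSv1.2: "
VERSION_RE = re.compile(r"^\|_?\s*(SSLv3|TLSv1\.[0-3]):\s*$")
# A cipher line such as "|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A"
CIPHER_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+\((.*?)\)\s+-\s+([A-F])\s*$")


def parse_ssl_enum(output):
    """Return {protocol_version: [(cipher_name, grade), ...]} from the script output."""
    versions = {}
    current = None
    for line in output.splitlines():
        m = VERSION_RE.match(line)
        if m:
            current = m.group(1)
            versions[current] = []
            continue
        m = CIPHER_RE.match(line)
        if m and current is not None:
            versions[current].append((m.group(1), m.group(3)))
    return versions


def tls10_offered(output):
    return "TLSv1.0" in parse_ssl_enum(output)


def assess_tls10_finding(output):
    """Turn the scan output into the answer engineering needs for the ticket."""
    versions = parse_ssl_enum(output)
    if not versions:
        return "inconclusive: no ssl-enum-ciphers section (port closed, filtered, or not TLS)"
    if "TLSv1.0" in versions:
        n = len(versions["TLSv1.0"])
        return f"confirmed: TLSv1.0 offered with {n} cipher suites"
    return "false positive: server offers only " + ", ".join(sorted(versions))
```

An "inconclusive" result is worth sending along with the raw output: it usually means the nmap run itself did not reach the port, not that TLS 1.0 is absent.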

...

Microsoft Entra ID Integration Errors

403 Error with

...

CSP Integration

Please make sure that the user for granting consent to the application is part of the Admin Agent Security Group and has the Azure AD legacy MFA enabled.

...

Invalid Resource

Look for AADSTS650057 in the URL.

This error occurs when the client application is trying to access a resource (API or service) that is not included in the application's registered permissions within Azure Active Directory (AAD).

...

Why Default Pre/Installed Patched Applications Still Showing

To verify the Windows default application version issue, the below command can be used:

...

Sample: Get-AppxPackage -AllUsers | Where-Object {$_.Name -Like "Microsoft.Microsoft3DViewer"} 

...

Getting Password Alert/User Login Alerts with Bad Password Attempt

We perform password brute-force attempts with our nmap and SNMP scanning; the list below shows the usernames that are used.

...

Info

NOTE: Any users other than the ones provided in the list above are outside the purview of ConnectSecure and are not detected or supported for alerting.

...

Patched Assets Not Listed

For Windows "KB" security patch-related issues and queries, run the commands below and share the output from the reported machine. 

  1. wmic qfe get HotfixID | findstr /v HotFixID 

  2. $UpdateSession = New-Object -ComObject "Microsoft.Update.Session"; $UpdateSearcher = $UpdateSession.CreateUpdateSearcher(); $Results = $UpdateSearcher.Search("IsInstalled=1"); $updates = ForEach($update in $Results.Updates) {"KB"+[String]$update.KBArticleIDs}; $updates 

  3. Also, please run the below queries in PowerShell as Administrator and share the output with us 
    -> Navigate to CyberCNSAgent folder 
    cd "C:\Program Files (x86)\CyberCNSAgent" 
    -> Run the below command 
    .\osqueryi.exe 

  4. select  CONCAT('KB',replace(split(split(title, 'KB',1),' ',0),')','')) as hotfix_id,description, datetime(date,'unixepoch') as install_date,'' as installed_by,'' as installed_on from windows_update_history where title like '%KB%' group by split(split(title, 'KB',1),' ',0); 

  5. select hotfix_id,description,installed_by,install_date,installed_on from patches group by hotfix_id; 
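The three commands above give three different views of "installed patches": wmic qfe and the osquery patches table both read Win32_QuickFixEngineering, while windows_update_history comes from the Windows Update log and has its KB number embedded in a free-text title, which is what the split/replace expression in the query extracts. The script below is an added example, not code from the original page or from ConnectSecure: it extracts the KB ids from constructed rows of each shape and shows where the lists disagree, skipping titles with no KB reference at all.

```python
import re

KB_RE = re.compile(r"\bKB(\d+)\b")

# Constructed rows in the shape of the osquery windows_update_history and patches
# tables, and constructed `wmic qfe` output, so the comparison runs offline.
SAMPLE_UPDATE_HISTORY = [
    {"title": "2024-07 Cumulative Update for Windows 11 Version 23H2 for x64-based Systems (KB5040442)"},
    {"title": "Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.415.123.0)"},
    {"title": "2024-06 .NET 8.0.6 Security Update for x64 Client (KB5039889)"},
    {"title": "Windows Malicious Software Removal Tool x64 - v5.125 (KB890830)"},
    {"title": "Update for Microsoft Edge"},   # no KB reference at all
]
SAMPLE_PATCHES = [{"hotfix_id": "KB5040442"}, {"hotfix_id": "KB890830"}]
SAMPLE_WMIC_OUTPUT = "KB5040442\nKB890830\nKB5039889\n"


def kb_ids_from_titles(rows):
    """KB ids referenced in update-history titles (the Python equivalent of the
    split/replace expression in the osquery query); titles without a KB are skipped."""
    ids = set()
    for row in rows:
        ids.update("KB" + n for n in KB_RE.findall(row.get("title", "")))
    return ids


def kb_ids_from_patches(rows):
    """hotfix_id column of the osquery patches table, normalised to upper case."""
    return {row["hotfix_id"].strip().upper() for row in rows if row.get("hotfix_id")}


def kb_ids_from_wmic(text):
    """Parse `wmic qfe get HotfixID | findstr /v HotFixID` output: one KB per line."""
    return {line.strip().upper() for line in text.splitlines()
            if line.strip().upper().startswith("KB")}


def compare_sources(history_rows, patches_rows, wmic_text):
    """Show where the three views disagree. Items only in the update history
    (Defender definition updates, for instance) are serviced through Windows Update
    but are not QFE hotfixes, which is one common reason the lists differ."""
    history = kb_ids_from_titles(history_rows)
    patches = kb_ids_from_patches(patches_rows)
    wmic = kb_ids_from_wmic(wmic_text)
    return {
        "history_only": sorted(history - patches),
        "wmic_only": sorted(wmic - patches),
        "all_three": sorted(history & patches & wmic),
    }
```

When the portal and the machine disagree, the "history_only" and "wmic_only" sets are the first place to look: a KB that Windows Update says it installed but that never reached the patches table is exactly the kind of entry that stays listed as missing.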

...

Active Directory Data Not Loading (OU, Users, Computers, GPO)

Please execute the below scripts and send the output for our team to debug:

...

Is Reboot Required?

Run the below script and verify the reboot status:

Validate_reboot_required.ps1 

...

Cyberutilities.log Errors When SMB Not Enabled

The error: "failed to connect to '192.1.0.1:445': [winerror 10060] a connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond"}
2024-08-05 15:38:07,098 INFO smbClient execute_exec 665 SMB scan completed for 192.168.163.62 with status 0 output  err CyberCNS Agent 

Note: For the above error, the customer must enable the SMB protocol on the remote host. 

...

Enable SMB Communication with PowerShell Commands

These commands enable SMB access so that the asset can be scanned successfully.

...

  • reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

...

ConnectSecure V4 Agent Update Script

This script can help with basic troubleshooting when the agent is not showing online and will ensure the CyberCNSAgent.exe is validated and running the latest version.

...

Note

You must replace and update the 'x' with your Company and Tenant ID


...

Error Installing vc_dist.x86.exe

Install the "VC_redist.x86.exe" manually from the cybercns agent folder and verify by initiating the scan once. The file is in "C:\Program Files (x86)\CyberCNSAgent\nmap". 

...

Lightweight Agent Not Converting to Probe- Error Installing npcap.exe

Install the "npcap.exe" manually by downloading it using the link below and verify by initiating the scan once. 

https://npcap.com/dist/npcap-1.79.exe 

...

Error SMB Enabled but Username or Password Invalid

Port 445(SMB):- Error in validating AD Credentials:- response error: The attempted logon is invalid. This is either due to a bad username or authentication information.
Port 636(LDAPS):- LDAP Result Code 200 "Network Error": read tcp 10.0.1.154:50974->10.0.1.153:636: wsarecv: An existing connection was forcibly closed by the remote host.
Port 389(LDAP):- LDAP Result Code 49 "Invalid Credentials": 80090308: LdapErr: DSID-0C09050E, comment: AcceptSecurityContext error, data 52e, v4f7c 
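The cyberutilities.log excerpt above (SMB not enabled) and this credential error look alike at a glance but need different fixes: a winerror 10060 timeout on port 445 means nothing answered, while "logon is invalid" on 445 and LDAP result code 49 with data 52e mean the host answered and rejected the password. The triage function below is an added example, not code from the original page or from ConnectSecure; the rule names and remediation hints are the example's own, and the sample lines are the ones printed in this FAQ.

```python
import re

# Sample lines taken from this FAQ: the two cyberutilities.log lines from the
# "SMB Not Enabled" section and the credential-validation error above.
SAMPLE_LOG_LINES = [
    "The error: \"failed to connect to '192.1.0.1:445': [winerror 10060] a connection attempt "
    "failed because the connected party did not properly respond after a period of time, or "
    "established connection failed because connected host has failed to respond\"}",
    "2024-08-05 15:38:07,098 INFO smbClient execute_exec 665 SMB scan completed for "
    "192.168.163.62 with status 0 output  err CyberCNS Agent",
    "Port 445(SMB):- Error in validating AD Credentials:- response error: The attempted logon "
    "is invalid. This is either due to a bad username or authentication information. "
    "Port 636(LDAPS):- LDAP Result Code 200 \"Network Error\": read tcp "
    "10.0.1.154:50974->10.0.1.153:636: wsarecv: An existing connection was forcibly closed by "
    "the remote host. Port 389(LDAP):- LDAP Result Code 49 \"Invalid Credentials\": 80090308: "
    "LdapErr: DSID-0C09050E, comment: AcceptSecurityContext error, data 52e, v4f7c",
]

# (rule name, pattern, remediation hint). A line may match several rules: the
# credential error above reports three ports in one line.
RULES = [
    ("smb_unreachable",
     re.compile(r"failed to connect to '(?P<target>[\d.]+):445'.*winerror 10060", re.I),
     "Port 445 never answered: enable SMB on the remote host and allow 445 from the probe."),
    ("smb_bad_credentials",
     re.compile(r"Port 445\(SMB\).*?(bad username|logon is invalid)", re.I),
     "SMB is reachable but the logon was rejected: re-check the mapped username and password."),
    ("ldaps_network_error",
     re.compile(r"Port 636\(LDAPS\).*?Result Code 200.*?->(?P<target>[\d.]+):636", re.I),
     "LDAPS connection closed by the DC: check that 636 is listening and its certificate is valid."),
    ("ldap_invalid_credentials",
     re.compile(r"Port 389\(LDAP\).*?Result Code 49.*?data 52e", re.I),
     "LDAP bind failed with 52e (logon failure): the username or password is wrong."),
    ("smb_scan_ok",
     re.compile(r"SMB scan completed for (?P<target>[\d.]+) with status 0", re.I),
     "No action: the SMB scan completed."),
]


def classify_line(line):
    """Return one finding per rule that matches the line (possibly none)."""
    findings = []
    for name, rx, hint in RULES:
        m = rx.search(line)
        if m:
            findings.append({"category": name, "target": m.groupdict().get("target"), "hint": hint})
    return findings


def triage(lines):
    """Classify every line; lines no rule recognises produce nothing."""
    out = []
    for n, line in enumerate(lines, 1):
        for finding in classify_line(line):
            finding["line"] = n
            out.append(finding)
    return out
```

Data 52e is the Active Directory sub-code for a plain logon failure; sibling codes such as 775 (account locked) or 533 (account disabled) would point at a different remediation, so a production version of this table would carry a rule for each.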


...

Check Agent Offline Status

How To: Check Agent Offline Status

...

Patching Zoom Application System Restart/Reboot

To debug, check the Event Viewer logs on the agent machine.

...

Having Old Software Installers / Executables a Problem

Potential Issues with Old Executables

  1. Residual Vulnerabilities: If the old Teams executables contain vulnerabilities, they might still be exploitable by an attacker even if newer, patched versions are installed.

  2. Execution by Accident or Malice: Old executables might be executed accidentally by users or scripts, or they might be targeted by attackers who know where they are located.

  3. Inconsistent System State: Having multiple versions of the same software can lead to confusion and operational issues, especially if different components expect different versions.

  4. Increased Attack Surface: Each executable on your system is a potential attack vector. Reducing the number of outdated or unnecessary executables reduces the attack surface.

...

Credential Scan failing

Please use the Validate SMB process.

...