V4 Troubleshooting FAQ
Checking Logs and Default Installation Paths
The default installation path:
Windows: C:\Program Files (x86)\CyberCNSAgent
MacOS/Linux: /opt/CyberCNSAgent
The default path for the logs:
Windows: C:\Program Files (x86)\CyberCNSAgent\logs
MacOS/Linux: /opt/CyberCNSAgent/logs
The default log files:
cybercns.log (main)
cybercns_monitor.log
cyberpatch.log (patching)
How To Check Installed Software for Linux using OSQUERY
The same information for Windows is here: How To: Use OSQuery to Validate Installed Software
For Linux-based assets use the steps below. In this example, I am searching for a program called Thunderbird.
Open Terminal
Navigate to the below path
cd /opt/CyberCNSAgent/
Run osqueryi
sudo ./osqueryi_linux
Execute the query below that matches the asset's package manager (deb_packages on Debian/Ubuntu, rpm_packages on RHEL/CentOS/SUSE)
SELECT name,name as full_name,version,arch,release,source as install_source from deb_packages where name like "%thunder%";
SELECT name,name as full_name,version,arch,release,source as install_source from rpm_packages where name like "%thunder%";
Share this output with the support team
Remediated Vulnerabilities Still Showing in the Portal
Make sure a recent scan has been completed
Use the OSQUERY to determine application details
How To: Use OSQuery to Validate Installed Software
NOTE: If both the old and new versions are present in the osqueryi output, follow these steps to clear the data. This is usually caused by an incomplete removal of the application. If the installation location is still present, it is analyzed and reported normally; when there is no install location or source path, only the uninstall string remains in the registry and it keeps being reported. Clearing that leftover registry information resolves the issue.
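An added example, not ConnectSecure's own tooling, that finds the leftover uninstall entries the note describes: it lists Add/Remove Programs registry keys whose DisplayName matches the application and flags entries that have an UninstallString but no install location on disk. It only reads the registry; which key to clear stays a manual decision after comparing with the osqueryi output. The application name 'thunderbird' is an assumed sample.

```powershell
# Added example (not part of the ConnectSecure FAQ): report uninstall registry
# entries for an application and flag orphaned ones (UninstallString present,
# InstallLocation missing or not on disk). Read-only: nothing is deleted here.
function Find-UninstallRemnant {
    param(
        [Parameter(Mandatory)] [string] $Name   # substring of DisplayName, e.g. 'thunderbird'
    )

    # 64-bit, 32-bit (WOW6432Node) and per-user uninstall keys
    $hives = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    )

    foreach ($hive in $hives) {
        if (-not (Test-Path $hive)) { continue }
        Get-ChildItem -Path $hive | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            if ($p.DisplayName -and $p.DisplayName -like "*$Name*") {
                $loc = [string]$p.InstallLocation
                # Short-circuit so Test-Path never sees an empty path
                $locExists = ($loc -ne '') -and (Test-Path -LiteralPath $loc.Trim('"'))
                $keyPath = $_.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
                [pscustomobject]@{
                    DisplayName     = $p.DisplayName
                    DisplayVersion  = $p.DisplayVersion
                    InstallLocation = $loc
                    UninstallString = $p.UninstallString
                    RegistryKey     = $keyPath
                    # No usable install location but a leftover uninstall string:
                    # the "incomplete removal" case the note above describes
                    Orphaned        = (-not $locExists) -and [bool]$p.UninstallString
                }
            }
        }
    }
}

# Usage: compare the Orphaned entries with the versions osqueryi reports,
# then clear only the key that belongs to the version no longer installed.
Find-UninstallRemnant -Name 'thunderbird' | Format-List
```

Entries with Orphaned = True and a DisplayVersion older than the one osqueryi shows are the ones worth clearing; an entry whose InstallLocation still exists is a real installation, not a remnant.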
Scan Issues
SNMP Scan Issues
Solution 1: For Version 1 and Version 2
Download the file using the link below
https://betadev.mycybercns.com/agents/net-snmp-5.5.0-2.x64.exe
Open PowerShell as administrator
Navigate to the download location and run the below command
--> Start-Process net-snmp-5.5.0-2.x64.exe
Follow the installation steps and install snmpwalk
Run the below command in PowerShell and share the output with us.
--> snmpwalk -v1 -c snmpstring targetIP
for example, snmpwalk -v1 -c public 192.168.0.1
--> snmpwalk -v2c -c snmpstring targetIP
for example, snmpwalk -v2c -c public 192.168.0.1
Solution 2: All 3 versions of SNMP
Here are the troubleshooting steps for validating SNMP communication in PowerShell:
Download the validation tool from the provided link:
https://betadev.mycybercns.com/agents/snmp/validatesnmp.exe
Run PowerShell as Administrator:
Navigate to the location where the downloaded file is located, and open PowerShell as an administrator.
Execute the validation command:
For SNMP version 1:
.\validatesnmp.exe -version 1 -community_string <string> -ip <targetip>
For SNMP version 2:
.\validatesnmp.exe -version 2 -community_string <string> -ip <targetip>
For SNMP version 3:
.\validatesnmp.exe -version 3 -security_name <username> -auth_protocal <auth_protocol> -auth_password <auth_password> -privacy_protocol <priv_protocol> -privacy_password <priv_password> -ip <targetip>
Replace <string> with the SNMP community string for SNMP v1 or v2, <targetip> with the IP address of the target device, <username> with the SNMPv3 username, <auth_protocol> with the authentication protocol (e.g., MD5 or SHA), <auth_password> with the authentication password, <priv_protocol> with the privacy protocol (e.g., AES or DES), and <priv_password> with the privacy password.
Windows Asset Credential Scan Issues (SMB)
You can validate the credentials from the probe agent machine by following the below steps:
Download validate smb.exe from the link below.
https://betadev.mycybercns.com/agents/validatesmb/validatesmb.exe
Run the Command
Open PowerShell as an administrator
Navigate to the location of the file and run the appropriate command based on your asset type:
For a Domain Asset:
.\validatesmb.exe validatesmb <IP> <domain(FQDN)> <user> <password>
Sample: .\validatesmb.exe validatesmb 10.0.0.202 hash.local admin cc@#$123ns
For a Workgroup Asset:
.\validatesmb.exe validatesmb <IP> '""' <user> <password>
Sample:
.\validatesmb.exe validatesmb 10.0.0.202 '""' trator cc@#$123ns
If validatesmb fails, verify access from the agent machine with the Windows Run dialog: open Run, enter the remote asset's admin$ share using its IP address, press Enter, and confirm that the share opens. When prompted for credentials, enter the valid credential.
for e.g. \\192.168.1.1\admin$
Active Directory AD Scan Issues
Ensure correct information is added, such as:
The IP address as the DC name, to avoid any DNS lookup issues
The FQDN as the domain name, and the username without a domain prefix or ".\"
NMAP Scan Issues
If nmap is not discovering any assets, follow the steps below to troubleshoot:
Open the command prompt as an administrator on the agent machine.
Navigate to the CyberCNS agent folder cd "C:\Program Files (x86)\CyberCNSAgent\nmap"
Run the nmap command
.\nmap.exe --privileged -sV -T3 --min-parallelism 100 --max-parallelism 255 -script-timeout 1500000ms --top-ports 3000 -Pn --host-timeout 1900000ms --max-hostgroup 64 --min-hostgroup 30 --max-retries 2 --max-rtt-timeout 200000ms --exclude-ports 9100-9120,515,6101,631,59100,10001,9400,9500,9999,1058,721-731,1023,2000,2501,2503,3001,6869 --script auth,vuln,discovery,safe,ssl* <targetIP-range>
Note: Replace <targetIP-range> with the IP range that you are scanning, and share the printed output with us by emailing support@connectsecure.com or attaching it to an open ticket
Sample command:
.\nmap.exe --privileged -sV -T3 --min-parallelism 100 --max-parallelism 255 -script-timeout 1500000ms --top-ports 3000 -Pn --host-timeout 1900000ms --max-hostgroup 64 --min-hostgroup 30 --max-retries 2 --max-rtt-timeout 200000ms --exclude-ports 9100-9120,515,6101,631,59100,10001,9400,9500,9999,1058,721-731,1023,2000,2501,2503,3001,6869 --script auth,vuln,discovery,safe,ssl* 192.168.1.1/24
Firewall Scan - Error Connecting to Server
If you encounter a firewall scan error when connecting to the server, it is usually either a connectivity problem or a bad username and password. Verify that the firewall is reachable from the Probe agent machine via SSH or its API.
AD Audit Scan Issues / Alerts Not Running
Run the script below
ActiveDirectory_AuditEnable_GPO-Policy.zip
Modify a user/computer/security group and verify if alerts are coming correctly.
Validate Linux Probe Connection Using SNMP
Install the SNMP tool.
sudo apt update
sudo apt install snmp snmp-mibs-downloader
Run the below command in the terminal and share the output with us.
snmpwalk -v1 -c snmpstring targetIP
for example, snmpwalk -v1 -c public 192.168.0.1
snmpwalk -v2c -c snmpstring targetIP
for example, snmpwalk -v2c -c public 192.168.0.1
Dependencies for C++ and .NET Libraries
Many partners face problems and vulnerabilities in and around the Microsoft C++ and .NET framework libraries, which can be hard to track down and remove.
To identify and remove orphaned libraries, you can use tools like Dependency Walker for C++ and Assembly Binding Log Viewer for .NET to determine which libraries your applications use.
Tracking dependencies can be facilitated by tools such as NDepend or ReSharper for .NET, as well as static analysis tools like CppDepend for C++.
Once you have a clear picture of the dependencies, you can safely remove the libraries that are not in use.
Threatlocker: Ringfencing Blocking Patching
Ringfencing in ThreatLocker blocks Powershell scripts that try to reach unknown IPs/ FQDNs, so adding them to an allow list in ThreatLocker was necessary.
Bitdefender Total Security - Firewall Settings to Allow Patching
From the Protection Features menu, tap on Protection > Firewall Settings
Enable the ‘connectsecurepatch.exe’ to allow the patching executable
Firewalls: Sophos XG
Make sure the ‘API Configuration’ checkbox is enabled under the System > Backup & Firmware > API section
Azure SQL Server False Positive(s)
Detection based on NMAP
Open PowerShell as Administrator
Navigate to the agent NMAP folder
(IE: cd "C:\Program Files (x86)\CyberCNSAgent\nmap")
Run the command
.\nmap.exe --privileged -sV -T3 --min-parallelism 100 --max-parallelism 255 -script-timeout 1500000ms --top-ports 3000 -Pn --host-timeout 1900000ms --max-hostgroup 64 --min-hostgroup 30 --max-retries 2 --max-rtt-timeout 200000ms --script auth,vuln,discovery,safe,ssl* <targetIP>
Share the results of this to our support team!
Validation for Mapped Credentials
Validation of mapped credentials can be performed from the portal itself, and the result can be viewed in cyberutilities.log located in "C:\Program Files (x86)\CyberCNSAgent\logs"
Navigate to the agents > Probe Agent > click on the agent action > select Scan
Select the Validate Credential scan type and click on save
Verify Windows Default Application Version Issue
Use the below command
Get-AppxPackage -AllUsers | Where-Object {$_.Name -Like "appName"}
Sample: Get-AppxPackage -AllUsers | Where-Object {$_.Name -Like "Microsoft.Microsoft3DViewer"}
Enable SMB in Remote Host for Probe to Assess OS and Application Vulnerabilities
Run the below command on the reported host and initiate a scan.
These commands will help set SMB as True and help successfully scan an asset.
-> Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 1 -Force
-> Set-NetFirewallRule -DisplayName "File And Printer Sharing (SMB-In)" -Enabled true -Profile Any
-> Set-NetFirewallRule -DisplayName "File And Printer Sharing (NB-Session-In)" -Enabled true -Profile Any
For Windows 11
Additionally, add below registry key post enabling SMB for Windows 11 to get information using SMB:
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
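An added example, not ConnectSecure's own script, that runs on the reported host as Administrator and reports which of the three settings above is still off before anything is changed. Each failing check prints the exact command from this section that fixes it, so only the settings that are actually wrong get touched. The "absent = default enabled" reading of a missing SMB2 value is the documented Windows default and the only assumption made here.

```powershell
# Added example (not part of the ConnectSecure FAQ): check the SMB2 value, the
# two inbound firewall rules and the Windows 11 LocalAccountTokenFilterPolicy
# value, and print the remediation command for each check that fails.
function Test-SmbScanReadiness {
    $results = @()

    # 1. SMB2 on the server service: registry value; absent means the default (enabled)
    $params = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
    $smb2Value = if ($null -eq $params.SMB2) { 'absent (default enabled)' } else { $params.SMB2 }
    $results += [pscustomobject]@{
        Check = 'SMB2 registry value'
        Value = $smb2Value
        Ok    = ($null -eq $params.SMB2) -or ($params.SMB2 -eq 1)
        Fix   = 'Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 1 -Force'
    }

    # 2. Inbound firewall rules the probe needs (the two rule names used above)
    foreach ($rule in 'File And Printer Sharing (SMB-In)', 'File And Printer Sharing (NB-Session-In)') {
        $r = Get-NetFirewallRule -DisplayName $rule -ErrorAction SilentlyContinue
        # The same display name can exist once per profile; OK only if every copy is enabled
        $enabled = ($null -ne $r) -and (@($r | Where-Object { $_.Enabled -ne 'True' }).Count -eq 0)
        $ruleValue = if ($null -eq $r) { 'missing' } else { (@($r.Enabled | Select-Object -Unique) -join ',') }
        $results += [pscustomobject]@{
            Check = "Firewall rule '$rule'"
            Value = $ruleValue
            Ok    = $enabled
            Fix   = "Set-NetFirewallRule -DisplayName `"$rule`" -Enabled true -Profile Any"
        }
    }

    # 3. Windows 11 / workgroup hosts: remote UAC token filtering for local administrators
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    $polValue = if ($null -eq $pol.LocalAccountTokenFilterPolicy) { 'absent' } else { $pol.LocalAccountTokenFilterPolicy }
    $results += [pscustomobject]@{
        Check = 'LocalAccountTokenFilterPolicy'
        Value = $polValue
        Ok    = ($pol.LocalAccountTokenFilterPolicy -eq 1)
        Fix   = 'reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f'
    }

    return $results
}

# Show the current state, then only the commands that are actually needed
$checks = Test-SmbScanReadiness
$checks | Format-Table Check, Value, Ok -AutoSize
$checks | Where-Object { -not $_.Ok } | ForEach-Object { "TODO: $($_.Fix)" }
```

Run it once before and once after applying the fixes; if every check reads Ok = True and the probe still cannot connect, the problem is on the network path to TCP 445 rather than on the host.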
Vulnerabilities for Browser Extension Program
To determine the issue with the browser extension, the below osqueryi can be executed
Open PowerShell as an administrator
Step 1:
If the asset is scanned by a lightweight agent
cd "C:\Program Files (x86)\CyberCNSAgent"
If the asset is scanned by a probe agent
cd "C:\Windows\CyberCNSAgent"
Step 2:
.\osqueryi.exe
Step 3: Run this query with the app name:
SELECT name, browser_type,version,path,sha1(name||path) as unique_id FROM chrome_extensions WHERE chrome_extensions.uid IN (SELECT uid FROM users) GROUP BY unique_id;
V4 API General Information
V4 API Postman Collection
ConnectSecure API.postman_collection.json
Prerequisites for General Scanning and Patching
Create an exception to ConnectSecure primary executables and dependencies in the agent installation folder.
Windows - C:\Program Files (x86)\CyberCNSAgent
Linux - /opt/CyberCNSAgent
Mac - /opt/CyberCNSAgent
Ports used for communication include:
Windows - SMB protocol - Port 445
Linux, Mac, and VMware - SSH protocol - Port 22 and any custom port defined in the credentials
Firewall scan - SSH and API - Port 22 and 443 and any custom port defined in the credentials
Network devices & VMware - SNMP protocol - ports 161, 162
ConnectSecure primary executables include:
connectsecurepatch.exe
cybercnsagent.exe
cybercnsagent_arm
cybercnsagent_darwin
cybercnsagent_linux
cybercnsagentmonitor.exe
cyberutilities.exe
firewall_configs.zip
main.ps1
nmap.zip
osqueryi.exe
osqueryi_darwin
osqueryi_arm
osqueryi_linux
scripts.zip
vcruntime140.dll
TLS 1.0 Vulnerability False Positive
Open PowerShell as an administrator on the reported agent machine
Navigate to the Agent NMAP folder
cd "C:\Program Files (x86)\CyberCNSAgent\nmap\"
Run the below NMAP command
.\nmap.exe --script ssl-enum-ciphers -p 3389 <Target_IP>
Capture that output and share it with our engineering teams.
403 Error with Microsoft Entra ID CSP Integration
Please make sure that the user for granting consent to the application is part of the Admin Agent Security Group and has the Azure AD legacy MFA enabled.
Why Default Pre/Installed Patched Applications Still Showing
To verify the Windows default application version issue, the below command can be used:
Get-AppxPackage -AllUsers | Where-Object {$_.Name -Like "appName"}
Sample: Get-AppxPackage -AllUsers | Where-Object {$_.Name -Like "Microsoft.Microsoft3DViewer"}
Getting Password Alert/User Login Alerts with Bad Password Attempt
Our nmap and SNMP scanning includes password brute-force attempts, and the list below shows the usernames that are used.
The brute-force scan is performed by the Probe agent only; the lightweight agent does not include nmap, so it does no network vulnerability scanning.
As part of network vulnerability scanning, the agent by default tries weak passwords against the SMB, RDP, and SNMP ports to confirm that strong passwords are set; anything discovered is listed under network vulnerabilities. You can avoid these alerts by excluding ports 445, 3389, etc. from scanning.
Please find below the list of usernames that we use for brute-force password scanning.
root
admin
administrator
webadmin
sysadmin
netadmin
guest
user
web
test
SNMP String
public
private
admin
NOTE: Any users other than the ones provided in the list above are outside the purview of ConnectSecure and are not detected or supported for alerting
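An added example, not ConnectSecure's code, for confirming on the host or domain controller that raised the alert that the failed logons really come from the probe agent's checks: it groups recent Security 4625 (failed logon) events by source address and marks sources whose attempted usernames are all from the list above. The probe agent address passed as -ProbeIP is a placeholder to replace with the real one.

```powershell
# Added example (not part of the ConnectSecure FAQ): group failed-logon events
# by source IP and separate the probe agent's expected attempts (scanner
# usernames from the probe address) from failed logons that need review.
function Get-FailedLogonSource {
    param(
        [int]    $Hours   = 24,
        [string] $ProbeIP = '10.0.0.10'   # placeholder: the probe agent's address
    )

    # The usernames listed in this FAQ section
    $scannerUsers = @('root','admin','administrator','webadmin','sysadmin','netadmin','guest','user','web','test')

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4625
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    # Pull TargetUserName and IpAddress out of each event's EventData XML
    $rows = foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time     = $e.TimeCreated
            SourceIP = [string]$d['IpAddress']
            User     = [string]$d['TargetUserName']
        }
    }

    $rows | Group-Object SourceIP | ForEach-Object {
        $users = @($_.Group.User | Sort-Object -Unique)
        # True when every attempted username is on the scanner list
        $allScanner = @($users | Where-Object { $scannerUsers -notcontains "$_".ToLower() }).Count -eq 0
        $fromProbe  = ($_.Name -eq $ProbeIP)
        $verdict = if ($fromProbe -and $allScanner) { 'expected scanner activity' }
                   elseif ($allScanner) { 'scanner-style usernames from an unexpected source: investigate' }
                   else { 'other failed logons: review' }
        [pscustomobject]@{
            SourceIP        = $_.Name
            Attempts        = $_.Count
            Users           = ($users -join ',')
            IsProbeAgent    = $fromProbe
            ScannerListOnly = $allScanner
            Verdict         = $verdict
        }
    }
}

Get-FailedLogonSource -Hours 24 -ProbeIP '10.0.0.10' | Format-Table -AutoSize
```

A source marked "expected scanner activity" is the alert this section explains; any other source that uses the same username set deserves a look, because that pattern is not limited to the probe agent.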
Patched Assets Not Listed
For Windows "KB" security patch-related issues and queries, run the commands below on the reported machine and share the output.
wmic qfe get HotfixID | findstr /v HotFixID
$UpdateSession = New-Object -ComObject "Microsoft.Update.Session"; $UpdateSearcher = $UpdateSession.CreateUpdateSearcher(); $Results = $UpdateSearcher.Search("IsInstalled=1"); $updates = ForEach($update in $Results.Updates) {"KB"+[String]$update.KBArticleIDs}; $updates
Also, please run the below queries in PowerShell as Administrator and share the output with us
-> Navigate to CyberCNSAgent folder
cd "C:\Program Files (x86)\CyberCNSAgent"
-> Run the below command
.\osqueryi.exe
select CONCAT('KB',replace(split(split(title, 'KB',1),' ',0),')','')) as hotfix_id,description, datetime(date,'unixepoch') as install_date,'' as installed_by,'' as installed_on from windows_update_history where title like '%KB%' group by split(split(title, 'KB',1),' ',0);
select hotfix_id,description,installed_by,install_date,installed_on from patches group by hotfix_id;
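An added example, not a ConnectSecure script, that collects the installed-KB list from the same two sources the commands above query (Win32_QuickFixEngineering, which is what wmic qfe reads, and the Windows Update Agent history) and shows where they disagree. The two sources routinely differ, which is the usual reason an asset looks patched in one place and not in another; running this as Administrator on the reported machine gives the support team the difference directly.

```powershell
# Added example (not part of the ConnectSecure FAQ): compare installed KB ids
# from Get-HotFix (QFE/CBS view) and from the Windows Update Agent history,
# and list the ids present in only one of them.
function Get-KbSourceComparison {
    # Source 1: Win32_QuickFixEngineering, the same data 'wmic qfe' prints
    $qfe = @(Get-HotFix | ForEach-Object { $_.HotFixID })   # e.g. KB5034441

    # Source 2: Windows Update Agent history of installed updates
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $wua = @(foreach ($u in $searcher.Search('IsInstalled=1').Updates) {
        foreach ($id in $u.KBArticleIDs) { "KB$id" }   # one update can carry several KB ids
    })

    $cmp = [System.StringComparer]::OrdinalIgnoreCase
    $qfeSet = [System.Collections.Generic.HashSet[string]]::new([string[]]$qfe, $cmp)
    $wuaSet = [System.Collections.Generic.HashSet[string]]::new([string[]]$wua, $cmp)

    [pscustomobject]@{
        QfeCount  = $qfeSet.Count
        WuaCount  = $wuaSet.Count
        InBoth    = @($qfeSet | Where-Object { $wuaSet.Contains($_) } | Sort-Object)
        OnlyInQfe = @($qfeSet | Where-Object { -not $wuaSet.Contains($_) } | Sort-Object)
        OnlyInWua = @($wuaSet | Where-Object { -not $qfeSet.Contains($_) } | Sort-Object)
    }
}

$result = Get-KbSourceComparison
$result | Format-List
# Attach this output to the ticket together with the osqueryi results above.
```

Ids that appear only in the Windows Update history are typically Defender definition, driver or Office updates that carry a KB number but are not CBS packages, so they never show up in the QFE view; ids that appear only in QFE were installed outside Windows Update (for example manually or through another patching tool).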
Active Directory Data Not Loading (OU, Users, Computers, GPO)
Please execute the below scripts and send the output for our team to debug:
Is Reboot Required?
Run the below script and verify the reboot status:
Cyberutilities.log Errors When SMB Not Enabled
The error: "failed to connect to '192.1.0.1:445': [winerror 10060] a connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond"}
2024-08-05 15:38:07,098 INFO smbClient execute_exec 665 SMB scan completed for 192.168.163.62 with status 0 output err CyberCNS Agent
Note: For the above error, the customer must enable the SMB protocol on the remote host
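An added example, not ConnectSecure's tooling, that summarises cyberutilities.log per target host so that hosts with a port-445 connect failure (winerror 10060) stand out from hosts where the SMB scan actually ran. The patterns are inferred from the two lines quoted above; the level and position of the error line in the constructed sample below are an assumption, and the real log is read with Get-Content.

```powershell
# Added example (not part of the ConnectSecure FAQ): parse cyberutilities.log
# lines for SMB connect failures and SMB scan completions, one row per host,
# and say what the next action is for each host.
function Get-SmbScanSummary {
    param(
        [string[]] $Lines   # raw log lines, e.g. Get-Content of cyberutilities.log
    )

    $connectFail = "failed to connect to '(?<ip>\d{1,3}(\.\d{1,3}){3}):445'.*winerror (?<code>\d+)"
    $scanDone    = 'SMB scan completed for (?<ip>\d{1,3}(\.\d{1,3}){3}) with status (?<status>\d+)'

    $byHost = @{}
    foreach ($line in $Lines) {
        # -match is case-insensitive, so the lowercased error text above still matches
        if ($line -match $scanDone) {
            $ip = $Matches['ip']
            if (-not $byHost.ContainsKey($ip)) { $byHost[$ip] = @{ Status = $null; WinError = $null } }
            $byHost[$ip].Status = [int]$Matches['status']
        }
        elseif ($line -match $connectFail) {
            $ip = $Matches['ip']
            if (-not $byHost.ContainsKey($ip)) { $byHost[$ip] = @{ Status = $null; WinError = $null } }
            $byHost[$ip].WinError = [int]$Matches['code']
        }
    }

    foreach ($ip in ($byHost.Keys | Sort-Object)) {
        $h = $byHost[$ip]
        # 10060 = connection timed out: TCP 445 is filtered or SMB is not enabled on the host
        $action = if ($h.WinError -eq 10060) { 'Enable SMB / allow TCP 445 on this host' }
                  elseif ($null -ne $h.Status -and $h.Status -ne 0) { 'Check credentials for this host in cyberutilities.log' }
                  else { 'OK' }
        [pscustomobject]@{
            Host     = $ip
            Status   = $h.Status
            WinError = $h.WinError
            Action   = $action
        }
    }
}

# Constructed sample lines, shaped like the two quoted above, so this runs offline
$sample = @(
    "2024-08-05 15:38:01,010 ERROR smbClient execute_exec 640 failed to connect to '192.1.0.1:445': [winerror 10060] a connection attempt failed because the connected party did not properly respond after a period of time",
    "2024-08-05 15:38:07,098 INFO smbClient execute_exec 665 SMB scan completed for 192.168.163.62 with status 0 output err CyberCNS Agent"
)
Get-SmbScanSummary -Lines $sample | Format-Table -AutoSize

# Against the real log on the probe agent:
# Get-SmbScanSummary -Lines (Get-Content 'C:\Program Files (x86)\CyberCNSAgent\logs\cyberutilities.log') | Format-Table -AutoSize
```

On the constructed sample, 192.1.0.1 comes out with WinError 10060 and the "Enable SMB" action, while 192.168.163.62 is OK with status 0; the list of hosts with the 10060 action is the list to run the SMB-enabling commands on.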
Enable SMB Communication with PowerShell Commands
These commands will help set SMB to True and help successfully scan an asset.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 1 -Force
Set-NetFirewallRule -DisplayName "File And Printer Sharing (SMB-In)" -Enabled true -Profile Any
Set-NetFirewallRule -DisplayName "File And Printer Sharing (NB-Session-In)" -Enabled true -Profile Any
Additionally, add below registry key post enabling SMB for Windows 11 to get information using SMB:
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
ConnectSecure V4 Agent Update Script
This script can help with basic troubleshooting when the agent is not showing online and will ensure the CyberCNSAgent.exe is validated and running the latest version.
Tap the file below to grab the script:
You must replace and update the 'x' with your Company and Tenant ID
Error Installing vc_dist.x86.exe
Install the "VC_redist.x86.exe" manually from the cybercns agent folder and verify by initiating the scan once. The file is in "C:\Program Files (x86)\CyberCNSAgent\nmap".
Lightweight Agent Not Converting to Probe- Error Installing npcap.exe
Install the "npcap.exe" manually by downloading it using the link below and verify by initiating the scan once.
https://npcap.com/dist/npcap-1.79.exe
Error SMB Enabled but Username or Password Invalid
Port 445(SMB):- Error in validating AD Credentials:- response error: The attempted logon is invalid. This is either due to a bad username or authentication information. Port 636(LDAPS):- LDAP Result Code 200 "Network Error": read tcp 10.0.1.154:50974->10.0.1.153:636: wsarecv: An existing connection was forcibly closed by the remote host. Port 389(LDAP):- LDAP Result Code 49 "Invalid Credentials": 80090308: LdapErr: DSID-0C09050E, comment: AcceptSecurityContext error, data 52e, v4f7c
Check Agent Offline Status
How To: Check Agent Offline Status
Patching Zoom Application System Restart/Reboot
To debug, check the Event Viewer logs on the agent machine.
Credential Scan failing
Please use the validate SMB process.
Download the executable below to check the SMB status of assets that are scanned via the Probe agent.
https://betadev.mycybercns.com/agents/validatesmb/validatesmb.exe
Open PowerShell as an administrator
Run below command on the probe agent system
For Domain joined asset:
>> .\validatesmb.exe validatesmb IP domain username password
Example
>> .\validatesmb.exe validatesmb 10.0.0.202 abc.com administrator abcd@987#
For workgroup asset:
>>.\validatesmb.exe validatesmb IP '""' username password
Example
>>.\validatesmb.exe validatesmb 10.0.0.202 '""' administrator abcd@987#