Open ferullo opened 1 year ago
One small note: self-healing is available for the Platinum and Enterprise subscription levels.
> Endpoint may also use the Volume Snapshot Service as a part of Elastic's effort to ensure the feature works properly even when it isn't in enforcement mode. Users can explicitly opt out of that by setting the `windows.advanced.diagnostic.rollback_telemetry_enabled` option to `false`.

@ferullo Could you explain a bit more what "isn't in enforcement mode" means here? Is it just when the rollback feature is disabled (`windows.advanced.alerts.rollback.self_healing.enabled` is `false` or blank), or is there another setting specifically for "enforcement mode"? Thanks!
Yeah I meant disabled, I should have just said that 😄
Just to mention that documenting as well that the Volume Snapshot Service technique is used for this sounds like a good idea.
Would be good to get some drive on that one. Thanks a lot.
If the docs page resulting from this issue would be a separate one, it would be good to link these together with: https://www.elastic.co/guide/en/security/8.9/self-healing-rollback.html
Description
Endpoint has a self-healing feature on Windows at the Enterprise subscription level (@roxana-gheorghe can you confirm I got the subscription level right?). When enabled, Endpoint will undo recent file system changes when prevention alerts are triggered. This feature uses Windows' Volume Snapshot Service. Although it is uncommon for this to cause issues on computers, users can disable this Endpoint feature if needed.
There are two reasons Endpoint may use the Volume Snapshot Service. The first is if Enterprise users use the advanced policy option `windows.advanced.alerts.rollback.self_healing.enabled` to enable the prevention feature. If it was enabled and is causing issues, it needs to be turned back off. Endpoint may also use the Volume Snapshot Service as a part of Elastic's effort to ensure the feature works properly even when it isn't in enforcement mode. Users can explicitly opt out of that by setting the `windows.advanced.diagnostic.rollback_telemetry_enabled` option to `false`.

Notes
Can we document this as a new Endpoint troubleshooting page, unless there is somewhere else this information may be more relevant?
cc @nfritts @bit-envoy @joe-desimone to correct me if anything I stated is wrong.