Last edited by Draiden 11 May 2023 15:16.

Last edited by Draiden 10 May 2023 18:49.

Last edited by Draiden 04 May 2023 21:16.

442776453acb58e276.png

So its been awhile. I tooked my vacay and came back saw this alert from my 2nd layer SIEM.
does EDR intentionaly going to turn off firewall?

And maybe this is why my EDR agent Icon got red dots?

966976453b03508bab.png


EDIT:

I found out that during CC+ES correlation when triggered ES will do deep scan. So since its hosted on a server, agent needs ask for turning it off while doing some errunds.

Thanks guys!

EDIT:

Case solved. Just clumsy after a long vacation..

CLELUQMAN has solved this question and earned 40 coins.

Posting a reply earns you 2 coins. An accepted reply earns you 20 coins, 20 coins of bounty and another 10 coins for replying within 10 minutes. (Expired) What is Coin?

Enter your mobile phone number and company name for better service. Go

have u solve this? i think the EDR turn off the firewall is temporary , maybe it is updating or scanning.
Is this answer helpful?
Draiden Lv2Posted 05 May 2023 14:44
  
I have solved the image below.. (notifications only) But the upper image is kinda worries me.
Can anyone send me a working legit hash for edr_monitor and edr_agent?
Farina Ahmed Lv5Posted 08 May 2023 13:54
  
It is possible that the EDR agent or other security software on the endpoint is conflicting with the firewall or causing the firewall to malfunction. This could be a result of misconfiguration or compatibility issues between the two security solutions.

The red dots on the EDR agent icon could indicate that there is a problem with the EDR agent or that it is not communicating properly with the security console or server. This could be due to several factors, including connectivity issues, software conflicts, or other configuration problems.

To investigate this issue, you may need to review the logs and alerts from your SIEM and EDR systems, as well as any other security software that is installed on the affected endpoint. You may also want to check for any known compatibility issues or software conflicts between the EDR agent and firewall solutions. Additionally, you may need to involve your IT team or vendor support to help diagnose and resolve the issue.
faysalji Lv3Posted 08 May 2023 14:14
  
The command mentioned, "netsh advfirewall set allprofiles state off," is used to disable the Windows Firewall for all network profiles (Domain, Private, and Public). It turns off the firewall protection, allowing all incoming and outgoing network traffic without any filtering or blocking.

However, it's important to note that disabling the Windows Firewall can expose your computer or network to potential security risks. The firewall acts as a barrier between your system and the outside network, helping to prevent unauthorized access and protecting against malicious threats.

If you choose to disable the firewall temporarily for troubleshooting purposes or other specific reasons, make sure to take appropriate precautions, such as ensuring that your computer is not directly connected to the internet or being used in an insecure network environment.

After you have completed your intended tasks, it is strongly recommended to enable the Windows Firewall or configure it to allow only necessary traffic based on your network security requirements. You can enable the firewall again using the command:

netsh advfirewall set allprofiles state on


Always prioritize the security of your system and network by implementing a comprehensive and robust security strategy.
RegiBoy Lv5Posted 08 May 2023 15:04
  
contact technical support
MISMIS Lv3Posted 08 May 2023 16:53
  
you may need to review the logs and alerts from your SIEM and EDR systems.
Milagros Lv2Posted 08 May 2023 17:27
  
You may need to analyze the logs and alarms from your SIEM and EDR systems, as well as any other security software installed on the impacted endpoint, to investigate this issue. Check for any known compatibility concerns or software conflicts between the EDR agent and firewall solutions as well. You may also need to enlist your IT staff or vendor assistance to help diagnose and address the problem.
CptArmando Lv2Posted 08 May 2023 17:33
  
You may need to analyze the logs and alarms from your SIEM and EDR systems, as well as any other security software installed on the impacted endpoint, to investigate this issue.
Donsadam Posted 08 May 2023 17:39
  
The presence of red dots on the EDR agent symbol might indicate that the EDR agent is malfunctioning or that it is not interacting correctly with the security dashboard or server.
Yboom Lv2Posted 08 May 2023 17:43
  
Please contact technical assistance.

I Can Help:

Change

Moderator on This Board

3
12
3

Started Topics

Followers

Follow

43
2
2

Started Topics

Followers

Follow

1
2
5

Started Topics

Followers

Follow

7
11
4

Started Topics

Followers

Follow

18
8
0

Started Topics

Followers

Follow

Trending Topics

Board Leaders