Rule groups are removed if installer checks fail and generate Rule Group Sanity Check errors
Last Modified: 2024-01-23 13:18:17 Etc/GMT
Technical Articles ID:
KB90596
Environment
Application and Change Control (ACC) 8.x
Problem
Rule groups are removed when SHA-1 is missing from checksum rules. When SHA-1 is missing from the checksum rules, the Rule Group Sanity Check generates errors.
Cause
The issue is with Solidcore Rules, Installers. When a new installer is added, you can define both SHA-1 and SHA-256, only SHA-1, or only SHA-256. Currently, SHA-1 is always required because it has a unique constraint in SQL. The procedure that inserts a value into the database checks whether the SHA-1 already exists. If it exists, the other values are updated on the existing row, because SHA-1 is unique. If the SHA-1 doesn't exist, all values are inserted as a new row.

So, if a new installer is created without SHA-1, it's inserted with an empty value under SHA-1 the first time. The second time an installer without SHA-1 is added, it's not inserted. Instead, the previous row with no SHA-1 is updated, the task fails, and all rule groups are deleted.

NOTE: Run Rule Group Sanity Check only if all installers have SHA-1. This task doesn't have to be run after every upgrade; it's optional and fixes inconsistencies in the rule group.
Solution
The ACC 8.2.1.121 Hotfix 1 Extension corrects this issue. Technical Support recommends that you upgrade the extension to this version. See the Release Notes for more information. For product documents, go to the Product Documentation portal.
Workaround
Run the following query against the database and determine whether any lines are returned:
WHERE CHECKSUM IS NULL OR CHECKSUM LIKE ''
When the query has been run against the database and returns no lines, remove and reinstall the Solidcore extension, or upgrade it. If you can't upgrade or reinstall the extension, contact Technical Support. To contact Technical Support, go to the Create a Service Request page and log on to the ServicePortal.
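The following is an added illustration, not Trellix code and not the ACC schema: it models, in an in-memory SQLite table, the insert procedure described under Cause (look up by SHA-1, update the row if found, otherwise insert) and the pre-check query from the Workaround. The table and column names (installers, sha1, sha256) and the sample installer entries are assumptions made for the example. It shows why two installers defined without SHA-1 collide on the empty value, and a guarded variant that refuses an installer with no SHA-1 instead of silently overwriting the earlier row.

```python
import sqlite3

# Added example, not Trellix code. Table/column names are assumptions;
# the real ACC schema is not shown in the article.


def make_db():
    """In-memory table with the unique constraint on SHA-1 the article describes."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE installers ("
        " id INTEGER PRIMARY KEY,"
        " name TEXT NOT NULL,"
        " sha1 TEXT UNIQUE,"  # unique key: NULLs are distinct, but '' is one value
        " sha256 TEXT)"
    )
    return conn


def upsert_by_sha1(conn, name, sha1, sha256):
    """Models the described procedure: look up by SHA-1, update if found, else insert.
    An installer defined without SHA-1 is stored with an empty SHA-1 ('')."""
    sha1 = sha1 or ""
    row = conn.execute("SELECT id FROM installers WHERE sha1 = ?", (sha1,)).fetchone()
    if row is not None:
        # Same SHA-1 already present: the existing row is overwritten.
        conn.execute("UPDATE installers SET name = ?, sha256 = ? WHERE id = ?",
                     (name, sha256, row[0]))
        return "updated"
    conn.execute("INSERT INTO installers (name, sha1, sha256) VALUES (?, ?, ?)",
                 (name, sha1, sha256))
    return "inserted"


def upsert_requiring_sha1(conn, name, sha1, sha256):
    """Guarded variant: reject installers without SHA-1 rather than colliding on ''."""
    if not sha1:
        raise ValueError(f"installer {name!r} has no SHA-1; SHA-1 is the unique key")
    return upsert_by_sha1(conn, name, sha1, sha256)


def installers_missing_sha1(conn):
    """The article's pre-check (CHECKSUM IS NULL OR CHECKSUM LIKE '') on the assumed column."""
    rows = conn.execute(
        "SELECT name FROM installers WHERE sha1 IS NULL OR sha1 LIKE ''"
    ).fetchall()
    return [r[0] for r in rows]


def installer_names(conn):
    return [r[0] for r in conn.execute("SELECT name FROM installers ORDER BY id")]


def demo():
    """Replays the failure: two installers without SHA-1, then one with SHA-1."""
    conn = make_db()
    outcomes = [
        upsert_by_sha1(conn, "agent-setup-a.exe", None, "a" * 64),  # constructed sample
        upsert_by_sha1(conn, "agent-setup-b.exe", None, "b" * 64),  # collides with row 1
        upsert_by_sha1(conn, "agent-setup-c.exe", "c" * 40, "c" * 64),
    ]
    return {
        "outcomes": outcomes,                        # ['inserted', 'updated', 'inserted']
        "names": installer_names(conn),              # setup-a.exe has been overwritten
        "missing_sha1": installers_missing_sha1(conn),  # rows the pre-check would flag
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the second SHA-1-less installer replacing the first instead of being added, which is the state the Workaround query is meant to surface before Rule Group Sanity Check is run; the guarded variant is the kind of check the hotfix mentioned under Solution makes unnecessary.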