
RSA ECAT Host Re-imaged while in Contained State can't be removed from Database

Issue

Containment allows the administrator inside ECAT UI to isolate specific systems that are noted for being infected. If the infected system has its agent uninstalled or the whole system is re-imaged without first disabling containment, the system cannot be removed from the UI.


Cause

The cause is a combination of two behaviours in how the NWE agent status is handled.
First, the option to remove the machine (Remove Selection from the Database) is intentionally disabled in the UI to prevent the deletion of isolated machines.
Second, stopping containment from the UI does not take effect until the agent checks in. A machine that has been re-imaged, or has had its agent uninstalled, will never check in again, so it can neither be removed nor changed in the UI.

Resolution

The resolution to this issue is to disable the containment factor in the database using a SQL statement:

1. Obtain the Agent ID of the agent in the UI. In the NWE UI, go to Machines, open the Properties of the affected machine, and note the Agent ID.
2. Then run the below SQL statement in SQL Server Management Studio against the ECAT$PRIMARY database:

SELECT * FROM Machines WHERE AgentID = 'insert_agent_id_here'

Replace insert_agent_id_here with the Agent ID obtained earlier.
3. Take note of the number in the PK_Machines column. This matches the value in the FK_Machines column of the MachineOnlineState table.
4. Take the number acquired in step 3 and use it in place of X in the below statement to remove containment (note that we are assuming the database is named ECAT$PRIMARY; if not, change the first line to the name of the appropriate database):

USE ECAT$PRIMARY
UPDATE MachineOnlineState
SET ContainmentStatus = 0
WHERE FK_Machines = X

5. In the NWE UI, press F5 to refresh. The machine should no longer show containment as its status, and you can now remove the machine that was re-imaged or had its agent uninstalled.
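The steps above carried out as a single T-SQL script, added here as a worked example (it is not part of the original article): it resolves the Agent ID to PK_Machines, refuses to proceed unless exactly one machine matches, and clears ContainmentStatus inside a transaction that is rolled back if more than one row would change. The database name, the NVARCHAR type chosen for the Agent ID variable, and the placeholder Agent ID are assumptions.

```sql
-- Added example, not the KB article's own script.
USE ECAT$PRIMARY;   -- assumption: database name as in the article; change if different
GO

-- Placeholder: paste the Agent ID shown in the NWE UI (Machines > Properties).
-- NVARCHAR is an assumption; SQL Server converts it to the column's type on compare.
DECLARE @AgentID NVARCHAR(64) = N'insert_agent_id_here';
DECLARE @MachineKey INT;

-- Steps 2 and 3: the Agent ID must identify exactly one row in Machines.
IF (SELECT COUNT(*) FROM Machines WHERE AgentID = @AgentID) <> 1
BEGIN
    RAISERROR(N'Agent ID matched zero or several rows in Machines; nothing changed.', 16, 1);
    RETURN;
END;

SELECT @MachineKey = PK_Machines FROM Machines WHERE AgentID = @AgentID;

-- Show the current state before changing anything.
SELECT FK_Machines, ContainmentStatus
FROM MachineOnlineState
WHERE FK_Machines = @MachineKey;

BEGIN TRANSACTION;
    -- Step 4: clear the containment flag for this one machine only.
    UPDATE MachineOnlineState
    SET ContainmentStatus = 0
    WHERE FK_Machines = @MachineKey;

    -- Safety check: exactly one row should have been touched.
    IF @@ROWCOUNT <> 1
    BEGIN
        ROLLBACK TRANSACTION;
        RAISERROR(N'Unexpected row count in MachineOnlineState; change rolled back.', 16, 1);
        RETURN;
    END;
COMMIT TRANSACTION;

-- Verify: the row should now read ContainmentStatus = 0.
SELECT FK_Machines, ContainmentStatus
FROM MachineOnlineState
WHERE FK_Machines = @MachineKey;
```

Take a backup of the database before running the script, since the UPDATE bypasses the UI's own safeguards.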

Product Details

Netwitness Product Set: ECAT, NetWitness Endpoint
Netwitness Product/Service Type: ECAT
Netwitness Version/Condition: 4.3.0.x
Platform: Windows

Summary

Containment fails following the uninstallation of the NWE agent, or re-imaging of the endpoint machine.

