fireeye/HXTool

HX Tool Dashboard Unable to Load Complete Data

Closed this issue · 21 comments

Hi,

I have been using the HX Tool and I have seen that the Antivirus Dashboard does not load any data on the Endpoints With Anti-Virus Content Version, Endpoints With Anti-Virus Engine Version and Status Of Anti-Virus On Endpoints portions.

Is this a known issue?

B0fH commented

Hi @firefox5566 -
It should load anti-virus information just fine, if you have agents with the A/V engine enabled. Are you seeing an issue with agents that have the engine enabled?

Thanks,
Elazar

Hi @B0fH,

A/V engine is enabled on our endpoints and we can confirm that on our monthly audits via scan reports. The attached image is what we are seeing on the HX Tool interface under "Antivirus Dashboard": (no data is being populated)

B0fH commented

Hi @firefox5566 -
That is odd. How many agents do you have on the controller overall? Additionally, are there any errors in the console window that HXTool is running under and/or hxtool.log?

Thanks,
Elazar

Hi @B0fH,

We have 50k plus endpoints. In terms of errors, I am not sure if this matters, but I can see KeyError: 'TP' and other info like the image below:

Hi @B0fH,

I can send you the HXTool logs if you want.

B0fH commented

Hi @firefox5566 -
Yes, that'd be appreciated. It looks like we're failing to parse some data - those key errors are likely why those dashboards aren't loading.

Thanks,
Elazar

Hi @B0fH,

How do you want me to send the logs, do you want it via email or via secure file link?

B0fH commented

Hi @firefox5566 -
Thank you for sending the log file, it is much appreciated. The 'TP' key error is due to Tamper Protection missing as an alert type in alert_types.json. I've gone ahead and added it. Can you replace your copy of this file with the new one and restart HXTool?

Thanks,
Elazar

Hi @B0fH,

Thank you for this.

I have now replaced the file with that and restarted HXTool however I am still not seeing any info on the Antivirus Dashboard as seen on the image below:


Hi @B0fH,

I have inspected on the AV Dashboard and found the info below:

For the "Latest Anti-Virus Alerts", it is showing a successful connection which would explain why the data are showing:


For the Malware Content "Endpoints With Anti-Virus Content Version", Malware Version "Endpoints With Anti-Virus Engine Version" and Malware Status "Status Of Anti-Virus On Endpoints", all are showing the same info:


It appears that the connection or the request timed out.

Do you have any insights on this?

Kindly advise.

Hi @B0fH,

I am seeing this as well.


Kindly advise.

Thank you!

Hi @B0fH,

We are also seeing these errors:


We are also having these sorts of errors:

Hi @B0fH,

I have now figured this out.

This was related to the (ret, response_code, response_data) = hx_api_object.restListHosts(limit=100) call. This was originally set to (limit=100000), which I believe takes too much time to query. I have tested and changed it to (limit=100) and the dashboard is showing data as seen in the image below:


Hi @B0fH,

Is there a possible way to improve this to be able to query a lot quicker and cater for higher limits? Or what would be the behavior if we do not set a limit on this? It looks like the limit I can set in order for the info to be displayed on the dashboard is 100.

B0fH commented

Hi @firefox5566 -
Changing the limit to 100 will restrict the chart to the first 100 agents returned by the controller. That said, I posted a potential fix to my branch here: 95c5883. You can grab a raw copy here: https://raw.githubusercontent.com/fireeye/HXTool/elazar-changes/hxtool_api.py, replace your existing hxtool_api.py and restart HXTool. Let me know if that resolves the issue.

Thanks,
Elazar

Hi @B0fH,

The data is still not loading and I am getting these warnings:


Kindly advise.

Thank you.

Hi @B0fH,

It looks like there are a lot of devices that do not have MalwareProtectionStatus in the sysinfo that was being pulled, which is causing some errors. The code will skip these errors, right, and just pull the ones that have valid information/data in the response data?
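Two problems run through this thread: a single host-list request with a huge limit that times out, and hosts whose sysinfo has no MalwareProtectionStatus block tripping the aggregation. The following is an added example (not HXTool's own code, and not from either participant) showing the pattern a dashboard backend would use for both: walk the host list page by page with a small page size, and tally content version, engine version and status with `.get()` lookups so a host missing the block is skipped and reported rather than raising a KeyError. `fake_list_hosts`, the sample hosts, and every field name other than `MalwareProtectionStatus` are constructed for illustration and are not the HX API's real names; the real `restListHosts` call and its response layout are not reproduced here.

```python
"""Added example: paginated host walk plus a KeyError-tolerant AV tally.

Everything below is constructed for illustration. The only key taken from
the thread is "MalwareProtectionStatus"; the other field names, the
fake_list_hosts() signature and the response layout are assumptions.
"""
from collections import Counter

# Constructed sample hosts. ws-003 has no AV block and ws-005 has no sysinfo
# at all, mirroring the hosts that broke the dashboard in the thread.
SAMPLE_HOSTS = [
    {"hostname": "ws-001", "sysinfo": {"MalwareProtectionStatus": {
        "content_version": "2023.04.01", "engine_version": "35.0.1", "status": "enabled"}}},
    {"hostname": "ws-002", "sysinfo": {"MalwareProtectionStatus": {
        "content_version": "2023.03.15", "engine_version": "35.0.1", "status": "enabled"}}},
    {"hostname": "ws-003", "sysinfo": {}},
    {"hostname": "ws-004", "sysinfo": {"MalwareProtectionStatus": {
        "content_version": "2023.04.01", "engine_version": "34.9.0", "status": "disabled"}}},
    {"hostname": "ws-005", "sysinfo": None},
]


def fake_list_hosts(offset, limit):
    """Hypothetical stand-in for a paginated host-list API call.

    Returns a (ret, response_code, response_data) triple in the same shape the
    thread quotes for hx_api_object.restListHosts, but serves SAMPLE_HOSTS
    from memory so the example runs offline.
    """
    page = SAMPLE_HOSTS[offset:offset + limit]
    return True, 200, {"data": {"entries": page, "total": len(SAMPLE_HOSTS)}}


def iter_hosts(list_hosts, page_size=100):
    """Yield every host by issuing small paged requests instead of one huge one.

    A failed page raises instead of silently yielding a partial population,
    so a dashboard built on this cannot show a truncated chart as if complete.
    """
    offset = 0
    while True:
        ret, code, body = list_hosts(offset, page_size)
        if not ret or code != 200:
            raise RuntimeError("host list request failed at offset %d: %s" % (offset, code))
        data = body.get("data") or {}
        entries = data.get("entries") or []
        if not entries:
            return
        for host in entries:
            yield host
        offset += len(entries)
        if offset >= data.get("total", 0):
            return


def aggregate_av(hosts):
    """Tally AV content version, engine version and status across hosts.

    Hosts with no usable MalwareProtectionStatus block are collected in
    `skipped` (so the gap is visible) rather than raising a KeyError and
    taking the whole dashboard down with them.
    """
    counts = {"content_version": Counter(), "engine_version": Counter(), "status": Counter()}
    skipped = []
    for host in hosts:
        sysinfo = host.get("sysinfo") or {}
        av = sysinfo.get("MalwareProtectionStatus")
        if not isinstance(av, dict):
            skipped.append(host.get("hostname", "<unknown>"))
            continue
        for key in counts:
            counts[key][av.get(key, "unknown")] += 1
    return counts, skipped


def av_summary(page_size=2):
    """Run the paged walk and the tally end to end; small page_size shows paging."""
    return aggregate_av(iter_hosts(fake_list_hosts, page_size=page_size))


if __name__ == "__main__":
    counts, skipped = av_summary()
    for name, counter in counts.items():
        print(name, dict(counter))
    print("skipped (no MalwareProtectionStatus):", skipped)
```

The skipped list is the important output for a 50k-agent fleet: a chart that quietly drops hosts without an AV block looks healthy while hiding exactly the endpoints where protection may be missing, so surface that count next to the chart rather than only logging it.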

B0fH commented

Hi @firefox5566 -
Please let me know if the changes in #114 resolve this issue.

Thanks,
Elazar

B0fH commented

Closing per out-of-band confirmation from @firefox5566 that the issue has been resolved.