Targeted Attack Analytics service failed to get Cynic credentials


Article ID: 171960


Products

Endpoint Detection and Response, Advanced Threat Protection Platform

Issue/Introduction

Attempts to register the Targeted Attack Analytics (TAA) service using a Symantec License File (.slf) fail within the User Interface (UI) of the Advanced Threat Protection (ATP) Platform.

  • System Activity Logs display one or more events with eventid: 1000 and event: "Targeted Attack Analytics service failed to get Cynic credentials"
  • System Activity Logs display one or more events with eventid: 1000 and event: "Failed to upload license file to Targeted Attack Analytics service for..."
  • UI Logging shows submit_to_sandbox command result as ERROR_REQUEST_TIMEOUT for every attempt to send files to Cynic service for analysis.

 

Cause

From Symantec Engineering reproduction in test lab:

  • These symptoms occur if proxy configuration settings become corrupt in a low-level configuration file for the Cynic service.
  • This form of low-level config file corruption may occur during the upgrade from ATP Platform 3.0.5 to 3.1.0.
  • Upgrading ATP from 3.1.0 to 3.2.0 will not cause this condition, nor will it repair this condition.

Environment

A proxy is specified in the ATP global settings.

The upgrade history of the ATP management server or ATP AllInOne includes an upgrade from ATP 3.0.5 to ATP 3.1.0.

Resolution

Symantec resolved this issue in the next version of ATP Platform software. Please upgrade to Symantec Endpoint Detection and Response 4.0.0.

To work around the issue:

  1. In the ATP UI, navigate to Settings > Appliances
  2. Click on the appliance with the Management role
  3. Scroll down to Network Proxy
  4. If "Use default" is checked, return to the Settings > Appliances page, then click "Edit Default Appliance"
  5. Remove and re-add the settings for the network proxy

After the issue is resolved, to confirm that TAA events arrive at ATP from SEP clients, at the SEP client, type:

start cmd /k echo TAA-EICAR:EicarActor

Event delivery from the SEP client to ATP/SEDR depends on the idle state of the machine, so we can't define the time parameters of event delivery to ATP/SEDR. We are working to improve this in the future by improving the SEP client throttling mechanism.