The following error appears when expanding a malware detection event on the NDR Detections page:
"We encountered an issue while loading detected file information. The requested entity was not found"
This issue specifically impacts NDR environments, particularly those where both NDR and MPS (Malware Prevention Service) are deployed. It is more likely to occur in larger network environments with frequent malware detections, where malicious files may be detected multiple times within the same calendar month.
The issue arises due to an error in time range handling when processing file detections. When the same file is detected multiple times within the same month, but with a gap of more than two days, the NDR backend fails to update the end timestamp of the earlier detection event correctly. Instead, the new detection overwrites the previous file detection, leading to the absence of the earlier file information when queried in the UI.
This overwriting issue, combined with improper error handling for missing detection events, may result in a crashloop in the "nsx-ndr-worker-detection-event-scorer" deployment when it tries to access the missing file detection information. The worker repeatedly crashes until the erroneous message expires from Kafka.
The issue has been resolved with the following fixes:
Time Handling Fix: The backend now properly handles time ranges when storing detected files, ensuring that if the same file is detected multiple times within the same month, it will update the previous event instead of overwriting it.
Error Handling Improvement: Error handling for cases where a detection event is not found has been improved. Instead of causing a crash, the system now handles the error gracefully, preventing the NDR worker from entering a crashloop.
Please upgrade to NAPP 4.2.0.1 to fix this issue. Note that after the upgrade, the error may still be visible in the UI when displaying older file detections that were detected before the upgrade, but it will not occur for new file detections.
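A minimal model of the failure mode and the two fixes described above, added here as an illustration; it is not NDR backend code. The store layout (one record per file hash and calendar month), all class and function names, and the sample events are assumptions.

```python
from datetime import datetime, timedelta

MERGE_WINDOW = timedelta(days=2)  # the two-day gap from the article; its exact use is assumed

# Constructed sample: the same file detected twice in one month, seven days apart.
SAMPLE = [("evt-1", "sha-A", datetime(2024, 5, 3)),
          ("evt-2", "sha-A", datetime(2024, 5, 10))]

class DetectedFileStore:
    """Toy store holding one record per (file hash, calendar month)."""
    def __init__(self, fixed):
        self.fixed = fixed
        self.records = {}

    def record_detection(self, event_id, sha, ts):
        key = (sha, ts.strftime("%Y-%m"))
        rec = self.records.get(key)
        if rec and (self.fixed or ts - rec["end"] <= MERGE_WINDOW):
            # Update path: extend the end timestamp, keep earlier events.
            rec["end"] = max(rec["end"], ts)
            rec["events"].add(event_id)
        else:
            # First detection, or (buggy mode) a gap over two days:
            # the record is replaced and earlier events are lost.
            self.records[key] = {"start": ts, "end": ts, "events": {event_id}}

    def file_for_event(self, event_id, sha, ts):
        rec = self.records.get((sha, ts.strftime("%Y-%m")))
        if rec is None or event_id not in rec["events"]:
            raise KeyError("The requested entity was not found")
        return rec

def score_messages(store, messages, graceful):
    """Consumer loop; returns (scored, skipped) event ids."""
    scored, skipped = [], []
    for event_id, sha, ts in messages:
        try:
            store.file_for_event(event_id, sha, ts)
            scored.append(event_id)
        except KeyError:
            if not graceful:
                raise  # unhandled: a restarted worker re-reads the same message
            skipped.append(event_id)
    return scored, skipped

def run(fixed, graceful=True):
    store = DetectedFileStore(fixed)
    for msg in SAMPLE:
        store.record_detection(*msg)
    return score_messages(store, SAMPLE, graceful)
```

With the buggy store the earlier event can no longer be resolved, which matches the UI error and, without graceful handling, the repeated worker failure; with the fixed store both events resolve against one record whose end timestamp was extended.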