05-29-2024 02:39 PM
We have several machines that are now reporting "Partially Protected" when we enabled Certificate Enforcement on them.
First they started to show "Local-Store fallback used" in audit logs (informational severity), now we see "Failed to enable certificate enforcement due to local-store fallback" high severity messages and a Partially Protected Operational status for the hosts.
I am seeing policy and content updates coming through just fine, and the hosts stay connected to the portal.
1) What exactly does Partially Protected status mean for hosts with this particular problem?
2) How is this issue fixed?
05-29-2024 10:37 PM
Hello @rufat87 ,
Thank you for reaching out on Live Community.
Enabling the feature, makes the agent not to use the Local Root CA certificate Store anymore and use only the pinned roots.pem certificate file, this way protecting from Man In The Middle (MITM) attacks.
Please check in Endpoints Tab, there is a Last Certificate Enforcement Fallback field. If you find the values appearing there that means the Agent is not using the root.pem certificate and falling back to local store.
Once you enable the feature, the agent starts with learning mode phase. Failure to pass the learning mode results into agent stay in Partially Protected until the feature is disabled.
Please ensure that you are not decrypting the agent traffic or SSL inspection is not enabled in your proxy or VPN. You can open a TAC case for further support.
If you feel this has answered your query, please let us know by clicking on "mark this as a Solution".
05-30-2024 07:02 AM
You have not really answered on what protection for the host is now partial? What protection modules are disabled for such hosts?
Is disabling Certificate Enforcement for such hosts a feasible solution - temporarily or permanently?
05-30-2024 07:13 AM
It seems you didn't notice the below statement:
Once you enable the feature, the agent starts with learning mode phase. Failure to pass the learning mode results into agent stay in Partially Protected until the feature is disabled.
As you have mentioned the error is "Failed to enable certificate enforcement due to local-store fallback". That means Certificate enforcement is not enabled and instead of root.pem , the agent is using Local store certificate which is not recommended. Hence, partially protected.
The solution is not disabling the policy, it is finding out why it is falling back. The reason may be that, you are decrypting the agent traffic or SSL inspection is enabled in your proxy or VPN.
Hence, please open a TAC support case to troubleshoot further.
Hope this helps.
05-30-2024 11:01 AM - edited 05-30-2024 11:01 AM
No, I have read your comment.
So it is falling back to use local cert which is "not recommended" and therefore is becoming vulnerable to possible "Man In The Middle (MITM) attacks". That's the only reason XDR is tagging these as Partially Protected, everything else works just fine in regards to prevention modules and operationally.
We will investigate this further with TAC, thanks for response.
05-30-2024 09:13 PM
That's right. Hope this get resolve asap.
If you feel this has answered your query, please let us know by clicking on "mark this as a Solution".
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
