This article provides solutions for potential issues during the upgrade to version 3.11.1 or higher, ensuring a smooth transition for users.
Upgrade Failure
Common Failure Scenario
Diagnosis:
- The occurrence of a "Signature check failed" event often indicates an upgrade failure.
- This failure is typically caused by an incomplete certificate chain on the Windows side. Specifically, general certificates might be missing on the endpoint.
If agent version 3.11.0 fails to upgrade to 3.11.1 or to any later version, use the threat hunt feature and execute the following query:
You can narrow the query down by filtering for the affected endpoint names and groups.
Examine the log results to compare and match them with the examples:
2023-11-09 15:15:17 XXXXXX
Custom Event No Process Automatic Update
Component: hive-installer Failed to validate Signature
2023-11-09 15:14:01 XXXXXX
Custom Event No Process Automatic Update
Component: hive-installer Failed to validate Signature
Resolution Steps:
- Update Windows:
Ensure that Windows is updated to the latest version available. An upgrade can fix the issue related to the required certificates.
- Support Intervention:
If upgrading Windows does not resolve the issue or if you run into problems with the upgrade, open a support case. The support team provides the necessary certificates to resolve the issue and enable a successful upgrade.
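To confirm the diagnosis above on an affected endpoint, the following PowerShell script (an added example, not part of the original article or of the product) reports whether Windows can build a complete certificate chain for a signed file. The `-Path` parameter is an assumption: it is a local copy of the signed update package that the operator supplies, and no product file path is implied.

```powershell
# Added example: checks whether this endpoint can build a full certificate
# chain for the Authenticode signature of a signed file.
# Assumption: -Path points to a local copy of the signed update package.
param(
    [Parameter(Mandatory)]
    [string]$Path
)

$sig = Get-AuthenticodeSignature -FilePath $Path
"Signature status : $($sig.Status)"
"Status message   : $($sig.StatusMessage)"

if (-not $sig.SignerCertificate) {
    Write-Warning 'No signer certificate found; the file is unsigned or unreadable.'
    return
}

$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
# Skip revocation checks so the result reflects chain completeness only,
# not whether the endpoint can reach CRL or OCSP servers.
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

$built = $chain.Build($sig.SignerCertificate)
"Chain builds to a trusted root: $built"

# List every certificate Windows managed to place in the chain.
foreach ($element in $chain.ChainElements) {
    $cert = $element.Certificate
    '  {0} | expires {1:yyyy-MM-dd} | issuer: {2}' -f $cert.Subject, $cert.NotAfter, $cert.Issuer
    foreach ($status in $element.ChainElementStatus) {
        "      element status: $($status.Status) - $($status.StatusInformation.Trim())"
    }
}

# PartialChain or UntrustedRoot here means an intermediate or root
# certificate is missing from the endpoint's certificate stores.
foreach ($status in $chain.ChainStatus) {
    "Chain status: $($status.Status) - $($status.StatusInformation.Trim())"
}
```

A result of `PartialChain` or `UntrustedRoot` matches the incomplete certificate chain described under Diagnosis; an empty chain status list with a successful build points to a different cause.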
Upgrade Prerequisites for 3.11.1 and above
Importance of Sequential Upgrades
- Mandatory Upgrade Path: To successfully upgrade to version 3.11.1 or higher, it is crucial to first upgrade to 3.11.0. This sequence is required for all endpoints running a version below 3.11.0.
Initiating the Upgrade Process
- Uploading to Dashboard: The new update version must be uploaded into your Update Manager on the dashboard.
- Deployment Readiness: Ensure that the update is ready to deploy without any errors displayed on the dashboard.
Upgrade Process
- Sequential Enablement: From the Update Manager on the dashboard, first enable version 3.11.0 for each endpoint (if not already upgraded). Upon completion of this update, proceed to update to version 3.11.1 or any higher version.
- Avoiding Conflicts: Enabling version 3.11.0 and any higher version simultaneously for an endpoint results in a conflict, which prevents the endpoint from upgrading.
Group Strategy
- For Challenging Cases: You can group the endpoints. Enable version 3.11.1, or a higher available version, only for groups that are already on version 3.11.0. Once the remaining endpoints update to 3.11.0, they can be collectively upgraded to 3.11.1 or the most recent version available.
Note: Version 3.11.0 is responsible for digital signature renewal and is therefore a mandatory step before upgrading to 3.11.1 or higher.
For detailed information, refer to QRadar EDR: Updating to the Latest Windows Agent Release.
Document Information
Modified date: 13 December 2023
UID: ibm17091343