IBM Support

QRadar EDR: Updating to the Latest Windows Agent Release (3.12.1 or later)

Troubleshooting


Problem

Agents running a version earlier than 3.12.0 must first be updated to version 3.12.0 before any later 3.12.* release of the Windows agent is enabled. Skipping this intermediate step causes the agent update to fail.

Symptom

The Windows agent cannot be updated to the latest release. Although version 3.12.2 has been activated globally, online endpoints still report a version in the 3.11.x range or older.

Cause

Updating to Windows agent version 3.12.0 is mandatory because the EDR binaries are now signed with a new code-signing certificate. Agents older than 3.12.0 cannot validate that signature, which is why their automatic update attempts fail.

Environment

Windows agent in IBM QRadar EDR.

Diagnosing The Problem

If an agent fails to upgrade to 3.12.1 or any higher version, use the threat hunt feature and run the query shown in the original screenshot:
[Image: threat hunt query used to find failed automatic updates (screenshot not recoverable from this page)]
Note: You can narrow the query down by filtering for the affected endpoint names and groups.
 
Compare the returned events with the following examples (the endpoint name is shown as XXXXXX):
2025-01-27 15:15:17    XXXXXX    Custom Event    No Process    Automatic Update    Component: hive-installer Failed to validate Signature
2025-01-27 15:14:01    XXXXXX    Custom Event    No Process    Automatic Update    Component: hive-installer Failed to validate Signature

Resolving The Problem

To resolve the issue, start by upgrading the affected endpoints to Windows agent version 3.12.0. While this update runs, make sure that every version higher than 3.12.0 is disabled in the Update Manager. Once the endpoints report 3.12.0, you can enable the higher agent versions.


Importance of Sequential Upgrades:

  • Mandatory Upgrade Path: To upgrade successfully to version 3.12.1 or higher, an endpoint must first be upgraded to 3.12.0. This sequence is required for every endpoint that is below 3.12.0.


Initiating the Upgrade Process:

  • Uploading to Dashboard: Upload the new agent version into the Update Manager on the dashboard.
  • Deployment Readiness: Confirm that the update shows as ready to deploy, with no errors displayed on the dashboard.


Upgrade Process:

  • Sequential Enablement: In the Update Manager on the dashboard, first enable version 3.12.0 for each endpoint that has not yet been upgraded to it. After that update completes, enable version 3.12.1 or any higher version.
  • Avoiding Conflicts: Enabling version 3.12.0 and a higher version at the same time for the same endpoint creates a conflict that prevents the endpoint from upgrading at all.


Group Strategy:

  • For Challenging Cases: Group the endpoints, and enable version 3.12.1 (or the highest available version) only for groups whose members are already on 3.12.0. Once the remaining endpoints reach 3.12.0, they can be upgraded collectively to 3.12.1 or the most recent version available.
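The staging rule above can be checked mechanically before versions are enabled in the Update Manager. The following Python helper is an added example, not part of this technote and not IBM code: it scans threat hunt results for the hive-installer signature failure shown above and, from a per-endpoint version inventory, computes the single version that may be enabled next (3.12.0 for anything below it, otherwise the newest available release). It assumes the hunt results are exported as tab-separated rows in the column order shown above; the endpoint names, the inventory and the third (non-failure) row are constructed.

```python
import re

# Constructed sample of threat-hunt output, modelled on the rows shown above;
# endpoint names are placeholders, and the third row is an invented non-failure
# event included to show that it is filtered out.
SAMPLE_ROWS = [
    "2025-01-27 15:15:17\tWS-ALPHA\tCustom Event\tNo Process\tAutomatic Update\tComponent: hive-installer Failed to validate Signature",
    "2025-01-27 15:14:01\tWS-BETA\tCustom Event\tNo Process\tAutomatic Update\tComponent: hive-installer Failed to validate Signature",
    "2025-01-27 15:13:40\tWS-GAMMA\tCustom Event\tNo Process\tAutomatic Update\tComponent: hive-installer Update completed",
]

# Constructed inventory: endpoint -> agent version currently reported.
SAMPLE_INVENTORY = {"WS-ALPHA": "3.11.7", "WS-BETA": "3.10.2", "WS-GAMMA": "3.12.0", "WS-DELTA": "3.12.1"}
AVAILABLE = ["3.12.0", "3.12.1", "3.12.2"]   # versions uploaded to the Update Manager
BRIDGE = (3, 12, 0)                          # the mandatory intermediate release

FAILURE_RE = re.compile(r"Component: hive-installer Failed to validate Signature")

def parse_version(text):
    """'3.12.1' -> (3, 12, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in text.strip().split("."))

def signature_failures(rows):
    """Count hive-installer signature-validation failures per endpoint."""
    counts = {}
    for row in rows:
        fields = row.split("\t")
        if len(fields) >= 6 and FAILURE_RE.search(fields[5]):
            counts[fields[1]] = counts.get(fields[1], 0) + 1
    return counts

def next_target(current, available):
    """Single version to enable next: below 3.12.0 only 3.12.0 itself is
    permitted; at or above it, the newest available release may be enabled."""
    cur = parse_version(current)
    avail = sorted(parse_version(v) for v in available)
    if cur < BRIDGE:
        return "3.12.0" if BRIDGE in avail else None
    newer = [v for v in avail if v > cur]
    return ".".join(map(str, newer[-1])) if newer else None

def plan_upgrades(inventory, rows, available):
    """Per endpoint: next version to enable, and whether the hunt shows the failure."""
    failures = signature_failures(rows)
    return {
        host: {"next": next_target(ver, available), "stuck": failures.get(host, 0) > 0}
        for host, ver in inventory.items()
    }
```

An endpoint flagged as stuck with a next target of 3.12.0 is one where a higher version was enabled too early; disable the higher versions for it and enable 3.12.0 alone.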


Document Information

Modified date:
28 January 2025

UID

ibm17180461