Endpoint Detection and Response endpoint is displaying the needs attention indicator . Click the indicator to see the message. If you receive the following error message:
"EDR Kernel module is not running."
Then this is due to the following reasons:
- Kernel module is not installed due to missing Dynamic Kernel Module Support (DKMS) or Kernel headers dependencies.
- An unexpected crash or kernel driver malfunction.
Check the Endpoint Detection and Response logs in '/var/log/com.malwarebytes.edr.log' for detailed information. For information on generating logs, see Collect Endpoint Agent diagnostic logs.
Check for kernel module errors
Run this command to see if the module is correctly installed on your system:
- $ sudo modinfo mbedr_drv
Below are the possible outputs and resolutions:
| Output | Resolution |
|
ERROR: Module mbedr_drv not found. The kernel module has not been built on the system. |
|
| ERROR: could not get modinfo from 'mbedr_drv': No such file or directory |
EDR VERSION: The current Endpoint Detection & Response plugin version. To find this, see Nebula architecture. |
|
Output: filename: /lib/modules/XXXXX-generic/updates/dkms/mbedr_drv.ko |
|
Signing a kernel module
Systems with Unified Extensible Firmware Interface (UEFI) and Secure Boot enabled may require kernel modules to be cryptographically signed by a key trusted through the kernel. To sign the mbedr_drv module:
- Create a sign key with OpenSSL.
- openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=Descriptive common name/"
- Sign the module.
- sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n mbedr_drv)
- Import the Machine Owner Key (MOK).
- sudo mokutil --import MOK.der
- Reboot.
- Follow distribution documentation on enrolling MOK.
