A Malwarebytes Endpoint Detection and Response endpoint is displaying the needs attention indicator. Click the indicator to see the message. If you receive the following error message:
"EDR Kernel module is not running."
Then this is due to one of the following reasons:
- Kernel module is not installed due to missing Dynamic Kernel Module Support (DKMS) or Kernel headers dependencies.
- An unexpected crash or kernel driver malfunction.
Check the Endpoint Detection and Response logs in '/var/log/com.malwarebytes.edr.log' for detailed information.
Check for kernel module errors
Run this command to see if the module is correctly installed on your system:
- $ sudo modinfo mbedr_drv
Below are the possible outputs and resolutions:
Output | Resolution |
ERROR: Module mbedr_drv not found. The kernel module has not been built on the system. |
|
ERROR: could not get modinfo from 'mbedr_drv': No such file or directory |
EDR VERSION: The current Endpoint Detection & Response plugin version. To find this, see Agent Information in Malwarebytes Nebula |
Output: filename: /lib/modules/XXXXX-generic/updates/dkms/mbedr_drv.ko |
|
Signing a kernel module
Systems with Unified Extensible Firmware Interface (UEFI) and Secure Boot enabled may require kernel modules to be cryptographically signed by a key that the kernel trusts. To sign the mbedr_drv module:
- Create a signing key with OpenSSL.
  - openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=Descriptive common name/"
- Sign the module.
  - sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n mbedr_drv)
- Import the Machine Owner Key (MOK).
  - sudo mokutil --import MOK.der
- Reboot.
  - Follow distribution documentation on enrolling MOK.
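To confirm the result of the steps above, the following added example (not Malwarebytes code) classifies the output of modinfo mbedr_drv as not built, built but unsigned, or signed. The function name classify_modinfo and the sample outputs are constructed for illustration, and the --live branch assumes MOK.der is in the current directory.

```shell
#!/bin/sh
# Added example (not Malwarebytes code): tell "module not built" apart from
# "built but unsigned" and "signed" using the output of `modinfo mbedr_drv`.

# classify_modinfo TEXT -> prints not-built | unsigned | signed:<signer> | unknown
classify_modinfo() {
    case "$1" in
        *"ERROR:"*) echo "not-built"; return ;;
    esac
    # modinfo prints a "signer:" field only when the .ko carries a signature.
    signer=$(printf '%s\n' "$1" | sed -n 's/^signer:[[:space:]]*//p' | head -n 1)
    if [ -n "$signer" ]; then
        echo "signed:$signer"
    elif printf '%s\n' "$1" | grep -q '^filename:'; then
        echo "unsigned"
    else
        echo "unknown"
    fi
}

# Constructed sample outputs, built from the strings quoted in the article.
SAMPLE_MISSING="ERROR: Module mbedr_drv not found."
SAMPLE_UNSIGNED="filename:       /lib/modules/XXXXX-generic/updates/dkms/mbedr_drv.ko"
SAMPLE_SIGNED="filename:       /lib/modules/XXXXX-generic/updates/dkms/mbedr_drv.ko
signer:         Descriptive common name
sig_hashalgo:   sha256"

if [ "${1:-}" = "--live" ]; then
    # Inspect this host: module state, Secure Boot state, MOK enrollment.
    echo "module: $(classify_modinfo "$(modinfo mbedr_drv 2>&1)")"
    mokutil --sb-state
    mokutil --test-key MOK.der
else
    # No argument: run the classifier over the constructed samples.
    for s in "$SAMPLE_MISSING" "$SAMPLE_UNSIGNED" "$SAMPLE_SIGNED"; do
        classify_modinfo "$s"
    done
fi
```

Because -nodes leaves MOK.priv unencrypted, restrict it to root or move it off the endpoint after signing: once the MOK is enrolled, any module signed with that key is accepted by the kernel.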