Countercept (MDR) client is not visible in the Countercept portal after installation

Issue:

WithSecure Managed Detection and Response (MDR) client has been installed to a server but the device is not shown / visible in the WithSecure Countercept portal.

Resolution:

The Countercept MDR client requires a network connection to operate properly. It silently collects activity from the endpoint on which it is installed and then submits a representation of this data to the WithSecure backend.

To guarantee proper transmission, the endpoints need to be able to communicate over HTTP and HTTPS with various subdomains owned by WithSecure ( formerly F-Secure)

*.f-secure.com (ports 80 and 443)
*.fsapi.com (port 443)

Also, the client's response functionality requires access to the following domains in Amazon Web Services:

ac3ujg1ortm4c-ats.iot.eu-west-1.amazonaws.com (port 443, Windows 7 and 2012: port 8883)
c3hquxgihnj763.credentials.iot.eu-west-1.amazonaws.com (port 443)
ew1-famp-prd-system-transfer.s3.eu-west-1.amazonaws.com (port 443)

You must also allow connections to the digicert.com domain as well, as the Windows API may need to verify WithSecure services that are signed with a certificate that is issued by Digicert.

It is also recommended to run our Connectivity Checker tool to determine what addresses are needed to be open in your firewall: https://download.sp.withsecure.com/connectivitytool/ConnectionChecker.exe

The issue could also be related to certificates. Do reinstall the certs and reboot the server for the changes to take effect. Do check that these certificates in the host are valid:

USERTrust RSA Certification Authority	USERTrust RSA Certification Authority	2b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e	https://crt.sh/?id=1199354
AAA Certificate Services	AAA Certificate Services	d1eb23a46d17d68fd92564c2f1f1601764d8e349	https://crt.sh/?id=331986
DigiCert Trusted Root G4	DigiCert Trusted Root G4	ddfb16cd4931c973a2037d3fc83a4d7d775d05e4	https://cacerts.digicert.com/DigiCertTrustedRootG4.crt

If connectivity and certificates are OK, make sure that you have the required Azure Code Signing (ACS) Windows updates installed on the server or workstation: Changes in support on Microsoft Windows – Minimum patch level. - WithSecure Community. Without Azure Code Signing support, the Ultralight Core update will fail to install which will lead to fsatpn.exe and fsatpl.exe processes not being able to start.

Ensure your system time is accurate, or certificate validation will fails. Many crypto functions depend on accurate time keeping to function properly.

Lastly, be sure to use only supported versions of the Countercept installer. Recommended best practice is to always use the latest installer available.

If you have check all the above and the issue still persists, please create WSDIAG log file from the client and attach it to during Technical Support Ticket creation.

Article no: 000037473