The Endpoint Detection and Response (EDR) endpoint displays the needs-attention indicator. Click the indicator to see the message. If you receive the following error message:
"EDR Kernel module is not running."
then it is due to one of the following reasons:
- The kernel module is not installed because the Dynamic Kernel Module Support (DKMS) or kernel headers dependencies are missing.
- An unexpected crash or kernel driver malfunction.
Check the EDR logs in '/var/log/com.malwarebytes.edr.log' for detailed information. For information on generating logs, see Collect Endpoint Agent diagnostic logs.
Check for kernel module errors
Run this command to see if the module is correctly installed on your system:
- $ sudo modinfo mbedr_drv
Below are the possible outputs and resolutions:
Output | Resolution
--- | ---
ERROR: Module mbedr_drv not found. | The kernel module has not been built on the system.
ERROR: could not get modinfo from 'mbedr_drv': No such file or directory | EDR VERSION: The current EDR plugin version. To find this, see Nebula architecture.
filename: /lib/modules/XXXXX-generic/updates/dkms/mbedr_drv.ko |
Signing a kernel module
Systems with Unified Extensible Firmware Interface (UEFI) and Secure Boot enabled may require kernel modules to be cryptographically signed by a key trusted through the kernel.
Red Hat based distros (Red Hat, CentOS, Rocky, Fedora)
- Verify Secure Boot is on with the following command:
sudo mokutil --sb-state
- Open terminal and run the following commands:
$ cd /var/lib/dkms
$ ls -l
- Look for two files, mok.key and mok.pub. mok.key is the private key used to sign the module and mok.pub is the public key to enroll in Secure Boot. You should also see the mbedr_drv directory.
- Enter the following command and, when prompted, create a temporary password; it is required to enroll mok.pub at the next boot:
mokutil --import mok.pub
- Reboot the machine.
- Press a button when prompted to enter the Machine Owner Key (MOK) Manager EFI utility.
- Select Enroll MOK > Continue > Yes.
- Enter the password added in step 3 and select OK to reboot the machine again.
- Verify the kmod is running with the following command:
$ sudo modprobe mbedr_drv
Debian based distros (Ubuntu, Pop!_OS) and other distros
- Verify Secure Boot is on with the following command:
sudo mokutil --sb-state
- Generate a personal RSA key pair, consisting of a public and a private key, to sign the kernel modules. You can choose to store the key pair, for example, in the /var/lib/shim-signed/mok directory:
$ sudo mkdir -p /var/lib/shim-signed/mok
$ sudo openssl req -config /usr/lib/ssl/openssl.cnf -new -x509 -newkey rsa:2048 -nodes -days 36500 -outform DER -keyout "/var/lib/shim-signed/mok/MOK.priv" -out "/var/lib/shim-signed/mok/MOK.der" -subj "/CN=MODULE/"
- If the second command fails, the /usr/lib/ssl/openssl.cnf file is not in that directory. Some distributions place it in the /etc directory instead.
- To locate the correct path, search both locations with the following command and pass the result to -config:
find /etc /usr -name "openssl.cnf"
$ sudo chmod 600 /var/lib/shim-signed/mok/*
- Enroll the public key MOK.der into the MOK list, creating a temporary password when prompted, with the following commands:
$ sudo mokutil --import /var/lib/shim-signed/mok/MOK.der
input password:
input password again:
- Check whether your key will be offered for enrollment at the next boot with the following command:
$ sudo mokutil --list-new
- It prints the public key that you will enroll on the Secure Boot screen at the next reboot.
- Reboot the machine.
- Press a button when prompted to enter the MOK Manager EFI utility.
- Select Enroll MOK > Continue > Yes
- Enter the password created when enrolling MOK.der and select OK to reboot the computer.
- Run the following command:
$ modinfo mbedr_drv
- You will see output like this:
filename: /lib/modules/6.5.6-arch2-1/updates/dkms/mbedr_drv.ko
version: 0.0.87
...
- Retrieve the file name path and navigate into it, for example:
cd /lib/modules/6.5.6-arch2-1/updates/dkms/
- Sign the module with the following command:
$ sudo /lib/modules/$(uname -r)/build/scripts/sign-file sha256 /var/lib/shim-signed/mok/MOK.priv /var/lib/shim-signed/mok/MOK.der mbedr_drv.ko
- Verify the kmod is running with the following command:
$ sudo modprobe mbedr_drv
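The following diagnostic script is an added example, not part of the Malwarebytes article: it maps `modinfo` output to the states in the table above, checks whether the built .ko already carries an appended signature (the trailer written by the kernel's sign-file), and reports whether signing is still needed under Secure Boot. The `mbedr_drv` module name and log path come from the article; the function names and messages are the example's own.

```shell
#!/bin/sh
# Added helper (not Malwarebytes code): tell "module not built" apart from
# "module built but unsigned while Secure Boot is on" before rebooting.

# Map modinfo output (on stdin) to: not_built, missing_file,
# installed:<path to .ko>, or unknown.
classify_modinfo() {
    out=$(cat)
    case "$out" in
        *"Module mbedr_drv not found"*) echo not_built ;;
        *"could not get modinfo from"*) echo missing_file ;;
        *"filename:"*)
            path=$(printf '%s\n' "$out" | sed -n 's/^filename:[[:space:]]*//p' | head -n 1)
            echo "installed:$path" ;;
        *) echo unknown ;;
    esac
}

# A module signed with scripts/sign-file ends with the 28-byte marker
# "~Module signature appended~\n". Returns 0 when the marker is present.
ko_is_signed() {
    [ -f "$1" ] || return 2
    [ "$(tail -c 28 "$1" | tr -d '\n')" = "~Module signature appended~" ]
}

main() {
    state=$(modinfo mbedr_drv 2>&1 | classify_modinfo)
    case "$state" in
        not_built)
            echo "mbedr_drv not built: check DKMS and kernel headers, then /var/log/com.malwarebytes.edr.log" ;;
        missing_file)
            echo "mbedr_drv is registered but its .ko is missing for $(uname -r): check the DKMS build" ;;
        installed:*)
            ko=${state#installed:}
            if ko_is_signed "$ko"; then
                echo "$ko is signed"
            elif mokutil --sb-state 2>/dev/null | grep -q enabled; then
                echo "$ko is unsigned and Secure Boot is enabled: sign it with sign-file and enroll the MOK"
            else
                echo "$ko is unsigned; Secure Boot is not reported as enabled"
            fi ;;
        *) echo "could not interpret modinfo output" ;;
    esac
}

# Run the check only when invoked as: sh edr_kmod_check.sh --check
if [ "${1:-}" = "--check" ]; then main; fi
```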