[Security Solution] Cannot disable Malware protection with Basic License in ELK 8.4.3

[RainbowHerbicides]

Describe the bug:
Malware protection could not be disabled after update to 8.4.3 or possible to 8.4.x (was only discovered recently but user reports that 8.3.x worked fine). After setting toggle to disable and attempt to save integrated policy -> receive error "Requires Platinum license"

Kibana/Elasticsearch Stack version:
8.4.3/8.4.3 Basic License

Server OS version:
Non applicable

Browser and Browser OS versions:
Non applicable - error can be reproduced on any modern browser

Elastic Endpoint version:
Endpoint Security v8.4.1

Original install method (e.g. download page, yum, from source, etc.):
Docker container from official repo

Steps to reproduce:
Exact steps is not known but possibly:

1. Have ELK instance version 7.x with Fleet and Endpoint Security set up and installed
2. Set "Malware protection" to "enabled" and "Detect" options + save.
3. Perform gradual update to major versions up to 8.4.3 for all ELK stack
4. Try to edit integrated policy by setting "Malware protection" to "disabled" and save
5. Fail

Current behavior:
Cannot disable Malware protection in integrated policy

Expected behavior:
Malware protection disabled and policy saved + applied

Screenshots (if relevant):

1. Trying to edit this policy
   

2. Initial state is - Malware protection enabled
   

3. Setting state to - Malware protection disabled
   

4. Trying to save but receive this error
   

Errors in browser console (if relevant):

Provide logs and/or server output (if relevant):

[2022-11-11T12:12:14.427+00:00][WARN ][plugins.securitySolution] Incorrect license tier for paid policy fields
[2022-11-11T12:12:14.427+00:00][ERROR][plugins.fleet] Error: Requires Platinum license
    at validatePolicyAgainstLicense (/usr/share/kibana/x-pack/plugins/security_solution/server/fleet_integration/handlers/validate_policy_against_license.js:20:26)
    at /usr/share/kibana/x-pack/plugins/security_solution/server/fleet_integration/fleet_integration.js:90:71
    at PackagePolicyService.runExternalCallbacks (/usr/share/kibana/x-pack/plugins/fleet/server/services/package_policy.js:724:30)
    at updatePackagePolicyHandler (/usr/share/kibana/x-pack/plugins/fleet/server/routes/package_policy/handlers.js:244:52)
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at Router.handle (/usr/share/kibana/node_modules/@kbn/core-http-router-server-internal/target_node/router.js:163:30)
    at handler (/usr/share/kibana/node_modules/@kbn/core-http-router-server-internal/target_node/router.js:124:50)
    at exports.Manager.execute (/usr/share/kibana/node_modules/@hapi/hapi/lib/toolkit.js:60:28)
    at Object.internals.handler (/usr/share/kibana/node_modules/@hapi/hapi/lib/handler.js:46:20)
    at exports.execute (/usr/share/kibana/node_modules/@hapi/hapi/lib/handler.js:31:20)
    at Request._lifecycle (/usr/share/kibana/node_modules/@hapi/hapi/lib/request.js:371:32)
    at Request._execute (/usr/share/kibana/node_modules/@hapi/hapi/lib/request.js:281:9)

Any additional context (logs, chat logs, magical formulas, etc.):
Error looks like a duplicate of #86073 but in reverse #86402 since I cannot disable it

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[elasticmachine]

Pinging @elastic/security-onboarding-and-lifecycle-mgt (Team:Onboarding and Lifecycle Mgt)

[kevinlog]

@RainbowHerbicides thanks for filing this issue. Sorry that you are running into a bug.

I wasn't able to reproduce this yet in my local tests. Can you provide some additional information to help us debug?

1. Since you are upgrading the stack, I'm thinking that there is a Policy migration issue. Can you confirm that the affected Policy existed in the 7.x versions of the stack and has gone through several upgrades?
2. Can you create a brand new policy and see if you are able to disable Malware? If it's a migration problem, creating a brand new policy should work as expected with the basic license.
3. Can you provide the yml configuration for the affected Policy? This will help us see which settings could be causing a problem. you can do this by doing the below.

Go to the affected Policy in Fleet and click "View Policy".

Find the endpoint input

You can either c/p the policy section here:

Or you can just click "Download policy" and share it.

The most important part of the policy for us to look at will look something like the below:

    policy:
      windows:
        events:
          dll_and_driver_load: false
          dns: false
          file: false
          network: false
          process: true
          registry: false
          security: false
        malware:
          mode: prevent
          blocklist: true
        ransomware:
          mode: 'off'
          supported: false
        memory_protection:
          mode: 'off'
          supported: false
        behavior_protection:
          mode: 'off'
          supported: false
        popup:
          malware:
            enabled: true
            message: ''
          ransomware:
            enabled: false
            message: ''
          memory_protection:
            enabled: false
            message: ''
          behavior_protection:
            enabled: false
            message: ''
        logging:
          file: info
        antivirus_registration:
          enabled: false
        attack_surface_reduction:
          credential_hardening:
            enabled: false
      mac:
        events:
          process: true
          file: false
          network: false
        malware:
          mode: prevent
          blocklist: true
        behavior_protection:
          mode: 'off'
          supported: false
        memory_protection:
          mode: 'off'
          supported: false
        popup:
          malware:
            enabled: true
            message: ''
          behavior_protection:
            enabled: false
            message: ''
          memory_protection:
            enabled: false
            message: ''
        logging:
          file: info
      linux:
        events:
          process: true
          file: false
          network: false
          session_data: false
          tty_io: false
        malware:
          mode: prevent
          blocklist: true
        behavior_protection:
          mode: 'off'
          supported: false
        memory_protection:
          mode: 'off'
          supported: false
        popup:
          malware:
            enabled: true
            message: ''
          behavior_protection:
            enabled: false
            message: ''
          memory_protection:
            enabled: false
            message: ''
        logging:
          file: info

[RainbowHerbicides]

@kevinlog Thank you for your reply. Unfortunately, I cannot provide precise information regarding when this policy had been changed and at which versions but I can provide information when it was created (at which ELK stack version - we keep all components at the same one during update)

1. According to my records regarding works that had been done against ELK - Fleet integration with test policy (that become production one) had been added at 7.17 and survived update to 8.0.0 -> 8.1.0 -> 8.1.1 -> 8.2.0 -> 8.2.1 -> 8.2.2 -> 8.3.0 -> 8.4.0 -> 8.4.3 (and currently on this version). Some minor versions had been skipped due to no breaking changes or deprecations had been present
2. I will check with responsible team. They probably will implement this workaround
3. Sure thing - policy is already on 12 revision:

    policy:
      linux:
        behavior_protection:
          mode: 'off'
          supported: false
        popup:
          behavior_protection:
            enabled: false
            message: ''
          malware:
            enabled: true
            message: ''
          memory_protection:
            enabled: false
            message: ''
        malware:
          mode: detect
          blocklist: true
        advanced:
          event_filters:
            default: false
          fanotify:
            ignore_unknown_filesystems: false
        logging:
          file: info
        events:
          process: true
          session_data: false
          file: true
          network: true
        memory_protection:
          mode: 'off'
          supported: false
      windows:
        behavior_protection:
          mode: 'off'
          supported: false
        popup:
          behavior_protection:
            enabled: false
            message: ''
          malware:
            enabled: true
            message: ''
          ransomware:
            enabled: false
            message: ''
          memory_protection:
            enabled: false
            message: ''
        malware:
          mode: detect
          blocklist: true
        attack_surface_reduction:
          credential_hardening:
            enabled: false
        advanced:
          event_filters:
            default: false
        logging:
          file: info
        antivirus_registration:
          enabled: false
        events:
          registry: true
          process: true
          security: true
          file: true
          dns: true
          dll_and_driver_load: true
          network: true
        ransomware:
          mode: 'off'
          supported: false
        memory_protection:
          mode: 'off'
          supported: false
      mac:
        behavior_protection:
          mode: 'off'
          supported: false
        popup:
          behavior_protection:
            enabled: false
            message: ''
          malware:
            enabled: true
            message: ''
          memory_protection:
            enabled: false
            message: ''
        malware:
          mode: detect
          blocklist: true
        advanced:
          event_filters:
            default: false
        logging:
          file: info
        events:
          process: true
          file: true
          network: true
        memory_protection:
          mode: 'off'
          supported: false

[kevinlog]

@RainbowHerbicides thank you for the information. I was able to pinpoint the problem. As I suspected, the issue was a bad migration. I put up a fix for this, however, you can unblock yourself now by creating a new Endpoint Policy from scratch and updating settings in the Endpoint integration to match the old Policy.

I would suggest first creating a new Agent Policy without any Agents assigned to it. Then add the new Elastic Defend integration (this is the what the Endpoint Security integration is called now, the functionality and policy options are the same). Get that Policy set up and then reassign your Agents to the new Policy. This will ensure that there isn't a gap in protection when you switch policies.

Let me know if that works

[RainbowHerbicides]

@kevinlog I would like to apologise, I completely forgot about this issue. Yes, creation of new policy helped, so I will close this issue