Agents Introduction

Purpose

This document provides an introduction to Outpost24 Agents.

Introduction

The standard Agent reports its information back to OUTSCAN, regardless where in the world that endpoint is located. If it has an Internet connection, it will report back its vulnerability information.

How Does the Agents Work?

The Agent installs on to the system and calls home to the API regularly. When doing so they may receive information about a schedule, which they remember and plan their scanning according to. As the time of a scheduled scan arrives, they run the scan and once done submitting the results to the API. Failing to submit to the API will leave the results around for the next call home.

Compliance Scanning is not possible on agents.

Scanning Window

The scanning window is set to 24 hours for agents since OUTSCAN prioritize scheduled scans before agent scans. Also the agent discovery window is set to 24 hours.

What Rights are Needed?

The Agent installs as a fully privileged service and are able to access the full registry (when running on Windows).

Agent Resource Consumption

It can not be said exactly how much resources agents will consume until it runs on the target. Usage majorly depends on how much there is to scan on the target and the number of targets.

CPU

When completely idle, the agent consumes a very small amount of clock cycles since it is only waiting to be woken up by a timer when it should attempt a call-home or do a scan.

When not waiting, it can do one out of two things:

Run a scan
Perform a Call-home

Calling home may consume a decent amount of CPU related to encrypting and sending traffic to the agent server.

Running a scan is very likely to consume 100% of a single core for a while. The duration depends on how much the scan is going to find. Our tools does some enumeration tasks and the more data is present, the more data will need to be processed, thus increasing the duration and the amount of necessary clock cycles. Currently this process is limited to a single core because of the utilities we are using.

The entire agent is configured to have low CPU priority, and unless other programs are configured to use low priority as well, the agent will not compete for clock cycles with other programs.

RAM & Disk

This depends heavily on the amount of data the agent is going to find when running a scan. Each unit of processing being done (varies on the task, some stream, some do not) must be stored in memory. Generally this is relatively little, for example each registry key being extracted and analyzed is flushed to disk before the next is fetched, thus reducing RAM usage, but sometime we need to read larger amount of data into memory. The agent should not spike significantly in memory usage.

Similarly, the data being extracted during scanning is stored on disk until the next call-home. The amount of data stored follows the same rules as RAM usage. However, only the latest scan data is being stored and does not accumulate more data over time even if a call-home is missed. Log data do however accumulate over time if not able to call home.

Network

Network usage is dependent on the amount of data needed to be sent during a call-home (general size of scan result) and how often it will have data to send (depend on the configured schedules). Do keep in mind that if an agent is part of multiple schedules, it will scan once for each schedule and then upload the scan result independently for these schedules as well.

License Consumption Information

To see the number of licenses being consumed:

Navigate to Main Menu > Settings > Account.

Click on the License tab.

In the Agent Information area, the number of Registered, Scanned and Outdated agents are displayed.

Option	Description
Agent registered	Shows the number of registration agents.
Agent scanned	Shows the number of scanned agents.
Agent outdated	Shows how many assets are running an outdated Agent version, indicating the number of Agents need updating.

Note

An agent is considered as any other scan and therefor licensed as such. An agent that performs a scan will require one (1) license from your license pool. When an asset is also being scanned from an external scanner it also will require a license. If an agent AND a external scanner both scans the same asset, it will require two (2) licenses as it is seen as two (2) different assets.

Firewall Set Up For Agents

The agents need access to the Agent Server to:

Enroll the Agent
Retrieve the schedule and instructions
Upload the scan results such as inventory of software and configuration
Upload logs

Configure the firewall accordingly.

Service	Destination	Port	Protocol	Direction	Description
Agent communication	teddysalad.outpost24.com (Agent Server)	443	HTTPS	Outbound	Enrollment, Scheduling, Scan results, Logs

On What Priority is the Agent Running?

The agent consume negligible resources when not scanning since it is waiting on two timers; the call home timer and the scan schedule timer. When scanning, it use what it needs from the system. Scanning consists of evaluation of commands (psh/sh), slight file I/O, and registry access on Windows.
Since the agent is running as idle priority on Windows and on other systems it is running with niceness 16 by default, it will only use resources when the OS says there is nothing better to do with them.
See https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-setpriorityclass:

IDLE_PRIORITY_CLASS
0x00000040
Process whose threads run only when the system is idle. The threads of the process are preempted by the threads of any process running in a higher priority class. An example is a screen saver. The idle-priority class is inherited by child processes.

Agent Results Retention Policy

Retention policy for agent results is set to 30 days, reducing the risk of outdated data during scans. That means that if no new data has been uploaded within the last 30 days, the scans fails, ensuring a better accuracy of the results.