Agent - FAQ
Purpose
This document provides answers to frequently asked question around deploying the Outpost24 Agent.
Introduction
The standard Agent reports its information back to OUTSCAN, regardless where in the world that endpoint is located. If it has an Internet connection, it will report back its vulnerability information.
How does the agents work?
The Agent installs on to the system and calls home to the API regularly. When doing so they may receive information about a schedule, which they remember and plan their scanning according to. As the time of a scheduled scan arrives, they run the scan and once done submitting the results to the API. Failing to submit to the API will leave the results around for the next call home.
Note
Compliance Scanning is not possible on agents.
Scanning Window
The scanning window is set to 24 hours for agents since OUTSCAN prioritize scheduled scans before agent scans. Also the agent discovery window is set to 24 hours.
What rights are needed?
The Agent installs as a fully privileged service and are able to access the full registry (when running on Windows).
Agent resource consumption
Note
It can not be said exactly how much resources agents will consume until it runs on the target. Usage majorly depends on how much there is to scan on the target and the number of targets.
CPU
When completely idle, the agent consumes a very small amount of clock cycles since it is only waiting to be woken up by a timer when it should attempt a call-home or do a scan.
When not waiting, it can do one out of two things:
- Run a scan
- Perform a Call-home
Calling home may consume a decent amount of CPU related to encrypting and sending traffic to the agent server.
Running a scan is very likely to consume 100% of a single core for a while. The duration depends on how much the scan is going to find. Our tools does some enumeration tasks and the more data is present, the more data will need to be processed, thus increasing the duration and the amount of necessary clock cycles. Currently this process is limited to a single core because of the utilities we are using.
The entire agent is configured to have low CPU priority, and unless other programs are configured to use low priority as well, the agent will not compete for clock cycles with other programs.
RAM & Disk
This depends heavily on the amount of data the agent is going to find when running a scan. Each unit of processing being done (varies on the task, some stream, some do not) must be stored in memory. Generally this is relatively little, for example each registry key being extracted and analyzed is flushed to disk before the next is fetched, thus reducing RAM usage, but sometime we need to read larger amount of data into memory. The agent should not spike significantly in memory usage.
Similarly, the data being extracted during scanning is stored on disk until the next call-home. The amount of data stored follows the same rules as RAM usage. However, only the latest scan data is being stored and does not accumulate more data over time even if a call-home is missed. Log data do however accumulate over time if not able to call home.
Network
Network usage is dependent on the amount of data needed to be sent during a call-home (general size of scan result) and how often it will have data to send (depend on the configured schedules). Do keep in mind that if an agent is part of multiple schedules, it will scan once for each schedule and then upload the scan result independently for these schedules as well.
License consumption information
To see the number of licenses being consumed:
- Navigate to Main Menu > Settings > Account.
Click on the License tab.
In the Agent Information area, the number of Registered, Scanned and Outdated agents are displayed.Option Description Agent registered Shows the number of registration agents. Agent scanned Shows the number of scanned agents. Agent outdated Shows how many assets are running an outdated Agent version, indicating the number of Agents need updating.
Note
An agent is considered as any other scan and therefor licensed as such. An agent that performs a scan will require one (1) license from your license pool. When an asset is also being scanned from an external scanner it also will require a license. If an agent AND a external scanner both scans the same asset, it will require two (2) licenses as it is seen as two (2) different assets.
How to set up the firewall for agents
The agents need access to the Agent Server for:
- Enrolling the Agent
- Retrieving the schedule and instructions
- Uploading the scan results such as inventory of software and configuration
- Uploading logs
Configure the firewall accordingly.
Service | Destination | Port | Protocol | Direction | Description |
Agent communication | teddysalad.outpost24.com (Agent Server) | 443 | HTTPS | Outbound | Enrollment, Scheduling, Scan results, Logs |
On what priority is the agent running?
The agent consume negligible resources when not scanning since it is waiting on two timers; the call home timer and the scan schedule timer. When scanning, it use what it needs from the system. Scanning consists of evaluation of commands (psh/sh), slight file I/O, and registry access on Windows.
Since the agent is running as idle priority on Windows and on other systems it is running with niceness 16 by default, it will only use resources when the OS says there is nothing better to do with them.
See https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-setpriorityclass:
IDLE_PRIORITY_CLASS 0x00000040 Process whose threads run only when the system is idle. The threads of the process are preempted by the threads of any process running in a higher priority class. An example is a screen saver. The idle-priority class is inherited by child processes.
Where do I download agents?
- Log in to OUTSCAN.
- Click on Main Menu > Support.
- Navigate to the Agents Installers tab.
How do I find the agent version?
Windows
- Open Control Panel.
- Click on Programs.
- Click Program and Features and search for agent.
Note
You can also open a PowerShell command as administrator and run the following command:
'C:\Program Files (x86)\Outpost24\Agent\agent.exe' --version
Linux
Login to your Linux system with an account having admin privileges or being able to elevate privileges and become root and run the following command:
sudo o24-agent --version
How do I find new agents?
- Log in to OUTSCAN from which you downloaded the agent.
- Create a target group where you want your agents to end up.
- Create new Discovery scan schedule.
- Make sure to enable Agent Discovery checkbox.
- Select the group under Add Found Targets To Target Group.
- Save the schedule.
- Right click on it and click Scan now.
- You can now monitor the progress of discovery in the Scan status tab inside Scan scheduling window.
- The scan should finish within few seconds or at most a couple of minutes provided a free slot is available and the scan starts.
- You should now be able to see the agent in your group.
How do I know if there is an update for agent?
Agent update comes with normal update, so if you see any note for an update on your OUTSCAN account, then you know there is an update.
You can also check the Agent Installer tab in OUTSCAN for the latest version. See Where do I download Agents? section on how to navigate to the Agents Installer tab.
How do I install agents?
There are multiple ways of doing it depending on the platform you are at. Follow this guide for the platform that you are about to install the agent on: Installing Outpost24 Agents
How do I retrieve the agent UUID?
The UUID is available in a JSON format from running the agent with the sub command info.
# o24-agent info | jq .
{
"agentUuid": "1dcea474-04ad-4112-99cf-aa9882e59986",
"enrollmentStatus": true
}Note
In Windows the agent binary is located in \Program Files (x86)\Outpost24\Agent and you may need to use the full path to the agent.
"agentUuid" - will be populated if the agent is enrolled ("enrollmentStatus") and represents the UUID that should be filtered for in the Manage Targets view in the UI. If this key is not present, the agent is either not enrolled or an error with the certificate occurred (see logging information below).
"enrollmentStatus" - should always be populated with a boolean value indicating whether the agent is enrolled.
Note
By default no errors are logged on standard error (or similar on Windows), so if an error occurred (as indicated by the exit code being anything but 0) you can tell the agent to show the logs, or look in your centralized logging system (journal or event viewer).
$ o24-agent info --stderr-log --log-level DEBUG --log-sd=0 ; echo $?
2021-08-17T15:12:35.5174308+02:00 ERROR failed to read config
1Note
For clarity, the --log-sd has been disabled to remove large amounts of data. However, --log-sd data will always be requested whenever data is sent in support cases.
Note
Logs produced by this command will not be sent to the Agent server, but are instead stored in the centralized logging system in your environment.
How do I update the agent?
Prior updating your agent, you need to download latest version from the OUTSCAN platform.
See Where do I download Agents? section on how to download the latest Agent.
Windows
To update the agent.
- Log in at the workstation on which you want to install the software.
- Download the new agent as described in the Installing the Agent section.
- Follow the instructions for installing a Windows agent in Installing the Agent section.
Linux
Note
Do not forget to login on the target system with a user that can gain administrative access on the system such as root on Linux.
Refer to Installing Outpost24 Agents for how to install. Updating and installing is roughly the same procedure.
Fedora
Log in at the workstation on which you want to upgrade the software.
To update the package using RPM package manager, enter the following command at the prompt:
sudo rpm -Uvh linux-amd64.rpmBASH
Debian
Log in at the workstation on which you want to install the software.
To update the package using Package Manager for Debian, enter the following command at the prompt:
sudo dpkg -i linux-amd64.debBASH
How do I remove an agent from Windows?
To the removed the agent from a Windows workstation use Add/Remove programs.
This can also be done from the command line by running the following command as a administrator.
wmic product where "description='Outpost24 Agent' " uninstallHow do I know agent is running?
Windows
- Open Services app and search for Outpost24 Agent. Its status is shown under the Status column.
Linux
Login to your Linux system with an account having admin privileges or being able to elevate privileges and become root and run the following command:
sudo systemctl status o24-agent
How do I know the agent has been discovered in OUTSCAN?
The Agent is displayed in the list of targets after successful discovery scan:
How do I know the agent has retrieved the schedules from OUTSCAN?
Windows
Open a file Explorer or Windows PowerShell as administrator and enter the following command:
ls C:\ProgramData\Outpost24\Agent\schedules\instructionsLinux
Login to you Linux system with an account having admin privileges or being able to elevate privileges and become root and run the following command:
sudo ls -la /var/cache/o24-agent/schedules/instructions/Examples
In both case, This directory contains the schedules for the Agent. Each schedule is a directory of type (UUID) that contains 3 encrypted files: commands (for Linux), psh-commands and registry (for Windows).
Windows example:
Linux example:
Note
You can also check the date and time of each files to ensure, they are updated and changing.
If you have several UUID sub directories, that simply means you have configured several schedules.
How do I know the agent has produced results that can be uploaded to OUTSCAN?
Windows
Open a file Explorer or Windows PowerShell as administrator and enter the following command:
ls C:\ProgramData\Outpost24\Agent\schedules\results\Linux
Login to you Linux system with an account having admin privileges or being able to elevate privileges and become root and run the following command:
sudo ls -la /var/cache/o24-agent/schedules/resultsExample
In both case, this directory contains the results for the Agent. Each schedule is a directory of type (UUID) that contains 1 to 2 encrypted files: commands.enc (for Linux), psh-commands.enc and registry.enc (for Windows).
Windows example:
Linux example:
Note
You can also check the date and time of each files to ensure, they are updated and changing.
If you have several UUID sub directories, that simply means you have configured several schedules, so that you are getting several results matching the schedules.
How do I get results from the agent in OUTSCAN?
First ensure that the agent is running and has been discovered on the OUTSCAN platform.
Then wait 2 hours before any results are populated in OUTSCAN platform.
If the Agent is running for more than 2 hours and no findings are displayed on the OUTSCAN platform, then:
- Check you have schedules by referring to How do I know the Agent has retrieved the schedules from OUTSCAN?
- Then check that you have some results on the Agent by referring to How do I know the Agent has produced results that can be uploaded to OUTSCAN?
If everything is fine on the Agent side, please contact the Support for further assistance.
How do I check connectivity to Outpost24 agent server?
Ensure you can reach Outpost24 Agent server by checking you can reach the following URL from the target where the Agent is installed.
Windows
Run the following command in DOS Command Prompt:
telnet teddysalad01.outpost24.com 443Linux
Run the following command:
telnet teddysalad01.outpost24.com 443Linux example:
Related Articles
-
Page:
-
Page:
-
Page:
-
Page:
-
Page:
-
Page:
-
Page:
-
Page:
-
Page:
-
Page:
Copyright
© 2023 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.
Trademark
Outpost24® and OUTSCAN™ are trademarks of Outpost24® and its affiliated companies. All other brand names, product names or trademarks belong to their respective owners.