Purpose

The purpose of this document is to provide answers to frequently asked questions about deploying the Outpost24 Agent.

Introduction

The standard Agent reports its information back to OUTSCAN, regardless of where in the world that endpoint is located. If it has an Internet connection, it will report back its vulnerability information.

How do the agents work?

The Agent installs onto the system and calls home to the API regularly. When it does, it may receive information about a schedule, which it remembers and uses to plan its scanning. When the time of a scheduled scan arrives, the Agent runs the scan and, once done, submits the results to the API. If submitting to the API fails, the results are kept for the next call home.


Note

Compliance Scanning is not possible on agents.


Scanning Window

The scanning window is set to 24 hours for agents, since OUTSCAN prioritizes scheduled scans before agent scans. The agent discovery window is also set to 24 hours.

What rights are needed?

The Agent installs as a fully privileged service and is able to access the full registry (when running on Windows).

Agent resource consumption

Note

It cannot be said exactly how many resources an agent will consume until it runs on the target. Usage depends mostly on how much there is to scan on the target and the number of targets.

CPU

When completely idle, the agent consumes a very small amount of clock cycles since it is only waiting to be woken up by a timer when it should attempt a call-home or do a scan.

When not waiting, it can do one of two things:

  • Run a scan
  • Perform a Call-home

Calling home may consume a decent amount of CPU, spent on encrypting and sending traffic to the agent server.

Running a scan is very likely to consume 100% of a single core for a while. The duration depends on how much the scan is going to find. Our tools perform some enumeration tasks, and the more data is present, the more data needs to be processed, which increases the duration and the number of clock cycles required. Currently this process is limited to a single core because of the utilities we are using.

The entire agent is configured to have low CPU priority, and unless other programs are configured to use low priority as well, the agent will not compete for clock cycles with other programs.

RAM & Disk

This depends heavily on the amount of data the agent is going to find when running a scan. Each unit of processing (which varies with the task; some tasks stream, some do not) must be stored in memory. Generally this is relatively little. For example, each registry key being extracted and analyzed is flushed to disk before the next is fetched, which reduces RAM usage, but sometimes we need to read larger amounts of data into memory. The agent should not spike significantly in memory usage.

Similarly, the data extracted during scanning is stored on disk until the next call-home. The amount of data stored follows the same rules as RAM usage. However, only the latest scan data is stored, so it does not accumulate over time even if a call-home is missed. Log data does, however, accumulate over time if the agent is not able to call home.

Network

Network usage depends on the amount of data that needs to be sent during a call-home (the general size of the scan result) and how often the agent has data to send (which depends on the configured schedules). Keep in mind that if an agent is part of multiple schedules, it will scan once for each schedule and then upload the scan result independently for each of these schedules as well.

License consumption information

To see the number of licenses being consumed:

  1. Navigate to Main Menu > Settings > Account.



  2. Click on the License tab.



    In the Agent Information area, the numbers of Registered, Scanned and Outdated agents are displayed.

    Option | Description
    Agent registered | Shows the number of registered agents.
    Agent scanned | Shows the number of scanned agents.
    Agent outdated | Shows how many assets are running an outdated Agent version, indicating the number of Agents that need updating.


Note

An agent is treated like any other scan and is therefore licensed as such. An agent that performs a scan requires one (1) license from your license pool. An asset that is also scanned from an external scanner requires a license for that as well. If an agent AND an external scanner both scan the same asset, two (2) licenses are required, as it is seen as two (2) different assets.

How to set up the firewall for agents

The agents need access to the Agent Server for:

  • Enrolling the Agent
  • Retrieving the schedule and instructions
  • Uploading the scan results such as inventory of software and configuration
  • Uploading logs

Configure the firewall accordingly.

Service | Destination | Port | Protocol | Direction | Description
Agent communication | teddysalad.outpost24.com (Agent Server) | 443 | HTTPS | Outbound | Enrollment, Scheduling, Scan results, Logs

On what priority is the agent running?

The agent consumes negligible resources when not scanning, since it is waiting on two timers: the call-home timer and the scan schedule timer. When scanning, it uses what it needs from the system. Scanning consists of evaluating commands (psh/sh), slight file I/O, and registry access on Windows.
Since the agent runs at idle priority on Windows, and with niceness 16 by default on other systems, it will only use resources when the OS says there is nothing better to do with them.
See https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-setpriorityclass:

IDLE_PRIORITY_CLASS
0x00000040
Process whose threads run only when the system is idle. The threads of the process are preempted by the threads of any process running in a higher priority class. An example is a screen saver. The idle-priority class is inherited by child processes.


Where do I download agents?

  1. Log in to OUTSCAN.
  2. Click on Main Menu > Support.
  3. Navigate to the Agents Installers tab.




How do I find the agent version?

Windows

  1. Open Control Panel.
  2. Click on Programs.
  3. Click Programs and Features and search for agent.


Note

You can also open PowerShell as administrator and run the following command:

& 'C:\Program Files (x86)\Outpost24\Agent\agent.exe' --version
POWERSHELL


Linux

Log in to your Linux system with an account that has admin privileges, or that can elevate privileges and become root, and run the following command:

sudo o24-agent --version
BASH


How do I find new agents?

  1. Log in to OUTSCAN from which you downloaded the agent.
  2. Create a target group where you want your agents to end up.
  3. Create a new Discovery scan schedule.
  4. Make sure to enable the Agent Discovery checkbox.
  5. Select the group under Add Found Targets To Target Group.



  6. Save the schedule.
  7. Right-click on it and click Scan now.
  8. You can now monitor the progress of discovery in the Scan status tab inside the Scan scheduling window.



  9. The scan should finish within a few seconds, or at most a couple of minutes, provided a free slot is available and the scan starts.
  10. You should now be able to see the agent in your group.


How do I know if there is an update for agent?

Agent updates come with the normal update, so if you see a note about an update on your OUTSCAN account, you know there is an update.

You can also check the Agent Installer tab in OUTSCAN for the latest version. See the Where do I download Agents? section on how to navigate to the Agents Installer tab.

How do I install agents?

There are multiple ways of doing it, depending on the platform you are on. Follow this guide for the platform that you are about to install the agent on: Installing Outpost24 Agents

How do I retrieve the agent UUID?

The UUID is available in JSON format by running the agent with the info subcommand.

# o24-agent info | jq .
{
  "agentUuid": "1dcea474-04ad-4112-99cf-aa9882e59986",
  "enrollmentStatus": true
}
BASH

Note

In Windows the agent binary is located in \Program Files (x86)\Outpost24\Agent and you may need to use the full path to the agent.

"agentUuid" - will be populated if the agent is enrolled ("enrollmentStatus") and represents the UUID that should be filtered for in the Manage Targets view in the UI. If this key is not present, the agent is either not enrolled or an error with the certificate occurred (see logging information below).

"enrollmentStatus" - should always be populated with a boolean value indicating whether the agent is enrolled.


Note

By default no errors are logged on standard error (or similar on Windows), so if an error occurred (as indicated by the exit code being anything but 0) you can tell the agent to show the logs, or look in your centralized logging system (journal or event viewer).


$ o24-agent info --stderr-log --log-level DEBUG --log-sd=0 ; echo $?
2021-08-17T15:12:35.5174308+02:00 ERROR failed to read config
1
BASH

Note

For clarity, the --log-sd has been disabled to remove large amounts of data. However, --log-sd data will always be requested whenever data is sent in support cases.

Note

Logs produced by this command will not be sent to the Agent server, but are instead stored in the centralized logging system in your environment.
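
The key and exit-code rules above can be applied mechanically when checking many hosts. The following Python is an added example, not Outpost24 code: the function names and state strings are hypothetical, and reading "enrolled but no agentUuid" as the certificate-error case is an assumption drawn from the key descriptions above.

```python
import json
import subprocess

def classify_info(exit_code, stdout):
    """Map the exit code and output of `o24-agent info` to a state string."""
    if exit_code != 0:
        # A non-zero exit code means an error occurred; the agent prints
        # nothing about it unless asked to log to standard error.
        return "error: rerun with --stderr-log --log-level DEBUG"
    try:
        info = json.loads(stdout)
    except json.JSONDecodeError:
        return "error: output is not JSON"
    # enrollmentStatus should always be present and boolean.
    if not isinstance(info, dict) or not isinstance(info.get("enrollmentStatus"), bool):
        return "error: enrollmentStatus missing or not a boolean"
    uuid = info.get("agentUuid")
    if info["enrollmentStatus"] and uuid:
        return f"enrolled: {uuid}"
    if info["enrollmentStatus"]:
        # Assumption: enrolled without a UUID is the certificate-error case.
        return "enrolled but agentUuid missing: check certificate and logs"
    return "not enrolled"

def query_agent(binary="o24-agent"):
    """Run the info subcommand and classify it (needs the agent installed)."""
    try:
        proc = subprocess.run([binary, "info"], capture_output=True,
                              text=True, timeout=30)
    except (OSError, subprocess.TimeoutExpired) as exc:
        return f"error: could not run {binary}: {exc}"
    return classify_info(proc.returncode, proc.stdout)

# Constructed sample outputs (exit code, stdout); the UUID is a placeholder.
SAMPLES = [
    (0, '{"agentUuid": "00000000-0000-4000-8000-000000000000", "enrollmentStatus": true}'),
    (0, '{"enrollmentStatus": false}'),
    (0, '{"enrollmentStatus": true}'),
    (1, ""),
]

if __name__ == "__main__":
    for code, out in SAMPLES:
        print(classify_info(code, out))
```

On Windows, pass the full path to the agent binary as the `binary` argument of `query_agent`.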


How do I update the agent?

Before updating your agent, you need to download the latest version from the OUTSCAN platform.

See the Where do I download Agents? section on how to download the latest Agent.

Windows

To update the agent:

  1. Log in at the workstation on which you want to install the software.
  2. Download the new agent as described in the Installing the Agent section.
  3. Follow the instructions for installing a Windows agent in Installing the Agent section.

Linux

Note

Do not forget to log in to the target system with a user that can gain administrative access on the system, such as root on Linux.


Refer to Installing Outpost24 Agents for how to install. Updating and installing are roughly the same procedure.

Fedora

  1. Log in at the workstation on which you want to upgrade the software.

  2. To update the package using RPM package manager, enter the following command at the prompt:

    sudo rpm -Uvh linux-amd64.rpm
    BASH

Debian

  1. Log in at the workstation on which you want to install the software.

  2. To update the package using Package Manager for Debian, enter the following command at the prompt:

    sudo dpkg -i linux-amd64.deb
    BASH

How do I remove an agent from Windows?

To remove the agent from a Windows workstation, use Add/Remove programs.

This can also be done from the command line by running the following command as an administrator.

wmic product where "description='Outpost24 Agent'" call uninstall
POWERSHELL

How do I know the agent is running?

Windows

  1. Open the Services app and search for Outpost24 Agent. Its status is shown under the Status column.


Linux

Log in to your Linux system with an account that has admin privileges, or that can elevate privileges and become root, and run the following command:

sudo systemctl status o24-agent
BASH


How do I know the agent has been discovered in OUTSCAN?

The Agent is displayed in the list of targets after a successful discovery scan:


How do I know the agent has retrieved the schedules from OUTSCAN?

Windows

Open File Explorer or Windows PowerShell as administrator and enter the following command:

ls C:\ProgramData\Outpost24\Agent\schedules\instructions
POWERSHELL

Linux

Log in to your Linux system with an account that has admin privileges, or that can elevate privileges and become root, and run the following command:

sudo ls -la /var/cache/o24-agent/schedules/instructions/
BASH

Examples

In both cases, this directory contains the schedules for the Agent. Each schedule is a directory named with a UUID that contains 3 encrypted files: commands (for Linux), psh-commands and registry (for Windows).

Windows example:

Linux example:



Note

You can also check the date and time of each file to ensure that they are being updated and are changing.

If you have several UUID subdirectories, that simply means you have configured several schedules.

How do I know the agent has produced results that can be uploaded to OUTSCAN?

Windows

Open File Explorer or Windows PowerShell as administrator and enter the following command:

ls C:\ProgramData\Outpost24\Agent\schedules\results\
POWERSHELL

Linux

Log in to your Linux system with an account that has admin privileges, or that can elevate privileges and become root, and run the following command:

sudo ls -la /var/cache/o24-agent/schedules/results
BASH

Example

In both cases, this directory contains the results for the Agent. Each schedule is a directory named with a UUID that contains 1 to 2 encrypted files: commands.enc (for Linux), psh-commands.enc and registry.enc (for Windows).

Windows example:

Linux example:


Note

You can also check the date and time of each file to ensure that they are being updated and are changing.

If you have several UUID subdirectories, that simply means you have configured several schedules, so you are getting several results matching the schedules.

How do I get results from the agent in OUTSCAN?

First ensure that the agent is running and has been discovered on the OUTSCAN platform.

Then wait 2 hours for results to be populated in the OUTSCAN platform.

If the Agent has been running for more than 2 hours and no findings are displayed on the OUTSCAN platform, then:

  1. Check that you have schedules by referring to How do I know the Agent has retrieved the schedules from OUTSCAN?
  2. Then check that you have some results on the Agent by referring to How do I know the Agent has produced results that can be uploaded to OUTSCAN?

If everything is fine on the Agent side, please contact Support for further assistance.
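
The two directory checks above can be done in one pass that pairs each schedule UUID with its results and file dates. This Python is an added example, not Outpost24 code: the function names, the status strings and the 24-hour freshness limit are assumptions, and only the directory layout comes from the sections above.

```python
import os
import time

DAY = 24 * 60 * 60  # assumed freshness limit; set max_age to your schedule interval

def newest_mtime(path):
    """Newest modification time among the files of one schedule directory."""
    times = [e.stat().st_mtime for e in os.scandir(path) if e.is_file()]
    return max(times) if times else None

def schedule_dirs(root):
    """Map each schedule UUID (directory name) under root to its newest mtime."""
    if not os.path.isdir(root):
        return {}
    return {e.name: newest_mtime(e.path) for e in os.scandir(root) if e.is_dir()}

def check_schedules(instructions_root, results_root, max_age=DAY, now=None):
    """Return {uuid: status}, pairing retrieved schedules with stored results."""
    now = time.time() if now is None else now
    instructions = schedule_dirs(instructions_root)
    results = schedule_dirs(results_root)
    report = {}
    for uuid in instructions:
        produced = results.get(uuid)
        if produced is None:  # no results directory, or one with no files
            report[uuid] = "no results yet"
        elif now - produced > max_age:
            report[uuid] = "results stale"
        else:
            report[uuid] = "results present"
    # Result directories whose schedule is no longer in instructions.
    for uuid in results.keys() - instructions.keys():
        report[uuid] = "results without a schedule"
    return report

if __name__ == "__main__":
    base = "/var/cache/o24-agent/schedules"  # Linux paths from the page
    found = check_schedules(base + "/instructions", base + "/results")
    if not found:
        print("no schedules retrieved: check enrollment and connectivity")
    for uuid, status in sorted(found.items()):
        print(uuid, status)
```

Run it with privileges that can read the agent's cache directory; on Windows, pass the C:\ProgramData\Outpost24\Agent\schedules\instructions and results paths instead.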

How do I check connectivity to the Outpost24 agent server?

Ensure you can reach the Outpost24 Agent server by checking that you can connect to the following host and port from the target where the Agent is installed.

Windows

Run the following command in the DOS Command Prompt:

telnet teddysalad01.outpost24.com 443
BASH

Linux

Run the following command:

telnet teddysalad01.outpost24.com 443
BASH

Linux example:




Copyright

© 2022 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.

Trademark

Outpost24® and OUTSCAN™ are trademarks of Outpost24® in Sweden and other countries.