Probes/Agents

Modified on Thu, Oct 12, 2023 at 5:24 AM

Introduction

  • CyberCNS (ConnectSecure) provides three kinds of scans on each Asset. The objective and capability of each of the scans are different. (Please see the picture below)

    • Lightweight Agent Scan - gives an internal view of the asset (reported as vulnerabilities, patches, etc)

    • Probe Scan - gives an external view of the asset, placed between the Firewall and the asset (open ports reachable from within the network, TLS, SSL)

    • External Scan - gives an external view of the asset, placed outside the Firewall and reaching out to the asset (reported as Network Scan Findings, TLS, SSL, open ports reachable through the Firewall)

Each of these gives a different view of the asset and is available to view in the Asset View. 

  • Please note that Apache and PHP are visible through either a Probe scan and/or an External Scan. Since these findings from different scans reveal different things from different viewpoints, there isn't much to tally or reconcile.

Company Level

  • Once the agent installation is successful, Navigate to the Probe / Agents tab to view the installed agent along with the details of Hostname, Version, Agent Type, IP, OS Type, Installed On, Last Scanned Time, Last PII Scan Time, Last Ping Time, and whether the agent is Online (If the agent is online it shows in green) or Offline (if the agent is offline it shows in red).

  • Probe Agents, Lightweight agents and Deprecated Agents are separated in the Probe/Agent section. Probe Agent scan and Lightweight agent scan can be separately and manually triggered at the Company Level.

  • Full Scan, Asset Scan, Active Directory Scan, Offline Vulnerability Scan, Firewall Scan, Lightweight Agent Scan, and PII Scan are the scan types available on the top of the page, where the scan for the agent can be done using these options based on the requirement. When the scan is completed, it will successfully upload the results to the company from where this agent was downloaded under the Active Assets section.

Discovery Settings

  • In the depicted below image using the Action column addition of Discovery settings or Uninstall of the agent can be carried out.

  • Under Discovery settings, IP ranges credentials, SNMP credentials, Active Directory credentials, Master Credentials, Performance Management, and Brute Force Settings can be added.

IP Ranges

  • In the IP Ranges click on +Add to add the IP ranges and can add single/multiple entries.

  • Addition of IP Ranges, CIDR, Static IP, and Domain Name to discover the assets and provide your IP/subnets to scan using the agent and can also add multiple entries here OR exclude the Subnet/IP from scanning.

  • In IP ranges, if CIDR is chosen as Discovery Type then enter the Name and select the Netmask value as required.

  • Click on Save once the above credentials are provided.

  • In IP ranges, if IP Range is chosen as Discovery Type then enter the Name and the End IP address.

  • Click on Save once the above credentials are provided.

  • In IP ranges, if Static IP is chosen as Discovery Type then enter the Name and Start IP address.

  • Click on Save once the above credentials are provided.

The domain name functions as a link to the IP address. Links do not contain actual information, but they do point to the place where the IP address information resides. It is convenient to think of IP addresses as the actual code and the domain name as a nickname for that code.

  • In IP ranges, if the Domain Name is chosen as the Discovery Type then enter the name of your choice and the Domain name to be scanned, Exclude IP from scanning, and add the IP Ranges to be excluded from Scan.

  • Click on Save once the above credentials are provided.

  • Once the above details are Saved, the IP Ranges will be notified and an, IP added successfully message.

  • There is an option to Edit and Delete the IP Ranges using the Action column. Any IP Ranges can be edited and deleted if needed.

Copy To Probe

From one probe agent to another probe agent, the IP range will be copied within the same company. Duplicates will be discarded.

  • Select the company under which the probe agent’s discovery settings (Only IP Ranges) are to be copied to another probe agent.

  • Navigate to Probes/Agents, under the Action column, select a probe agent, and click on Discovery settings.

  • In the IP ranges section, under the action column, click on copy to probe option to copy all the IP details to another probe agent for the same company.

  • Here as shown in the depicted image, select the probe from the dropdown as needed.

  • Once the destination probe agent, click on copy option.

  • When the IP ranges are copied to the probe agent, will get a pop-up message as Copied successfully.

SNMP Credentials

  • The SNMP is used for the scanning of supported network devices using SNMP v1/v2 OR SNMP v3.

  • SNMP read-only credentials can be added under the SNMP Credentials section for network devices.

  • There are two options available for adding SNMP Credentials, they are SNMP v1/v2 and SNMP v3.

  • Click on +Add to add the SNMP v1/v2 Credentials and can add single/multiple entries.

  • In the depicted below image, you can choose either SNMP v1 or SNMP v2 as per the requirement.

  • Enter the Name and SNMP v1/v2 community string for network devices vulnerability scan and choose the type of version while adding SNMP credentials as per the requirement.

  • Once the details are provided click on Save.

  • Once the above details are Saved, the SNMP credentials save will be notified as, SNMP v1 added successfully, message.

  • There is an option to Edit and Delete the SNMP credentials using the Action column. Any SNMP credentials v1/v2 can be edited and deleted if needed.

  • If SNMP v3 is chosen click on +Add to add the SNMP v3 credentials and can add single/multiple entries.

The protocols used for Authentication are MD5 and SHA (Secure Hash Algorithm). The protocols used for Authentication are MD5 and SHA; and for Privacy, DES (Data Encryption Standard) and AES (Advanced Encryption Standard) protocols can be used.

  • In the depicted below the image select any one of the Auth Protocol and the Privacy Protocol.

  • Now, enter the details of Name, Security Name, Auth Password, and Privacy Password, and click on Save.

  • Once the above details are Saved, the SNMP credentials will be notified by, the SNMP v3 added successfully, message.

  • There is an option to Edit and Delete the SNMP credentials using the Action column. Any SNMP v3 credentials can be edited and deleted if needed.

Active Directory Credentials

  • Active Directory credentials are used to discover the assets and information from computers that are part of the AD network.

  • Click on +Add to add the Active Directory Credentials and can add single/multiple entries.

  • Active Directory credentials will have access to all the computers under AD. To only apply these credentials to limited IP ranges, please use Exclude IP section and add the IP Ranges to be excluded from the Active Directory Scan.

(blue star) How you can find out the name and IP address of the AD domain controller on your network in Linux?

  • You can use Nslookup is a command-line tool that displays information you can use to diagnose Domain Name System (DNS) infrastructure.

    1. Click Start, and then click Run.

    2. In the Open box, type cmd.

    3. Type nslookup, and then press ENTER.

    4. Typeset type=all, and then press ENTER.

    5. Type _ldap._tcp.dc._msdcs.Domain_Name, where Domain_Name is the name of your domain, and then press ENTER.

(blue star) How do I get to Active Directory on Mac?

  • Click on the Apple logo > System Preferences...> User & Groups.

    1. Click Login Options — click the lock icon to unlock it.

    2. Next to Network Account Server, click Join...

    3. Click Open Directory Utility...

(blue star) How do I get to Active Directory on Windows?

  • Now, enter the details of Name, Domain, Active Directory Domain Controller Name/ IP address, User Name, and Password.

  • Next, click on Save when the above details are provided.

  • Once the above details are Saved, the Active Directory credentials will be notified by the Active Directory Credentials added successfully, message.

  • There is an option to Edit and Delete the Active Directory credentials using the Action column. Any Active Directory credentials can be edited and deleted if needed.

Exclude IP

  • This Tab allows you to configure the IP Addresses that can be excluded from scanning which is a part of the Active Directory discovery settings.

  • Click on +Add to add the Exclude IP.

  • Addition of IP Ranges, CIDR, Static IP, and Domain Name to discover the assets and provide your IP/subnets to scan using the agent and can also add multiple entries here OR exclude the Subnet/IP from scanning.

Master Credentials

  • The Master credentials section will be used to do an authenticated asset scan and find vulnerabilities, without going by updating the credentials for each asset. Here a common set of credentials for OS like Windows, Mac, and Linux can be used.

  • Azure AD assets can be scanned by adding Master credentials and setting up network share access.

Prerequisites for Master Credentials:
(blue star) Windows machine
1. SMB should be enabled (port: 445)
(blue star) Linux based OS
1. ssh access should be enabled for the end machine (asset).
2. The user should have sudo privileges on the asset.
3.User should have access to the sudo command without a password.
(blue star) Darwin-based OS(MAC)
1. ssh should be enabled in the endpoint machine.
2.User should have sudo privileges.
3.User should have access to the sudo command without a password.
(blue star) VMware based OS
1. ssh should be enabled in the endpoint machine.
2. User should have access to the sudo command without a password.

  • To add Master Credentials click on +Add and can add single/multiple entries.

  • If you enter credentials for VMWare in the master credentials section, the agent will select and use any VMWare devices discovered as per the discovery settings, and if the corresponding port is open (port 22 for VMWare or Linux, port 445 for Windows) the scans will be successful.

  • Even if the VMWare/ESXI host is not authenticated, we are attempting to extract information about the version and build from packet headers obtained through various network protocols supported by VMWare including VCenter.

  • In Master Credentials, when the master credentials are provided, from the next scan, every vulnerability scan will try to scan with those credentials.

  • Select the Type of Asset as per the requirement.

  • Now, enter the details of your Name, Username, Password, and Domain.

  • When the above details are provided click on Save.

  • Once the above details are Saved, the Master credentials will be notified by the Asset Credentials added successfully, message.

  • There is an option to Edit and Delete the Master credentials using the Action column. Any Master credentials can be edited and deleted if needed.

To scan Azure AD Assets:

Azure AD users can not access a local network share directly. If they have a local Active Directory and it is connected to the Azure AD using Azure Connect, then users will sync with Azure AD and the local AD post which they can access ADMIN$.

For Granting permissions to Azure AD users for local network share:

You must install and configure an Azure AD Connect

After that, you must join your VM in Azure to the Domain Controller.

And finally set a user from your domain controller.

Performance Management

  • This tab allows you to allocate the required number of processes to be executed at a time when a scan is triggered to manage the performance of the scans and the systems.

  • This is based on the system configuration on which the CyberCNS agent is installed.
    (Ex - 4 Core Processor - 16 Processes)

Brute Force Settings

By implementing this setting, the security posture can be strengthened of the system for brute force attacks, potentially safeguarding user accounts and sensitive information.

  • Users can enable/disable “Brute Force Settings” from this section of discovery settings for the Probe Agent. Also, a specific port number can be provided.

  • It checks for default ssh credentials and populates the data under Network Scan Findings.

Uninstall Probe/Agents

CyberCNS allows uninstalling agents from this section only if the agents are showing online from the CyberCNS portal.

  • As depicted in the below image can choose to uninstall the Probe/Agents as required.

  • Once the uninstall option is chosen, a confirmation dialogue box with Yes or No options appears to confirm uninstall choice once again.

  • In case, yes is selected, the Probe/Agent is notified by the Uninstalling initiated.., message.

  • Upon successful uninstallation, the Probe/Agents will start appearing offline in the CyberCNS portal.

  • For an Uninstallation and deletion of the agent, follow below steps given below:

  1. The CyberCNSAgentV2 folder must not exist on the system. Please delete it if it exists.

  2. Windows services cybercnsagentv2 and cybercnsagentmonitor should not be running and should not exist. If they exist, please stop the services and then delete them using the following commands

--> Open the command prompt, and Run as administrator.

--> sc.exe delete cybercnsagentv2

--> sc.exe delete cybercnsagentmonitor

Delete Probe/Agents

CyberCNS allows deleting the agents, even though the agents are online or offline. Once deleted, all the data about that Probe/Agent will be deleted from the CyberCNS portal.

  • As depicted in the below image can choose to delete the Probe/Agents as required.

  • Multiple agents can be deleted or uninstalled using the Actions option.

  • Once the delete option is chosen, a confirmation dialog box with Yes or No options appears to confirm the delete choice once again.

  • Upon successful deletion, the Probe/Agents will disappear in the CyberCNS portal.

Fetch Event Logs

This will help to fetch event logs from the system on which the agent is installed.

  • Navigate to Probes/Agents to fetch the Event logs for the required agent.

  • The maximum number of days to be selected is 10 days.

  • The start date and End Date are to be set with a difference of min a day.

For example:- Start Date → 19/04/2023 & End Date → 20/04/2023

  • To fetch the event logs choose the Start date and the End date and click on the Fetch option.

  • Navigate to the Jobs> Agent Event Logs section, to view the job status. Once the job is completed successfully, using the action column download the event logs. The downloaded event logs will be in the Xlsx format.

Agent Update Info

Agent Update information log will help to fetch the information about the agent updation from the older version to the latest version.

  • Navigate to Probes/Agents, to get the Agent Update Info.

  • Once the agent is updated to the latest version, the agent log of the update to the latest version will be generated. It will display the agent update logs on the pop-up screen as shown below.

Migrate to Lightweight Agent

  • Navigate to Probes/Agents.

  • Select the appropriate probe agent to be migrated to the lightweight agent.

  • Select Migrate to Lightweight option under the Action column.

  • It will ask for confirmation with the warning. Click Yes to migrate from probe to lightweight.

Migration from Probe to Lightweight has the following changes:

  • All Assets discovered by the probe will be deleted, except for the probe itself.

  • Discovery Settings added to the probe will be deleted.

  • All credentials associated with the probe will be deleted.

  • Any job running on the probe machine will be terminated.

  • All pending jobs in the queue will be deleted.

  • Before migration from Probe Agent to lightweight agent, the asset shows PROBE_ASSET as a tag under Active Assets.

  • After migration from probe Agent to lightweight agent, the asset will show LIGHTWEIGHTAGENT as a tag under Active Assets.

Migrate to Probe

  • Navigate to Probes/Agents.

  • Select the appropriate lightweight agent to be migrated to the probe agent.

  • Select the Migrate to Probe option under the Action column.

  • It will ask for confirmation with the warning. Click Yes to migrate from lightweight to probe.

Migration from Lightweight to Probe has the following changes:

  • The agent type of assets will be updated.

  • The agent associated with the asset will be updated accordingly.

  • Before migration from lightweight Agent to probe agent, the asset shows LIGHTWEIGHTAGENT as a tag under Active Assets.

  • After migration from lightweight Agent to probe agent, the asset will show PROBE_ASSET as a tag under Active Assets.

Deprecated Agent

  • Agent deprecation helps you clean up agents from the lists that are not reachable from the CyberCNS agent. Users can set the deprecation age as per requirement using Settings

  • Only the offline agents will move to the Deprecated Agent based on the deprecation age.

  • In the image below please enter the agent deprecation days as per the requirement. Once set, for the agent offline days, the deprecation value will be considered only if the entered days are more than the Last Ping time and the deprecated agents will be moved to the Deprecated Agents section.

  • Once the details are Saved, the Asset Deprecation Days will be Updated successfully.

  • Here can get the details of the agent/s being deprecated under the Deprecated Agent section.

  • Deprecate Agent can be restored and Deleted using the Restore and Delete under Action.

Global Level

Over companies agents will be listed in the Global view > Probes/Agents tab.

  • To get all the agents of all the companies, Navigate to the Probe / Agents tab to view the installed agent along with the details of Hostname, Version, IP, OS Type, Installed On, Last Scanned Time, Last PII Scan Time, Last Ping Time, Company name, and whether the agent is Online (If the agent is online it shows in green) or Offline (if the agent is offline it shows in red).

  • The Probes/Agent tab lists all the agents installed across all the companies.

  • The Lightweight agent tab lists all the lightweight agents installed across all the companies.

Only the offline agents will move to the Deprecated Agent.

  • When the agent is offline deprecation value will be considered and the deprecated agents will be moved to the Deprecated Agents tab.

  • It lists all the agents deprecated across all the companies.

  • The Bulk delete option allows for the Uninstallation, Deletion, Update Performance Management, or Depreciation of multiple agents(Probe/Lightweight) in Global Actions.

  • Agents can be Uninstalled, Deleted, or Deprecated. Additionally, they can fetch Event logs and provide Agent Update Info.

  • This completes the Probe/Agents.

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article