
What you should know about agents

Introduction

The agent can be exposed and identified if installed in environments with antivirus or in environments managed by expert technicians.

Three different agent levels were included to prevent this from happening:

The scout agent is a replacement for the agent sent at the beginning of the installation phase to analyze the level of target device security.

The soldier agent and elite agent are actual agents. The soldier agent is installed in environments that are not fully secure and thus only allow some types of evidence to be collected. The elite agent is installed in secure environments and can collect all types of available evidence.

Agent installation process
Phase   Description
1       The technician installs the scout agent on the target device.
2       The scout agent collects evidence from the device to check the level of security.
3       The Technician updates the agent:

        If the environment is...   Then...
        secure                     the system installs the elite agent.
        not fully secure           the system installs the soldier agent.
        unsecure                   the agent cannot be updated.

Agent icon

The agent icon provides the following information:

Following are the three agent level icons, for example, for a Windows desktop device:

Scout agent

Once installed, the scout agent appears in the target page after the first synchronization.

The scout agent acquires evidence:

IMPORTANT: Screenshot type evidence is only collected if the module is enabled in the configuration. If necessary, remember to enable it before sending the agent.

Soldier agent

The soldier agent lets you collect evidence defined by the base configuration modules except for Call and Accessed file modules.

IMPORTANT: the advanced settings are not enabled for soldier agents.

Tip: once the soldier agent is installed, check the settings defined in the initial phase to make sure they meet investigation needs and agent characteristics.

Elite agent

The elite agent lets you collect all types of evidence using both the base and advanced configuration.

Agent synchronization

An agent will perform synchronization only if:

Offline and online agents

An agent behaves differently according to the Internet connection availability:

If the Internet connection is...   Then...
not available                      if the agent has modules enabled, it starts to record data in the device.
available                          if first synchronization has been run on the agent, you can:

  • change settings, for example, as recording requests become more specific for that device. Resetting an agent does not change factory settings,
  • update its software,
  • transfer files to and from the device,
  • analyze sent evidence.

Tip: start creating an agent and only enable synchronization and the device module. Then, once installed, and upon receiving the first synchronization, gradually enable the other modules, according to the device capabilities and the type of evidence you want to collect.

Temporarily disabling an agent

Agent activities can be temporarily suspended without uninstalling the agent by simply disabling all the modules and leaving only synchronization active.

Agent testing

To test a configuration before production use, create an agent in Demo mode (see "Compiling a factory").

The agent is created in demo mode, behaving according to the given configuration, with the sole difference that it clearly signals its presence on the device (with audio, LED and screen messages). Signaling permits easy identification of an infected device used for testing.

NOTE: if evidence is not received from an agent in demo mode, this may be due to a server settings error or to the address of the set Collector being unreachable (i.e., due to network settings problems).

Agent configuration

Agent configuration (basic or advanced) can be repeatedly edited. When saved, a copy of the configuration is created and saved in the configuration log.

At the next synchronization, the agent will receive the new configuration (Send time) and will communicate completed installation (Activated). From that point on, any changes can only be made by saving a new configuration.

NOTE: If Send time and Activated are blank, the current configuration can still be edited.

For a description of agent configuration log data see "Agent configuration log data".

RCS9.4 | User's Guide | © COPYRIGHT 2014