The dissolvable agent


When scanning target machines for vulnerabilities or running policy compliance checks, the best approach is to connect remotely to the machine and query its interfaces. The connection is direct, fast, and non-intrusive. But sometimes, a remote connection can’t get all the information needed to perform a complete analysis. In this case, a dissolvable agent strikes the balance of getting the data needed with minimal intrusiveness and management overhead.

A good example is a policy compliance check on Windows to enforce strong passwords. Some password checks are easy to verify, such as the check requiring passwords to contain eight or more characters or a mix of alphabetic and non-alphabetic characters. For these checks, the operating system supports a native policy via the Windows registry. All the scan needs to do is remotely query the appropriate Windows registry value to verify that the policy is in place. Because the query is remote, no agent is needed.

More difficult are checks that are not supported by the operating system, and which therefore can’t be verified by checking a registry value: for example, a check requiring that the password doesn’t match the company name.

In this case, the scan needs to compare the actual password to the company name. To access the passwords, the scanning engine uses the dissolvable agent to read, encrypt, and send the password to the scanner. The scanner does the comparison, reports whether the password is in compliance, and securely erases its copy of passwords after it completes the tests. Without the dissolvable agent, this type of check isn’t possible.

So what is a dissolvable agent and how does it work?

An agent is software that runs on the target host where it collects data locally to send back to the scanning engine. The agent is dissolvable because it is created as needed and removes itself when it’s done collecting data.

Information collected by the dissolvable agent is securely transmitted to the scanner using certificates and 256-bit encryption. The information is integrity-protected and stored in memory on the scanner only while the information is processed. The information is discarded as soon as it is no longer needed.
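To make the division of labour described above concrete, here is an added Python example (not Qualys code, and not a description of its protocol) of the scanner-side half of the company-name password check: the hypothetical agent packages an account name and password with an HMAC-SHA256 integrity tag, the scanner verifies the tag, evaluates the three checks named in this post, and zeroes its working copy of the password as soon as the verdict is known. The session key, company name, payload layout, and the use of HMAC for integrity are all assumptions made for the example; transport encryption and certificate authentication (TLS) are assumed to wrap the exchange and are not shown.

```python
"""Scanner-side evaluation of agent-collected passwords (added example)."""
import hashlib
import hmac

# Constructed sample values. A real scanner would derive the session key from
# the certificate-authenticated channel rather than hard-code it.
SESSION_KEY = b"constructed-session-key-for-demo"
COMPANY_NAME = b"examplecorp"


def make_agent_payload(account: str, password: bytes, key: bytes) -> tuple[bytes, bytes]:
    """What the hypothetical agent sends: 'account\\0password' plus an HMAC tag."""
    body = account.encode() + b"\x00" + password
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body, tag


def verify_tag(body: bytes, tag: bytes, key: bytes) -> bool:
    """Constant-time integrity check; a tampered or forged payload is rejected."""
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def unpack(body: bytes) -> tuple[str, bytearray]:
    """Split the payload; the secret goes into a mutable buffer we can zero later."""
    account, _, secret = body.partition(b"\x00")
    return account.decode(), bytearray(secret)


def _fold(b: int) -> int:
    """ASCII case fold for a single byte, so we never build a lower-cased copy."""
    return b + 32 if 65 <= b <= 90 else b


def min_length(pw: bytearray, n: int = 8) -> bool:
    return len(pw) >= n


def mixed_classes(pw: bytearray) -> bool:
    """At least one alphabetic and one non-alphabetic byte (ASCII rules)."""
    has_alpha = any(bytes([b]).isalpha() for b in pw)
    has_other = any(not bytes([b]).isalpha() for b in pw)
    return has_alpha and has_other


def not_company_name(pw: bytearray, company: bytes = COMPANY_NAME) -> bool:
    """Password must not equal the company name, ignoring case."""
    if len(pw) != len(company):
        return True
    return any(_fold(a) != _fold(b) for a, b in zip(pw, company))


CHECKS = (
    ("min_length_8", min_length),
    ("alpha_and_non_alpha", mixed_classes),
    ("not_company_name", not_company_name),
)


def zeroize(buf: bytearray) -> None:
    """Overwrite the working copy in place. Python cannot guarantee that every
    transient immutable copy is gone, which is why the checks above operate on
    the bytearray directly instead of creating bytes/str copies."""
    for i in range(len(buf)):
        buf[i] = 0


def evaluate(secret: bytearray) -> dict[str, bool]:
    """Run every check, then discard the secret whether or not a check raised."""
    try:
        return {name: check(secret) for name, check in CHECKS}
    finally:
        zeroize(secret)


def scan_account(body: bytes, tag: bytes, key: bytes = SESSION_KEY):
    """Full scanner path: verify integrity, evaluate, return (account, results, compliant)."""
    if not verify_tag(body, tag, key):
        raise ValueError("integrity check failed; payload rejected")
    account, secret = unpack(body)
    results = evaluate(secret)
    return account, results, all(results.values())


if __name__ == "__main__":
    body, tag = make_agent_payload("svc_backup", b"ExampleCorp", SESSION_KEY)
    print(scan_account(body, tag))
```

The scanner never stores the password beyond the `evaluate` call: the `finally` block zeroes the buffer even if a check throws, and the case-insensitive comparison is written byte-by-byte so that no lower-cased copy of the secret is created along the way. A deployment that wants the stricter "does not contain the company name" rule would change only `not_company_name`.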

A Matter of Trust and Access

Permanent agents, i.e. agents that remain on the target hosts once installed, can be challenging to use, and we advise against them because of the maintenance, change control, and patching costs they incur. However, to collect certain data that is not accessible remotely, an agent is needed. This is where the dissolvable agent comes into play.

For Unix targets, remote access to the Unix shell gives the same functionality as local access. Given sufficient privileges, a remote scanner can access all the information it needs via remote access to the shell, so no agent software is needed.

For Windows targets, where there is no access to the local shell, there are two ways to access system information without agents:

  • SMB (Server Message Block) Protocol / CIFS (Common Internet File System) File access protocol can access file information such as version numbers
  • RPC (Remote Procedure Call) can access registry values, security settings, and SAM (Security Accounts Manager). RPC can also access DCOM (distributed component object model) objects to determine, for example, what processes are running.

On Windows XP, all of the needed RPC calls are available via external interfaces; however, on Windows Vista, there are a few RPC calls that are available only via internal interfaces, so the dissolvable agent is required. Another example is the detection of security settings for audit subcategories, as required by some compliance benchmarks including SAP.

The Dissolvable Agent Works Fast and Then Disappears

The dissolvable agent works quickly – lasting from less than a second to a few seconds depending on the work it needs to do.

There are two ways to install dissolvable agents on a remote Windows system:

  • via DCOM (distributed component object model), which has the disadvantage that the system admin can disable it.
  • via the service API, instantiating the agent as a service.

Compared to a permanent agent, the dissolvable agent is less intrusive and less expensive because it requires no setup or management, and there is nothing to update.

The dissolvable agent enables safe, secure, remote access to additional information that would otherwise be inaccessible without installing permanent agents on your machine, making your business more secure and ensuring that you meet your policy compliance requirements.


As director of product management at Qualys, Matt Alderman designs, plans and implements compliance solutions that strengthen organisations. With 20 years of experience in IT, including 12 years in network security and compliance, Matt has held key roles addressing risk and compliance needs, including serving as Founder and Chief Technology Officer for ControlPath, VP of compliance management solutions for Trustwave, and director of compliance services at Accuvant.