Agent-based Scanning (Beta)

This document is intended for early-access customers, and it is updated as agent-based scanning features are enhanced. Agents in customer accounts included in the Beta automatically install the new scan components by using Agent or remote collector outbound rules (US) or Agent or remote collector outbound rules (UK).

Alert Logic is upgrading vulnerability scanning features to support scanning on the host by adding OSQuery and OVALdi scan components to the existing Alert Logic agent.

Upgrades to the scanning experience

The agent-based scan upgrade improves the efficiency, accuracy, and usability of Alert Logic vulnerability scanning features with the following advantages over network scanning:

No Credential Management: Agent-based scanning does not require credential management. Users of authenticated network scans had to configure access and manage credentials for assets and networks. The agent is installed on the host with all the permissions it needs and does not require any further authentication.

Reduced Network Traffic: Agent-based scanning reduces network traffic by running the assessment locally on the host and sending only the results to Alert Logic for final analysis.

Limited Network and Host Processing Impact: The network scan will not run redundant vulnerability assessments when agent-based scan is active on a host. Agent-based scanning reduces network impacts by running locally on the host and limits host processing impact to less than 5 minutes. For detailed information on host impacts, see Requirements for the Alert Logic agent with scan components.

Better Vulnerability Accuracy: Agent-based scanning increases the accuracy and reliability of vulnerability scan results. Improved coverage includes better operating system, application, patch, and kernel level vulnerability assessment. For more information, see Scan-based vulnerability assessment coverage details.

Requirements

A host must meet the following criteria to support agent-based scanning.

Node subscription level

The host node must be configured for the Alert Logic MDR Professional or Alert Logic MDR Enterprise level of protection. You can verify or change the protection levels by using Entitlement Summary or Change Protection Level of an Asset.

Host operating system

The host must run a supported Windows or Linux operating system.

The container agent can install the scan components but does not run the scan function. Hosts with only the Extended Endpoint Protection agent do not install the agent-based scan components.

The agent-based scanning components are fully validated on the following operating systems. Older Linux and Windows operating systems may work, but will report a large number of vulnerabilities.

| Operating System | Installation Guide |
|---|---|
| Amazon Linux 2 | Install the Alert Logic Agent for Linux |
| CentOS 6, 7, 8 | Install the Alert Logic Agent for Linux |
| Debian 9, 10 | Install the Alert Logic Agent for Linux |
| Red Hat Enterprise Linux (RHEL) 7 | Install the Alert Logic Agent for Linux |
| Windows 7 | Install the Alert Logic Agent for Windows |
| Windows 10 (All) | Install the Alert Logic Agent for Windows |
| Windows Server 2008 (All) | Install the Alert Logic Agent for Windows |
| Windows Server 2012 (All) | Install the Alert Logic Agent for Windows |
| Windows Server 2016 (All) | Install the Alert Logic Agent for Windows |
| Windows Server 20H2 | Install the Alert Logic Agent for Windows |

Installed agent and agent health

The agent must be installed on the host. Agent health problems related to connectivity or host resources may affect the installation and execution of agent-based scanning. You can verify the health and presence of an agent on a specific host by using the Health page and the Missing Agent Digest report.

A feature to view agent status from the Topology page will be available in the future.

Requirements for the Alert Logic agent with scan components

Scan components of the agent require the following in addition to the standard Requirements for the Alert Logic Agent.

| Requirement Type | Additional System Requirement for Scan Components | Total System Requirement |
|---|---|---|
| Storage | 102MB | 652MB |

Processing requirements and host impact for running an agent-based scan

The agent-based scan runs at a different time than the network scan, though the results are not enumerated and delivered until a network scan is complete with the host in scope. The host impact for processing requirements only occurs for the duration defined below, at run-time. For more information about the timing and frequency of running agent-based scanning, see Agent-based scan run-time and result visibility.

| Type | Operating System | Scan Component | System Requirement | Duration of Demand (Estimate) |
|---|---|---|---|---|
| RAM (Max) | Windows | OSQuery | 50MB | 5 seconds |
| RAM (Max) | Windows | OVALdi | 70MB | 3 minutes |
| RAM (Max) | Linux | OSQuery | 30-50MB | 5 seconds |
| RAM (Max) | Linux | OVALdi | 90MB | 4 minutes |
| CPU | Windows | Both | Up to 100%, running at low priority | 3-4 minutes |
| CPU | Linux | Both | Up to 100%, running at low priority | 4-5 minutes |

Scan using Alert Logic agents

A successful network scan of a host that meets the Requirements for agent-based scanning automatically recognizes and collects the results of the latest agent-based scan.

Agent-based scan run-time and result visibility

The initial agent-based scan will run within 12 hours after the install of the scan components on the host. Subsequent agent-based scan run-times are governed by the scan windows defined in Internal Scan schedules.

If the scan window is set to scan any time (default):

The agent-based scan runs every 12 hours from the initial execution. The results of the agent-based host scan are visible in the Alert Logic console once an internal network scan completes.

If the scan window is defined to specific start and end times:

The agent-based scan runs at the start of the window. The results of the agent-based host scan are visible in the Alert Logic console once the internal network scan completes for the window. For more information on asset scopes in scan schedules, see Define the scope of the assets to scan.

Scan Now: You can use the Scan Now feature from the Topology page of the Alert Logic console to collect the latest agent-based scan results from an individual host as soon as possible. For more information on the Scan Now feature, see Scan Now.

The Scan Now feature does not run a new agent-based scan. The feature runs an internal network scan on the host, which gathers the latest agent-based scan results from the host.

View the results of an agent-based scan

You should expect a significant increase in the number of detected vulnerabilities with a new agent-based scan if you did not previously use authenticated scans on the host. Vulnerabilities detected by the agent have the "Agent" category on the Exposures page.

Agent-based scan results are also available in Vulnerabilities Reports and Remediations Reports.

Scan-based vulnerability assessment coverage details

| Vulnerability Type | Host-based Scan (Agent) | Network Scan (no credentials) | Authenticated Network Scan (credentials) |
|---|---|---|---|
| System-level vulnerabilities (kernel - Windows OS) | Yes | Partial | Yes |
| Application-level exposures (RHEL) | Yes | | Yes |
| Application-level exposures (Debian) | Yes | | Yes |
| Application-level exposures (Windows Programs) | Yes | | Yes |
| Configuration Check (TLS/Certificates, Common U/P) | | Yes | Yes |
| Web Application Testing | | Partial | Partial |
| Active Exploits/ SQL Injections/ Etc | | Partial | Partial |

Network scanning and agent-based scanning

Agent-based scans and authenticated network scans provide similar vulnerability assessment coverage for OS, application, patch, and kernel level vulnerabilities. To reduce impact to the network and host, when an authenticated network scan begins scanning a particular host, it checks in with that host for the presence of agent-based scan configuration.

If agent-based scan is configured on the host:

The network scan will not run redundant vulnerability assessments for the host. The agent evaluates OS, application, patch, and kernel vulnerabilities. The unauthenticated network scan evaluates configuration checks, web application testing, and active exploits, SQL injection, and similar checks.

If agent-based scan is not configured on the host:

The network scan runs vulnerability assessments as configured (authenticated or unauthenticated) against the host.
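As an added illustration (example code, not Alert Logic's own implementation), the following Python model encodes the run-time rules from "Agent-based scan run-time and result visibility" and the de-duplication rule from this section; the daily scan window, the category names, and the sample dates are assumptions of this example.

```python
from datetime import datetime, timedelta

# Constructed model of the rules described above (example code, not Alert Logic's own).
AGENT_INTERVAL = timedelta(hours=12)
AGENT_CATEGORIES = {"os", "application", "patch", "kernel"}
NETWORK_ONLY_CATEGORIES = {"configuration", "web_application", "active_exploit"}

def agent_scan_runs(first_run: datetime, until: datetime, window_start=None) -> list:
    """Agent run times up to `until`: every 12 hours from the first run (scan any time, the
    default) or at each day's window start, given as an offset from midnight (daily assumed)."""
    runs = [first_run]
    if window_start is None:
        t = first_run + AGENT_INTERVAL
        while t <= until:
            runs.append(t)
            t += AGENT_INTERVAL
    else:
        t = first_run.replace(hour=0, minute=0, second=0, microsecond=0) + window_start
        while t <= until:
            if t > first_run:
                runs.append(t)
            t += timedelta(days=1)
    return runs

def network_scan_categories(agent_configured: bool, authenticated: bool) -> set:
    """Categories the network scan assesses. With the agent configured it leaves OS, application,
    patch and kernel checks to the agent and runs only the unauthenticated checks."""
    if agent_configured or not authenticated:
        return set(NETWORK_ONLY_CATEGORIES)
    return AGENT_CATEGORIES | NETWORK_ONLY_CATEGORIES

def results_visible(agent_runs: list, network_done: datetime):
    """Latest agent run the console shows once a network scan (Scan Now included)
    completes with the host in scope; Scan Now does not start a new agent run."""
    prior = [r for r in agent_runs if r <= network_done]
    return max(prior) if prior else None

def demo() -> dict:
    """Constructed scenario: first agent run 08:00 on 2021-01-01, Scan Now completes at 15:00."""
    first = datetime(2021, 1, 1, 8, 0)
    any_time = agent_scan_runs(first, datetime(2021, 1, 2, 9, 0))
    windowed = agent_scan_runs(first, datetime(2021, 1, 3, 9, 0), timedelta(hours=22))
    return {
        "any_time": [r.isoformat() for r in any_time],
        "windowed": [r.isoformat() for r in windowed],
        "after_scan_now": results_visible(any_time, datetime(2021, 1, 1, 15, 0)).isoformat(),
        "agent_host": sorted(network_scan_categories(True, True)),
    }
```

Running demo() shows that Scan Now at 15:00 surfaces the 08:00 agent results rather than triggering a fresh agent scan, and that an agent-configured host receives only the network-only checks from an authenticated scan.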