Agent-based Scanning (Beta)

This document is intended for early-access customers, and it is updated as agent-based scanning features are enhanced. Agents in customer accounts included in the Beta automatically install the new scan components by using Agent or remote collector outbound rules (US) or Agent or remote collector outbound rules (UK).

Alert Logic is upgrading vulnerability scanning features to support scanning on the host by adding OSQuery and OVALdi scan components to the existing Alert Logic agent.

Upgrades to the scanning experience

The agent-based scan upgrade improves the efficiency, accuracy, and usability of Alert Logic vulnerability scanning features with the following advantages over network scanning:

No Credential Management: Agent-based scanning does not require credential management. Users of authenticated network scans had to configure access and manage credentials for assets and networks. The agent is installed on the host with all the permissions it needs and does not require any further authentication.

Reduced Network Traffic: Agent-based scanning reduces network traffic by running locally on the host and sending only the results to the network appliance for final analysis.

Limited Network and Host Processing Impact: Authenticated and unauthenticated network scans can adversely impact some networks and hosts. Agent-based scanning reduces network impacts by running locally on the host and limits host processing impact to less than 5 minutes. For detailed information on host impacts, see Requirements for the Alert Logic agent with scan components.

Increased Host-Target Availability: You can deploy the agent on hosts that are impossible or impractical to scan from the network.

Better Vulnerability Accuracy: Agent-based scanning increases the accuracy and reliability of vulnerability scan results. Improved coverage includes better operating system, application, patch, and kernel level vulnerability assessment. For more information, see Scan-based vulnerability assessment coverage details.

Requirements

A host must meet the following criteria to support agent-based scanning.

Node subscription level

The host node must be configured for the Alert Logic MDR Professional or Alert Logic MDR Enterprise level of protection. You can verify or change the protection levels by using Entitlement Summary or Change Protection Level of an Asset.

Host operating system

The host must run a supported Windows or Linux operating system.

The container agent can install the scan components but does not run the scan function. Hosts with only the Extended Endpoint Protection agent do not install the agent-based scan components.

The agent-based scanning components are fully validated on the following operating systems. Older Linux and Windows operating systems may work, but will report a large number of vulnerabilities.

| Operating System | Installation Guide |
| --- | --- |
| Amazon Linux 2 | Install the Alert Logic Agent for Linux |
| CentOS 6, 7, 8 | Install the Alert Logic Agent for Linux |
| Debian 9, 10 | Install the Alert Logic Agent for Linux |
| Red Hat Enterprise Linux (RHEL) 7 | Install the Alert Logic Agent for Linux |
| Windows 7 | Install the Alert Logic Agent for Windows |
| Windows 10 (All) | Install the Alert Logic Agent for Windows |
| Windows Server 2008 (All) | Install the Alert Logic Agent for Windows |
| Windows Server 2012 (All) | Install the Alert Logic Agent for Windows |
| Windows Server 2016 (All) | Install the Alert Logic Agent for Windows |
| Windows Server 20H2 | Install the Alert Logic Agent for Windows |

Installed agent and agent health

The agent must be installed on the host. Agent health problems related to connectivity or resource issues may prevent the agent-based scan components from installing. You can verify the presence and health of the agent on a specific host by using Health and the Missing Agent Digest report.

A feature to view agent status from the Topology page will be available in the future.

Requirements for the Alert Logic agent with scan components

Scan components of the agent require the following in addition to the standard Requirements for the Alert Logic Agent.

| Requirement Type | Additional System Requirement for Scan Components | Total System Requirement |
| --- | --- | --- |
| Storage | 102MB | 652MB |

Processing requirements and host impact for running an agent-based scan

During the first Beta group, the agent-based scan runs at a different time than the network scan, though the results are not enumerated and delivered to you until a network scan is complete. The host impact for processing requirements only occurs for the duration defined below, at run-time. For more information about the timing and frequency of running agent-based scanning, see Beta group 1: agent-based scan by frequency.

| Type | Operating System | Scan Component | System Requirement | Duration of Demand (Estimate) |
| --- | --- | --- | --- | --- |
| RAM (Max) | Windows | OSQuery | 50MB | 5 seconds |
| RAM (Max) | Windows | OVALdi | 70MB | 3 minutes |
| RAM (Max) | Linux | OSQuery | 30-50MB | 5 seconds |
| RAM (Max) | Linux | OVALdi | 90MB | 4 minutes |
| CPU | Windows | Both | Up to 100%, running at low priority | 3-4 minutes |
| CPU | Linux | Both | Up to 100%, running at low priority | 4-5 minutes |

Scan using Alert Logic agents

Any successful network scan of a host that meets the Requirements automatically recognizes and collects the results of the latest agent-based scan.

Beta group 1: agent-based scan by frequency

In the first Beta group, the agent initially scans the host 0-24 hours after installation is complete. Subsequent scans run every 12-36 hours after the completion of the previous scan. The results of the agent-based host scan are not visible in the Alert Logic console until a network scan completes. For technical details on agent-based and network-based vulnerability coverage, see Scan-based vulnerability assessment coverage details.

You can collect the latest results from agent-based scans on target host(s) using two methods:

Scan Schedule Scope: Complete an internal network scan with the host(s) that you want the agent to scan in scope of the scan schedule. For more information on asset scopes in scan schedules, see Define the scope of the assets to scan.

Scan Now: You can use the Scan Now feature from the Topology page of the Alert Logic console to collect the latest agent-based scan results from an individual host as soon as possible. For more information on the Scan Now feature, see Scan Now.

View the results of an agent-based scan

Expect a significant increase in the number of detected vulnerabilities with a new agent-based scan, especially if you did not previously use authenticated scans on the host. Vulnerabilities detected by the agent have the "Agent" category on the Exposures page.

Agent-based scan results are also available in Vulnerabilities Reports and Remediations Reports.

Scan-based vulnerability assessment coverage details

| Vulnerability Type | Host-based Scan (Agent) | Network Scan (no credentials) | Authenticated Network Scan (credentials) |
| --- | --- | --- | --- |
| System-level vulnerabilities (kernel - Windows OS) | Yes | Partial | Yes |
| Application-level exposures (RHEL) | Yes | | Yes |
| Application-level exposures (Debian) | Yes | | Yes |
| Application-level exposures (Windows Programs) | Yes | | Yes |
| Configuration Check (TLS/Certificates, Common U/P) | | Yes | Yes |
| Web Application Testing | | Partial | Partial |
| Active Exploits/ SQL Injections/ Etc | | Partial | Partial |

Deference to agent-based scanning

Agent-based scans and authenticated network scans provide equivalent vulnerability assessment for OS, application, patch, and kernel level vulnerabilities.

Therefore, to reduce impact on the network and host, when an authenticated network scan begins scanning a particular host, it first checks that host for the presence of agent-based scan results.

If agent-based scan results are present on the host:

The authenticated scan will not run against the host. The unauthenticated network scan will still run against the host.

If no agent-based scan results are present on the host:

The authenticated network scan runs as configured against the host.
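The following Python model, added here as an illustration and not Alert Logic's own code, captures two rules from this page so that an operator can reason about them together: the deference rule above (authenticated scan skipped when agent results are present, unauthenticated scan always run, agent results collected whenever the host meets the requirements) and the Beta group 1 cadence (first agent scan within 24 hours of installation, subsequent scans within 36 hours of the previous one), which it uses to flag hosts whose agent-based results look overdue. The `Host` record, its field names, the protection-level strings, and the sample hosts are constructed for the example; the hour limits come from the page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Cadence documented for Beta group 1; used here only to judge staleness.
FIRST_SCAN_MAX = timedelta(hours=24)  # first agent scan runs 0-24 h after install
RESCAN_MAX = timedelta(hours=36)      # later scans run 12-36 h after the previous one

# Protection levels that support agent-based scanning (strings are constructed).
SUPPORTED_LEVELS = ("Professional", "Enterprise")


@dataclass
class Host:
    """Constructed inventory record for one host (not an Alert Logic data model)."""
    name: str
    protection_level: str
    agent_installed_at: Optional[datetime]   # None when no agent is installed
    agent_healthy: bool                      # connectivity/resource health is good
    last_agent_scan_at: Optional[datetime]   # completion time of latest agent scan


def meets_requirements(host: Host) -> bool:
    """Subscription level, installed agent, and agent health, as listed under Requirements."""
    return (
        host.protection_level in SUPPORTED_LEVELS
        and host.agent_installed_at is not None
        and host.agent_healthy
    )


def agent_results_present(host: Host) -> bool:
    """Agent-based results exist only on hosts that meet the requirements and have scanned."""
    return meets_requirements(host) and host.last_agent_scan_at is not None


def plan_network_scan(host: Host, authenticated: bool) -> dict:
    """Apply the deference rule to decide what a network scan of this host does."""
    present = agent_results_present(host)
    return {
        # The unauthenticated network scan always runs against the host.
        "unauthenticated": True,
        # The authenticated scan is skipped when agent-based results are present.
        "authenticated": authenticated and not present,
        # Any successful network scan of a qualifying host collects the latest agent results.
        "collect_agent_results": present,
    }


def agent_scan_overdue(host: Host, now: datetime) -> bool:
    """True when the agent scan is later than the documented cadence allows."""
    if not meets_requirements(host):
        return False  # no agent scan is expected on this host
    if host.last_agent_scan_at is None:
        return now - host.agent_installed_at > FIRST_SCAN_MAX
    return now - host.last_agent_scan_at > RESCAN_MAX


# Constructed sample hosts and a fixed "now" so the example is deterministic.
NOW = datetime(2021, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_HOSTS = [
    Host("web-01", "Enterprise", NOW - timedelta(days=10), True, NOW - timedelta(hours=20)),
    Host("db-01", "Professional", NOW - timedelta(days=10), True, NOW - timedelta(hours=40)),
    Host("build-01", "Professional", NOW - timedelta(hours=30), True, None),
    Host("legacy-01", "Essentials", NOW - timedelta(days=10), True, NOW - timedelta(hours=5)),
    Host("noagent-01", "Enterprise", None, False, None),
]


def report(hosts=SAMPLE_HOSTS, now=NOW) -> dict:
    """Summarise scan plan and staleness for each host, keyed by host name."""
    return {
        h.name: {
            "plan": plan_network_scan(h, authenticated=True),
            "overdue": agent_scan_overdue(h, now),
        }
        for h in hosts
    }


if __name__ == "__main__":
    for name, row in report().items():
        print(name, row)
```

The `overdue` flag is the check a defender actually wants from this page: because agent results are invisible in the console until a network scan completes, a host whose agent stopped scanning silently keeps its old results, and the deference rule then also suppresses the authenticated network scan that would otherwise have caught it.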