Agent Configurations
Table of Contents
- 1 Table of Contents
- 2 Agent Types
- 3 Lightweight Agent (Default Agent Type)
- 4 Probe Agent (Network Scan Agent)
- 5 Recommended Minimum Hardware Requirements
- 6 Agent Data Collection Process
- 7 How the Probe Collects Device Data
- 8 Port Requirements for Asset Discovery and Vulnerability Detection
- 9 Agent Proxy Support
- 10 Supported Operating Systems
- 11 Active Directory and Domain Controller Servers
- 12 Agent Command Line Options
- 13 Agent Whitelisting by POD/Region
- 14 How To Install Agent
- 15 How To Uninstall Agent
- 16 Need Support?
Agent Configuration is specific to your POD and is based on the hosting regions. To obtain your POD, please tap the INFO button on the Overview > Dashboard screen as shown below.
Agent Types
ConnectSecure has two agent types: Lightweight (LWA) and Probe.
Find these at the Overview > Agents screen under the two tabs with the count labeled:
By default, any ConnectSecure agent is installed as a Lightweight Agent.
Afterward, you can convert the Lightweight Agent to a Probe Agent by mapping the company-based Discovery settings. Mapping the discovery settings to an agent triggers it to convert to a probe.
Lightweight Agent (Default Agent Type)
The LWA runs an authenticated scan because it is installed with administrator privileges.
The LWA installation uses a continuous scanning method on the locally installed asset.
The LWA does not scan outside the boundaries of the local asset to which it is installed.
That is, it performs no network scanning and no asset discovery; these require the Probe Agent.
The LWA scans automatically based on the parameters in the scan time interval settings.
Navigate to the Company/Global > Settings > Company Settings > Scan Time interval.
If an RMM tool is deployed on the network, you can push the LWA to multiple systems using our prebuilt PowerShell/Terminal scripts, which are provided with the company agent download by OS. https://cybercns.atlassian.net/wiki/x/xgDXfQ
The lightweight agent primarily performs local data collection and inventory during its scan process. It focuses on gathering details such as installed software, software versions, installation paths, running services, operating system information, user accounts, applied patches, and basic hardware details (e.g., hostname, MAC address).
On Windows systems, the agent leverages tools like osquery and PowerShell to perform these checks locally in a read-only manner. It does not make intrusive changes to the system.
The agent runs scheduled scans (by default at regular intervals) to continuously update the asset inventory. If installed on a domain controller, it can also gather Active Directory-related information such as users, groups, and organizational units via LDAP.
All collected data is securely sent to the ConnectSecure cloud platform. If the device is temporarily offline, the data is cached locally and synchronized once connectivity is restored.
Resource usage is optimized to remain lightweight, ensuring minimal impact on system performance during scans.
Probe Agent (Network Scan Agent)
The probe runs an authenticated scan against itself because it is installed with administrator privileges.
The probe is generally best used in environment(s) with controlled IP-addressing.
The probe is compatible with Windows, macOS, Linux, and ARM-based operating systems.
A complete list of supported operating systems is in the table near the end of this document.
Probe Agent uses the following methods to gather data from the scan(s).
Windows: It attempts to use the Admin SMB share to send a small executable called the dissolvable agent, which then runs on the remote machine to fetch the details.
Active Directory: If Active Directory Credentials are provided to the Probe Agent under Discovery Settings, SMB communication fetches information from remote assets.
Darwin/Linux: Requires the latest version of Nmap to be installed; uses SSH credentials and Linux commands to determine what is running.
Network Devices: This uses SNMP to discover the sysObjectID, look up the device's version, and query the vulnerabilities for that version. It also connects to OEM APIs to get the vulnerability details.
You can discover multiple subnets using a single Probe Agent by setting up the address type(s) found in the company discovery settings. Below are some examples of the address types you can use.
CIDR > Example: 192.168.1.0/24
IP Range > Example: 192.168.1.0-192.168.1.100
Static IP > Example: 192.168.1.1
Domain > Example: xyz.com
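A scope check for the four address types above, as an added example that is not ConnectSecure code: it classifies each discovery entry, counts the addresses it covers, and flags entries worth a second look before they are mapped to a probe. The function names, the `max_hosts` threshold and the private-address check are assumptions made for illustration.

```python
import ipaddress
import re

# Hostname pattern for the "Domain" address type (labels of letters, digits, hyphens).
DOMAIN = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def parse_target(entry):
    """Return (address_type, address_count, all_private) for one discovery entry.

    address_count and all_private are None for a Domain, which needs DNS to resolve.
    Raises ValueError for anything that is not one of the four address types.
    """
    entry = entry.strip()
    if "/" in entry:
        # strict=True rejects host bits (192.168.1.5/24) instead of silently widening.
        net = ipaddress.ip_network(entry, strict=True)
        return ("CIDR", net.num_addresses, net.is_private)
    if "-" in entry and not DOMAIN.match(entry):
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad range: {entry}")
        # Both ends being private is not enough: check every block in between.
        blocks = ipaddress.summarize_address_range(lo, hi)
        return ("IP Range", int(hi) - int(lo) + 1, all(b.is_private for b in blocks))
    try:
        return ("Static IP", 1, ipaddress.ip_address(entry).is_private)
    except ValueError:
        if DOMAIN.match(entry):
            return ("Domain", None, None)
        raise ValueError(f"not a CIDR, IP range, static IP or domain: {entry}")


def review_scope(entries, max_hosts=4096):
    """List entries that deserve a second look before they are mapped to a probe."""
    findings = []
    for entry in entries:
        kind, count, private = parse_target(entry)
        if private is False:
            findings.append((entry, "includes non-private addresses"))
        if count is not None and count > max_hosts:
            findings.append((entry, f"{count} addresses exceeds {max_hosts}"))
    return findings
```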
The Probe Agent requires AD credentials to scan Active Directory environments; however, using a Lightweight Agent installed directly on the Domain Controller is the preferred method.
Probe Agent can access workgroup (non-domain) machines using standard or local credentials mapped from the Discovery settings to the Probe.
Probe agent can be used to deploy security patches to remote machines; previously, this would require a lightweight agent, but that is no longer the case.
A probe is designed to perform network-based scanning of other assets within its mapped discovery ranges. It does not perform a network vulnerability scan against itself because that would require it to initiate and analyze traffic originating and terminating on the same host.
Network vulnerability detection requires the scan to originate from a separate machine on the network in order to properly evaluate exposed services and ports. When a probe attempts to scan itself, this external perspective does not exist, and therefore network vulnerabilities cannot be validated correctly.
Using a second probe allows the target probe machine to be assessed from a separate host on the network, which enables accurate detection of network-based vulnerabilities and proper reporting in the portal.
Recommended Minimum Hardware Requirements
Probe Agent (Network Scan Agent) | |||
|---|---|---|---|
Windows | MAC | Linux | ARM |
|
|
|
|
Lightweight Agent (default) | |||
|---|---|---|---|
Windows | MAC | Linux | ARM |
|
|
|
|
The lightweight agent is only scanning the asset on which it is installed | |||
Agent Data Collection Process
Upon installation, the ConnectSecure Vulnerability Scan Agent securely transmits system data to the ConnectSecure Portal using the methods mentioned below.
For Windows probes, the SMBv2 protocol is used to communicate with remote assets on the allowed network. Data is collected through the Admin$ share, which requires write, read, and execute privileges.
For Mac probes, SSH is the preferred communication method for fetching data from remote assets, using Linux commands to fetch details.
For VMware assets, SSH is the preferred communication method to fetch data from remote assets using Linux commands to fetch details.
For Network Devices, the agent uses SNMP (V1/V2/V3) to collect information.
For Firewall Devices, the agent offers credentials and API-based integrations for deeper scanning.
Asset Type | Protocol | Port(s) |
|---|---|---|
Windows Probe Agent | SMBv2 | 445 |
Linux Probe Agent | SSH | 22 |
Mac Probe Agent | SSH | 22 |
VMware | SSH | 22 |
Network Devices | SNMP (V1, V2, V3) | 161/162 |
Windows Asset Discovery Method
Establish an SMB connection to the remote host.
Copy the paexec binary to the ADMIN$ share on the remote host. The ADMIN$ share is a built-in administrative share that provides administrative access to the root of each drive on a Windows machine.
Create a service on the remote host using the paexec binary. This service is responsible for executing the desired process or command.
Start the service to initiate execution of the remote process.
After the agent execution process completes, stop and remove the paexec service from the remote host.
Remove the paexec binary from the ADMIN$ share of the remote host.
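Because the sequence above (a binary written to ADMIN$, then a service created from it) looks the same in logs whoever performs it, monitoring should tie it to the probe's address. The following added example, not ConnectSecure code, correlates share-write events (5145) with service-install events (7045) and labels each paexec service install by where the binary came from. The event records are constructed and simplified, `PROBE_IPS` is a placeholder, and it assumes detailed file share auditing is enabled so that 5145 events exist.

```python
import re

PAEXEC = re.compile(r"paexec", re.IGNORECASE)

# Assumption: address of the machine running the Probe Agent (constructed value).
PROBE_IPS = {"192.168.1.10"}

# Constructed, simplified Windows events. 5145 = file share access (Security log),
# 7045 = new service installed (System log). "host" is the machine that logged it.
EVENTS = [
    {"host": "WS01", "id": 5145, "IpAddress": "192.168.1.10",
     "ShareName": r"\\*\ADMIN$", "RelativeTargetName": "paexec-sample.exe"},
    {"host": "WS01", "id": 7045, "ServiceName": "paexec-sample",
     "ImagePath": r"C:\Windows\paexec-sample.exe"},
    {"host": "WS02", "id": 5145, "IpAddress": "192.168.1.77",
     "ShareName": r"\\*\ADMIN$", "RelativeTargetName": "PAExec-sample.exe"},
    {"host": "WS02", "id": 7045, "ServiceName": "PAExec-sample",
     "ImagePath": r"C:\Windows\PAExec-sample.exe"},
    {"host": "WS03", "id": 7045, "ServiceName": "PAExec-sample",
     "ImagePath": r"C:\Windows\PAExec-sample.exe"},
    {"host": "WS04", "id": 7045, "ServiceName": "UpdaterSvc",
     "ImagePath": r"C:\Program Files\Updater\updater.exe"},
]


def classify(events, probe_ips):
    """Return {host: verdict} for every host where a paexec service was installed."""
    writers = {}  # host -> source IPs that wrote a paexec binary to ADMIN$
    for e in events:
        if (e["id"] == 5145 and e["ShareName"].upper().endswith("ADMIN$")
                and PAEXEC.search(e["RelativeTargetName"])):
            writers.setdefault(e["host"], set()).add(e["IpAddress"])
    verdicts = {}
    for e in events:
        if e["id"] != 7045:
            continue
        if not (PAEXEC.search(e["ServiceName"]) or PAEXEC.search(e["ImagePath"])):
            continue
        sources = writers.get(e["host"], set())
        if not sources:
            verdicts[e["host"]] = "unknown-source"     # no share write was logged
        elif sources <= probe_ips:
            verdicts[e["host"]] = "expected-probe"     # only the probe wrote the binary
        else:
            verdicts[e["host"]] = "unexpected-source"  # some other host wrote it
    return verdicts
```

Anything other than `expected-probe` is worth triage, and `unknown-source` usually means the share-access audit policy is not enabled on that host.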
Linux and VMware require the probe agent to have sudo privileges to fetch data remotely via the SSH protocol.
VMware hosts: The private key field is for SSH key-based authentication and is not mandatory; either a password or a key can be supplied to scan the remote host when adding VMware credentials.
SNMP vs. SSH for VMware Monitoring
What’s the difference between using SNMP and SSH credentials when monitoring VMware environments?
• SNMP (Simple Network Management Protocol) collects basic system metrics like CPU usage, memory stats, and network interface details. It’s lightweight but limited in depth.
• SSH (Secure Shell) provides deeper access, allowing collection of detailed system configurations, software versions, and security settings—ideal for thorough vulnerability assessments.
Recommendation:
For more comprehensive visibility into your VMware systems, SSH credentials are preferred over SNMP.
How the Probe Collects Device Data
Our probe collects device information using multiple methods, depending on the protocols and access available on the target device. Below is a breakdown of the key data typically gathered and the techniques used to retrieve it.
SNMP (Simple Network Management Protocol)
When SNMP is enabled and properly configured, the probe can collect the following data—based on the device’s :
• OS Name (if available)
• OS Build (if available)
• Device Type (if available)
• Hostname (if available)
• System OID (Object Identifier)
These details are retrieved directly from SNMP responses using the device’s.
Nmap Scanning
Nmap is used for active scanning and service enumeration. It provides:
• MAC Address (if available)
• Hostname (if resolvable)
• Open ports and associated services
• Detection of devices using default SNMP community strings
• Basic vulnerability checks (via built-in Nmap scripts and brute-force modules)
Fingerprinting
If SNMP is inaccessible, the probe uses fingerprinting to infer data based on network responses. This may include:
• Hostname
• MAC Address (if available)
• OS Guess
• Manufacturer (if MAC address is available)
• OS Name and OS Build (if determinable)
MAC Address and Manufacturer Identification
To determine MAC address and manufacturer, the probe uses:
• Nmap scanning to retrieve the MAC address
• Fingerprinting to infer the manufacturer
• Cross-referencing MAC addresses against known vendor databases for confirmation
ConnectSecure’s probe does not rely solely on ping sweeps. It starts with TCP port discovery using SYN/connect scans on IANA-standard ports to identify active hosts and listening services. Once responsive ports are detected, it performs service and version detection, followed by targeted Nmap Scripting Engine (NSE) scripts to gather detailed application and protocol information. If credentials are provided, the probe conducts authenticated scans to detect OS and application-level vulnerabilities and misconfigurations. In addition to these methods, the probe also supports NCR, OMR, and X-ray scanning techniques for deeper inspection and analysis.
Port Requirements for Asset Discovery and Vulnerability Detection
When a Probe Agent is deployed, it initiates a port scan across any configured discovery ranges or IP addresses. If relevant ports are detected, the agent proceeds to identify the asset and assess potential vulnerabilities.
Agent Requirements
To ensure successful scanning and asset identification:
Port scanning must be allowed from the agent machine.
The required ports listed must be accessible from the agent to the target assets.
SERVICE | PORT | PROTOCOL |
|---|---|---|
WINDOWS ASSETS | ||
SMB | 445 | TCP |
NetBIOS | 137-139 | UDP/TCP |
ACTIVE DIRECTORY | ||
LDAP | 389 | TCP/UDP |
LDAPS | 636 | TCP |
SMB | 445 | TCP |
DNS | 53 | TCP/UDP |
LINUX & MAC ASSETS | ||
SSH | 22 | TCP |
NETWORK DEVICES | ||
SNMP | 161 | UDP |
SNMP Trap | 162 | UDP |
SNMPv3 | 161 | UDP |
VMware ASSETS | ||
vCenter Server / ESXI (HTTPS) | 443 | TCP |
vCenter Server (Web Client) | 9443 | TCP |
vSphere /ESXI (SSH) | 22 | TCP |
The probe scans 3,500 internal ports on discovered assets to detect protocols, services and vulnerabilities. This provides broad coverage without overwhelming the network.
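To check an ACL between the probe and a scanned subnet against the table above, the added example below (not ConnectSecure code) lists every required flow that no allow rule covers. `REQUIRED` transcribes the table; the rule format and the `RULES` sample are constructed for illustration.

```python
# Required flows from the table above:
# (asset group, service, first port, last port, protocols).
REQUIRED = [
    ("WINDOWS", "SMB", 445, 445, ("tcp",)),
    ("WINDOWS", "NetBIOS", 137, 139, ("tcp", "udp")),
    ("ACTIVE DIRECTORY", "LDAP", 389, 389, ("tcp", "udp")),
    ("ACTIVE DIRECTORY", "LDAPS", 636, 636, ("tcp",)),
    ("ACTIVE DIRECTORY", "SMB", 445, 445, ("tcp",)),
    ("ACTIVE DIRECTORY", "DNS", 53, 53, ("tcp", "udp")),
    ("LINUX & MAC", "SSH", 22, 22, ("tcp",)),
    ("NETWORK DEVICES", "SNMP", 161, 161, ("udp",)),
    ("NETWORK DEVICES", "SNMP Trap", 162, 162, ("udp",)),
    ("NETWORK DEVICES", "SNMPv3", 161, 161, ("udp",)),
    ("VMWARE", "HTTPS", 443, 443, ("tcp",)),
    ("VMWARE", "Web Client", 9443, 9443, ("tcp",)),
    ("VMWARE", "SSH", 22, 22, ("tcp",)),
]

# Constructed allow rules for traffic from the probe to one subnet:
# (protocol, first port, last port).
RULES = [
    ("tcp", 445, 445), ("tcp", 137, 139), ("udp", 137, 138),
    ("tcp", 389, 389), ("tcp", 636, 636), ("udp", 53, 53), ("tcp", 22, 22),
]


def blocked_flows(rules, groups):
    """Return required (group, service, protocol, port) flows that no rule allows."""
    blocked = []
    for group, service, first, last, protocols in REQUIRED:
        if group not in groups:
            continue  # only audit the asset types that live behind this ACL
        for proto in protocols:
            for port in range(first, last + 1):
                if not any(p == proto and lo <= port <= hi for p, lo, hi in rules):
                    blocked.append((group, service, proto, port))
    return blocked
```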
Agent Proxy Support
Use the options below with your agent install method to route the agent through a proxy. Append the -p switch to the end of your agent installer command, as in the examples below:
-p username:password@IPaddress or Hostname:port
e.g. -p user:pass@proxy.example.me:3128
For unauthenticated Proxy
-p IP address or Hostname:port
e.g. -p proxy.example.me:3128
./cybercnsagent.exe -c ██ -e ███████████ -i -p <USERNAME>:<PASSWORD>@<IPADDRESS>:<PORT>;
Supported Operating Systems
ConnectSecure Agents can only be installed on 64-bit (x64) operating systems, except when using the 32-bit ARM installation.
Apple Silicon (ARM64) devices—including M1, M2, M3, and M4 chips—are supported via the macOS agent.
Windows on ARM (Qualcomm Snapdragon) is supported.
UBUNTU OS | |
|---|---|
Ubuntu 14.04 LTS | Trusty Tahr |
Ubuntu 16.04 LTS | Xenial Xerus |
Ubuntu 18.04 LTS | Bionic Beaver |
Ubuntu 20.04 LTS | Focal Fossa |
Ubuntu 22.04 LTS | Jammy Jellyfish |
Ubuntu 24.04 and Latest | Noble Numbat |
CENT OS | |
CentOS - 4.0 | |
CentOS - 5.0 | |
CentOS - 6.0 | |
CentOS - 7.0 | |
CentOS - 8.0 | |
REDHAT LINUX OS | |
RHEL 4 | Nahant |
RHEL 5 | Tikanga |
RHEL 6 | Santiago |
RHEL 7 | Maipo |
RHEL 8 | Ootpa |
OTHER LINUX DISTROS | |
SUSE | |
Rocky Linux | |
Oraclelinux | |
Gentoo Linux - In Progress | |
Fedora | |
Cloudlinux | |
AWS Linux | |
Alpine Linux | |
Alma Linux | |
DEBIAN OS | |
Debian 7 | Wheezy |
Debian 8 | Jessie |
Debian 9 | Stretch |
Debian 10 | Buster |
Debian 11 | Bullseye |
Debian 12 | Bookworm |
Debian 13 | Trixie |
MAC OS (Silicon CPU supported) | |
OS X 10.9 | Mavericks (Cabernet) |
OS X 10.10 | Yosemite (Syrah) |
OS X 10.11 | El Capitan (Gala) |
macOS 10.12 | Sierra (Fuji) |