2023-01-19 08:42 AM - edited 2023-01-19 09:27 AM
| S.No | Feature | Windows | Linux | Mac | RAR [Windows, Linux and Mac] (Note: functionalities are supported on RAR if they are available on direct agents) |
|---|---|---|---|---|---|
| 1 | Basic scans - Inventory | ✅ | ✅ | ✅ | ✅ |
| 2 | Tracking scans [Continuous Scan] | ✅ | ✅ | ✅ | ✅ |
| 3 | Anomaly detection - Inline hooks, Kernel hooks, Suspicious threads, Registry discrepancies | ✅ | ✅ | ✅ | ✅ |
| 4 | Threat Detection Content - Detection Rules/Reports | ✅ | ✅ | ✅ | ✅ |
| 5 | Risk score based on Threat content pack | ✅ | ✅ | ✅ | ✅ |
| 6 | File Reputation Service - File Intel (3rd Party Lookup) | ✅ | ✅ | ✅ | ✅ |
| 7 | Live Connect - Community Intel | ✅ | ✅ | ✅ | ✅ |
| 8 | Analysis of downloaded file | ✅ | ✅ | ✅ | ✅ |
| 9 | Blocking - Block an executable | ✅ | ✅ | | |
| 10 | Agent Protection - Driver Registry Protection / User Mode Kill Protection | ✅ | ✅ | | |
| 11 | PowerShell, Command-line (input) - Report user interactions within a console session | ✅ | ✅ | | |
| 12 | Process Visualization - Unique identifier (VPID) for a process that uniquely identifies the entire process event chain | ✅ | ✅ | ✅ | ✅ |
| 13 | Agent Scan Snapshots - Agents maintain a history of unique and separate snapshots for all scans (manual & scheduled) | ✅ | ✅ | ✅ | ✅ |
| 14 | Agent Management via Group Policy - Easily manage configuration and setting options for groups of endpoint agents by specifying policies | ✅ | ✅ | ✅ | ✅ |
| 15 | Endpoint APIs - A set of REST APIs for hosts and files. Additional APIs are available in later 11.x releases. | ✅ | ✅ | ✅ | ✅ |
| 16 | Host Isolation / Containment - Control the spread of an attack by isolating the host from the network. While isolated, all events are still reported to the Endpoint Server. | ✅ | ✅ | | |
| 17 | Automatic File Download - Automatically download new modules when first seen | ✅ | ✅ | ✅ | ✅ |
| 18 | MFT Download - All Drives (Applicable only for Windows) - Download the Master File Table for analysis | ✅ | | | |
| 19 | System Memory Dump - Download entire host memory for analysis | ✅ | | | |
| 20 | Process Memory Dump - Download memory for a specific process for analysis | ✅ | | | |
| 21 | Manual File Download - Download _any_ file(s) present on the host by full file path/filename | ✅ | ✅ | ✅ | ✅ |
| 22 | Wildcard File Download - Download _any_ file(s) present on the host with wildcards (*) for file path and/or filename | ✅ | ✅ | ✅ | ✅ |
| 23 | Agent History - View history of commands issued to and processed by agents | ✅ | ✅ | ✅ | ✅ |
| 24 | Throttle Network Bandwidth for Log Collection - Limit network bandwidth usage for agents when collecting/sending Windows & Flat File logs | ✅ | ✅ | | |
| 25 | Enhanced Network Visibility (ENV) - Network events enriched with endpoint data, such as source host and process, username, risk score, and other host details | ✅ | ✅ | | |
| 26 | Throttle CPU for Manual Scans - Analysts can use the CPU Maximum slider to select a CPU percentage so that the agent limits its usage to the specified range | ✅ | ✅ | ✅ | ✅ |
| 27 | Upgrade/Uninstall agent via UI - Upgrade and/or uninstall agents from the Netwitness UI | ✅ | ✅ | ✅ | ✅ |
| 28 | Yara Scans on server - Perform Yara scans on automatically-downloaded files/modules | ✅ | ✅ | ✅ | ✅ |
| 29 | Create and Group by Custom Tags - Create tags for _any_ specific agent(s), and leverage those tags in Endpoint Groups/Policies | ✅ | ✅ | ✅ | ✅ |
| 30 | Save multiple local copies of downloaded files at once - Analysts can download and save multiple files from the UI at once | ✅ | ✅ | ✅ | ✅ |
| 31 | Forward Windows/File logs - Administrators can collect Windows and File logs on non-VLC systems by forwarding to a custom system | ✅ | ✅ | ✅ | ✅ |
| 32 | Full System Scans - Analysts can request a full scan of the disk | ✅ | ✅ | ✅ | ✅ |
| 33 | Opswat Meta scan Integration - Provides the ability to perform simultaneous analysis of files with multiple anti-malware engines | ✅ | ✅ | ✅ | ✅ |
| 34 | Yara scan on endpoint agent - Analysts can trigger a Yara scan on selected endpoint agents | ✅ | ✅ | | |