This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
NetWitness Endpoint 4.x Knowledge Base
Find answers to your questions and identify resolutions for known issues with knowledge base articles written by NetWitness Endpoint 4.x experts.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- NetWitness Community
- Products
- NetWitness Platform
- Endpoint 4.x Knowledge Base
- StandAlone Scan
-
Options
- Subscribe to RSS Feed
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
StandAlone Scan
Article Number
000033081
Applies To
RSA Product Set: ECAT
RSA Version/Condition: 4.1.x and higher versions
Platform: Windows
Product Name: RSA
Product Description: ECAT Agents
RSA Version/Condition: 4.1.x and higher versions
Platform: Windows
Product Name: RSA
Product Description: ECAT Agents
Issue
Purpose of the Standalone Agent Scan.
How to configure and what are ramifications (if any) when running on a compromised or infected system.
How to configure and what are ramifications (if any) when running on a compromised or infected system.
Task
Directions from the 4.1 ECAT User Guide (page 122)
Perform a Scan in Standalone Mode
If the client machine is not connected to a network and cannot communicate with ConsoleServer, a scan in stand-alone.
The mode can be performed.
This type of scan is performed manually on the client machine.
Use ECAT UI to generate a scan configuration file.
To generate the scan configuration file:
- Click Tools > Standalone Scan > Export Scan Configuration.
- (Optional) Select desired parameters.
- You have two options for scanning:
◦ Click Quick Scan or Full Scan under the Default tab of the Request Scan dialog box.
◦ If you wish to customize the categories or parameters for your scan, access the Advanced tab, select the desired options, and click Proceed.
- Enter a password to protect the scan configuration file and click OK.
Note: The password must be between 8 and 32 characters. It should be recorded for reference because it will be used later in the process.
- Navigate to the location where you want to save the file.
- Enter a filename and click Save.
- Transfer the scan configuration file to the client machine. This can be performed with a USB key or any other kind of media.
- Install the agent using the same package that would have been used for a normal agent installation.
Note: If the agent is already deployed, it does not need to be reinstalled. Any agent installation will work.
Once the agent is installed, start the stand-alone scan.
To start a stand-alone scan:
- Open a command prompt on the client machine.
- Locate the client .exe file in the folder C:\windows\system32.
The filename is the one provided in the “ECAT Service Name” field in the ECAT Packager.
- Run the .exe file in the command prompt using the following syntax:
ECAT /password <password> /scanfile <scan config file>
Where:
<password> is the password provided to ECAT UI when generating the scan configuration file.
<scan config file> is the path to the scan configuration file.
Wait until the “Scan completed” message is displayed.
- Transfer the result file back to the machine hosting ECAT UI for the import after the scan is completed.
Note: The file location is displayed in the command prompt.
To import stand-alone scan data:
- Click Tools > Standalone Scan > Import Scan Data.
- Navigate to the location of the scan data file and click Open.
- Enter the same password that was provided earlier in the process.
- The scan has now been queued and will be processed by ConsoleServer
Resolution
The reason for a stand-alone feature would make it possible to collect data from air-gapped machines and those that are disconnected from the network due to being infected with a virus or malware.
The scan is composed of two files.
The requested file is the configuration information needed to run the scan and the received file contains the results of the scan.
Both files are encrypted.
Contents of the results file are not executable, so they can be imported and processed by ECAT.
The scan is composed of two files.
The requested file is the configuration information needed to run the scan and the received file contains the results of the scan.
Both files are encrypted.
Contents of the results file are not executable, so they can be imported and processed by ECAT.
Tags (36)
- 4
- 4.1
- 4.1.x
- 4.x
- Customer Support Article
- ECAT
- Endpoint
- Helpful Hints
- How To
- Informational
- Instructions
- KB Article
- Knowledge Article
- Knowledge Base
- NetWitness
- NetWitness Endpoint
- NW
- NW Endpoint
- NWE
- Process Steps
- RSA ECAT
- RSA NetWitness
- RSA NetWitness Endpoint
- RSA NetWitness Platform
- RSA Security Analytics
- Security Analytics
- SIEM
- Tip & Tricks
- Tips and Tricks
- Tutorial
- Version 4
- Version 4.1
- Version 4.1.x
- Version 4.x
- Walk Through
- Walkthrough
No ratings
