Agent Modes
Note: The information in this topic applies to NetWitness Version 11.3 and later.
In NetWitness 11.3 and later, the Endpoint agent can operate either in Insights or Advanced mode depending on the policy configuration. For more information on policy configuration, see the NetWitness Endpoint Configuration Guide. You can have both Insights and Advanced agents in a single deployment.
There is no license required for the Insights agent. However, you must procure a license for an Advanced agent. For more information on licensing, see the Licensing Management Guide.
The following table lists the features supported for Insights and Advanced agents:
Feature | Insights Agent | Advanced Agent |
---|---|---|
Full System Scan | No | Yes (agent version 11.6.1 or higher) |
Scan data - Processes, Autoruns, Files, Drivers, Libraries, and System Information | Yes - Windows, Mac, and Linux | Yes - Windows, Mac, and Linux |
Tracking data - Process, File, Registry, Network, and Console | No | Yes - Windows and Mac. Registry and Console events are applicable only for Windows. |
Expanded network visibility | Yes - Windows | Yes - Windows |
Anomaly detection - Image Hooks, Kernel Hooks, Registry Discrepancies, and Suspicious Threads | No | Yes - Windows |
Windows log collection | Yes | Yes |
File log collection | Yes - Windows | Yes - Windows |
Threat detection content - ESA, Application Rules | Yes | Yes |
Analysis of downloaded file | Yes | Yes |
File status - Whitelist, Blacklist, Graylist, and Neutral | Yes | Yes |
File remediate (Block) | No | Yes - Windows |
Process visualization | No | Yes |
Live connect | Yes | Yes |
File reputation service (Third-party lookup) | Yes | Yes |
Risk score for hosts | No | Yes |
MFT, process dump, and system dump download | No | Yes - Windows |
Automatic file download | Yes | Yes |
Automatic Memory DLL Download | No | Yes |
Manual file download | No | Yes |
Network isolation | No | Yes - Windows |
Relay server | Yes | Yes |