The scan process involves two files:

  • Offline Scan Configuration - Contains the configuration information needed to run the scan.

  • Scan Results File - Contains the results of the scan, which you can upload using the Scan > Upload Offline Scan File option on the Hosts view. NetWitness then imports and processes this file.

Standalone scan workflow:

[Figure: standalone scan workflow flowchart]

Note: Both Download Offline Scan Configuration and Upload Offline Scan File options are available only on the Endpoint server view. These options can’t be accessed from Broker view.

Generate the scan configuration file

1. Click Scan > Download Offline Scan Configuration on the Hosts screen.


On the Download Offline Scan Configuration pop-up:

2. (Optional) Select CPU Maximum.

3. Enter a Password (not more than 31 characters long).

4. Click Download.


5. Transfer the Offline Scan Configuration file to the air-gapped host.

Install Endpoint Agent and Register for Standalone Scan

  1. Install the Endpoint Agent on the air-gapped host. Refer to the Endpoint Agent Installation Guide for more information.

  2. Register the agent for standalone scan (required only when an agent is installed).

    • If you are using a Windows machine, open command prompt in administrator mode and execute the following command:

      ServiceName.exe /standalone

      Example: NWEAgent.exe /standalone

    • If you are using a Linux machine, open the terminal as a root user and execute the following command:

      /opt/rsa/nwe-agent/bin/nwe-agent /standalone

Start a Standalone scan on Windows

  1. Open the command prompt in Administrator mode, on the air-gapped host.
  2. Execute the scan using the following command (syntax):

    ServiceName.exe /scan /password "<password>" /scanfile "<filepath>"

    Example: NWEAgent.exe /scan /password "Abc123$" /scanfile "C:\Users\johndoe\Downloads\2021-12-06-Full Scan Configuration.scanfile"

    • <password> is the password entered while generating the Offline Scan Configuration File.

    • <filepath> is the name of the scan configuration file, including its full path.

  3. Wait until the scan is completed.
  4. Transfer the scan result file (password-protected .zip file) to upload to the UI.

Start a Standalone scan on Linux

  1. Open the terminal as a root user, on the air-gapped host.
  2. Execute the scan using the following command (syntax):

    /opt/rsa/nwe-agent/bin/nwe-agent /scanfile "<file_path>" /password "<pwd>"

    Example: /opt/rsa/nwe-agent/bin/nwe-agent /scanfile "/home/ubuntu/Desktop/2024-02-04-Full Scan Configuration.scanfile" /password "abc@123"

  3. Wait until the scan is completed.
  4. Transfer the scan result file (password-protected .zip file) to upload to the UI.
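
Added example (not part of the original page and not NetWitness code): a POSIX shell wrapper for the Linux procedure above that checks for root, a readable scan configuration file, and the 31-character password limit before starting the agent, and prompts for the password instead of taking it from the typed command line. The function names and exit codes are assumptions of this example; the agent path and options are the ones shown on this page.

```shell
#!/bin/sh
# Added example, not vendor code: pre-flight checks before a Linux standalone scan.
AGENT="${AGENT:-/opt/rsa/nwe-agent/bin/nwe-agent}"  # agent path from this page
MAX_PW_LEN=31                                       # password limit from this page

# Succeeds when the password is 1..MAX_PW_LEN characters long.
check_password() {
    pw_len=${#1}
    [ "$pw_len" -ge 1 ] && [ "$pw_len" -le "$MAX_PW_LEN" ]
}

# Succeeds when the scan configuration file exists and is readable.
check_scanfile() {
    [ -f "$1" ] && [ -r "$1" ]
}

# usage: preflight <uid> <scanfile> <password>   (hypothetical helper)
# Reports the first failed check on stderr; returns 0 when the scan can start.
preflight() {
    [ "$1" -eq 0 ] || { echo "run as root" >&2; return 1; }
    check_scanfile "$2" || { echo "cannot read scan file: $2" >&2; return 2; }
    check_password "$3" || { echo "password must be 1-$MAX_PW_LEN characters" >&2; return 3; }
    [ -x "$AGENT" ] || { echo "agent not found: $AGENT" >&2; return 4; }
}

# Prompt with echo off so the password is not typed into shell history.
read_password() {
    printf 'Scan password: ' >&2
    trap 'stty echo; exit 130' INT TERM
    stty -echo; IFS= read -r SCAN_PW; stty echo
    trap - INT TERM
    printf '\n' >&2
}

# usage: run_standalone_scan <scanfile>
# The password is still an argument of the agent process while the scan runs.
run_standalone_scan() {
    read_password
    preflight "$(id -u)" "$1" "$SCAN_PW" || return $?
    "$AGENT" /scanfile "$1" /password "$SCAN_PW"
}

# Runs only when a scan file path is passed to the script.
if [ "$#" -ge 1 ]; then
    run_standalone_scan "$1"
fi
```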

Upload the Standalone scan result file

1. Click Scan > Upload Offline Scan File on the Hosts screen.


2. Click the open icon and upload the scan result file.

3. Enter the same password that was entered while downloading the offline scan configuration file.

4. The Endpoint server will process the scan result file once successfully uploaded.


Note: Standalone agents can only be upgraded manually using the Endpoint agent packager. Refer to Generate an Endpoint Agent Packager in the Endpoint Agent Installation Guide for more information.