- Do not install the operating system on a VMWare or VirtualBox virtual machine.
- There must be no other Scout, Soldier or Elite instance on the PC.
- DeviceInfo (it cannot be disabled from the console). It returns:
- installed operating system version;
- CPU architecture (32 or 64 bit);
- RAM (used and installed);
- installed applications;
- info about the user logged in;
- info about local date and time.
- Screenshot. It returns:
When a computer is infected, the Scout executable file is copied (after about 15 seconds) to the Windows autostart folder. The silent installer that infected the PC stays in RAM until the next system reboot/logoff and synchronizes with the server, sending the collected data. When it is loaded into memory, the Scout checks if:
- the operating system is running in a Virtual Machine (VMWare or VirtualBox);
- the PC is running an Elite instance;
- the PC is running a Soldier instance.
If the PC is running an Elite instance and the Scout executable file was run from the Windows Startup folder, the Scout executable file is deleted from the PC; in all other cases the process ends without further actions.
The Scout agent deals with:
- acquiring system data (DeviceInfo) and saving a desktop screenshot. The screenshot module is active only if it was enabled in the Console during the factory building process;
!!! ⇒ The system data are sent only once for each Scout execution, whereas the screenshots are sent periodically.
- synchronizing with the server to send the collected data;
- receiving commands or updates from the server.
Synchronisation with the server
When the Scout process is run, after the initial control procedures it waits for 5 minutes without performing any task. Once the 5 minutes have elapsed, the process resumes at the first user activity detected (input from keyboard or mouse). It then creates the synchronization thread that deals with exchanging data with the server; if the server has sent an upgrade command to Elite or Soldier, the Scout instance is updated.
Synchronization occurs every 20 minutes if the previous synchronization was successful; otherwise a new connection attempt is made every 5 minutes.
!!! ⇒ The synchronization timers cannot be edited by console.
Synchronization timers overview
- After 5 minutes since the application starts, plus any time of user inactivity (no input from the mouse or keyboard).
- After 20 minutes since previous successful synchronization.
- After 5 minutes since previous failed synchronization.
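As a defender-side check on the synchronization timers listed above (an added example, not code from the original document): the script below scans an outbound-connection log and flags destinations contacted at the 20-minute and 5-minute cadences described. The log lines, addresses and timestamps are constructed sample values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of outbound connection records ("timestamp destination")
# from one host; not taken from the original document. The first two gaps for
# 198.51.100.7 mimic the 5-minute retry after failed syncs, the remaining gaps
# the 20-minute cadence after successful syncs. 203.0.113.5 is ordinary traffic.
SAMPLE_LOG = """
2024-01-01 09:05:10 198.51.100.7:443
2024-01-01 09:10:12 198.51.100.7:443
2024-01-01 09:15:09 198.51.100.7:443
2024-01-01 09:35:11 198.51.100.7:443
2024-01-01 09:55:13 198.51.100.7:443
2024-01-01 10:15:10 198.51.100.7:443
2024-01-01 09:07:00 203.0.113.5:443
2024-01-01 09:31:00 203.0.113.5:443
2024-01-01 09:58:00 203.0.113.5:443
"""

SYNC_OK = timedelta(minutes=20)    # interval after a successful sync
SYNC_RETRY = timedelta(minutes=5)  # interval after a failed sync
TOLERANCE = timedelta(seconds=30)  # jitter tolerated around each interval


def parse_log(text):
    """Return {destination: [sorted datetimes]} from 'YYYY-MM-DD HH:MM:SS dest' lines."""
    by_dest = defaultdict(list)
    for line in text.strip().splitlines():
        date, clock, dest = line.split()
        by_dest[dest].append(datetime.fromisoformat(f"{date} {clock}"))
    return {dest: sorted(stamps) for dest, stamps in by_dest.items()}


def matches_scout_cadence(timestamps, min_hits=3):
    """True if at least min_hits consecutive gaps are ~20 min or ~5 min apart."""
    gaps = [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]
    hits = sum(
        1 for g in gaps
        if abs(g - SYNC_OK) <= TOLERANCE or abs(g - SYNC_RETRY) <= TOLERANCE
    )
    return hits >= min_hits


def find_beaconing_destinations(text):
    """Return destinations whose connection gaps fit the timer pattern above."""
    return sorted(d for d, ts in parse_log(text).items() if matches_scout_cadence(ts))


if __name__ == "__main__":
    print(find_beaconing_destinations(SAMPLE_LOG))  # → ['198.51.100.7:443']
```

Tune TOLERANCE and min_hits to the log's timestamp resolution; a regular 20-minute interval is a cue for investigation, not proof of infection.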
How to test the agent
Consider this recap as the starting point for all your tests. We are always referring to the first stage of the agent (Scout), using a silent installer. Remember that the silent installer should never be sent to the target as is; one of your field operators must run it directly on the target computer:
- prepare a clean system with no other agent installed;
- double-click on the silent installer;
- wait until the end of the agent installation (30 seconds should be enough).
At this point you can leave the session open, log off or even restart the machine; the agent will run and will restart at every user login.
In order to troubleshoot if the process is running, consider that:
- the task manager shows the process with the original name (which obviously can be changed as you wish) until the first logoff/reboot;
- the task manager shows the process with the disguised name for all the following sessions.
Every time the agent is started (directly or automatically), the first synchronization happens if:
- the agent is running (check via task manager);
- you wait for at least 5/6 minutes (with or without user interaction);
- you interact with the system pressing keys or moving the mouse;
- the target computer can reach the IP address configured during the agent build.
After that, other synchronizations occur every 20 minutes.
A recap to some common concerns:
- the 5 minutes interval and the user interaction are in place in order to allow the agent to avoid AV software detection;
- if you want to delete the silent
installer, you can just log off, log on again and then delete it,
otherwise you should use another vector like the self-deleting
- the agent will not run on virtual machines; this has been the standard behaviour since the beginning of the product. If you succeeded in running it on a VM, it was probably because the agent was not able to recognize it;
- rebooting before the agent ends its installation (30 seconds max) is not a common scenario, because the silent installer must be used only by your field operator, who can be instructed to wait long enough;
- the Scout is just an "explorer" that checks whether the system can be safely infected with the other stages, so it is not intended to collect relevant data from the target machine.