FireEye Enterprise Security as Antivirus #322

Open
matthias-schlimm opened this issue Aug 3, 2021 · 1 comment

@matthias-schlimm

Installing Agents Using a Golden or Master Image

You can use a master or golden image to deploy the FireEye Endpoint Security software to
multiple physical or virtual host endpoints in your enterprise. When you install the
FireEye Endpoint Security software on an endpoint, the agent creates a private key, using
information from the endpoint, to encrypt and decrypt all agent data. After installation,
agent services will not start unless the private key is decrypted and matches the
information on the endpoint where the agent was installed.

A unique agent ID must also be created for each endpoint on which the golden or master
image is deployed. Otherwise, all of the endpoints deployed using that image will
provision with the Endpoint Security Server using the same agent ID, causing a cloned
agent problem in your Endpoint Security environment.

Endpoint Security Agent Deployment Guide, Release 32.30.0, CHAPTER 7: Installing the Agent Installation Package, Installing Agents Using a Golden or Master Image (© 2020 FireEye)

IMPORTANT: For the Endpoint Security Server and Endpoint Security Agent
software to communicate properly, each host endpoint must be assigned a
unique agent ID. If the Endpoint Security Server reports the presence of cloned
agents in your Endpoint Security environment, read "Resolving Cloned
Agents" in the Endpoint Security Server User Guide.

This section describes how to use a golden or master image to install the Windows or
Linux agent software to multiple physical or virtual host endpoints and ensure a private
key and a unique agent ID are created for each agent.

NOTE: Windows agent support for master or golden images is provided in
FireEye Endpoint Security Agent version 20 or later versions.
Linux agent support for master or golden images is provided in FireEye
Endpoint Security Agent version 25 or later.

Installing Windows Agents Using a Golden or Master Image

Follow the steps in this section on the Windows system that you are preparing to use as a
golden image that can deploy the FireEye Endpoint Security Agent software to multiple
physical or virtual host endpoints.

These instructions are only required if you are using Sysprep, or something similar, for
your golden image. If you are not using Sysprep, then you can just use INSTALLSERVICE=2
to install the agent.

To use a master or golden image to install the agent software on your Windows
endpoint:

  1. Extract the msi file and agent_config.json file to a directory.
  2. Install the agent with the INSTALLSERVICE=2 option.

    ```
    msiexec /i INSTALLSERVICE=2
    ```

    By selecting option 2, you are installing the agent in service mode and preventing
    the agent from automatically starting the agent service after installation. If you do
    not use option 2, all of the endpoints deployed using the golden or master image
    will report to the Endpoint Security server using the same agent ID.
  3. In the directory where you extracted the msi file and the agent_config.json file, create
    a file called setupSchTasks.cmd and add the following text to that file:

    ```
    rem Set the xagt service to demand start through a one-shot SYSTEM task
    schtasks /create /ru SYSTEM /sc ONSTART /TN "FireEye\Configure xAgent" /tr "cmd.exe /c sc config xagt start= demand"
    schtasks /run /TN "FireEye\Configure xAgent"
    schtasks /delete /TN "FireEye\Configure xAgent" /f
    echo "Delete the agent cryptographic keys"
    rd /s /q C:\ProgramData\FireEye\xagt\xacs
    del C:\ProgramData\FireEye\xagt\main.db
    rem Stage the files that the first-boot provisioning task needs
    copy agent_config.json c:\ProgramData\FireEye
    copy ProvisionxAgt.cmd C:\ProgramData\FireEye
    rem Register the provisioning task that runs as SYSTEM at startup
    schtasks /create /ru SYSTEM /sc ONSTART /TN "FireEye\Provision xAgent" /tr "c:\ProgramData\FireEye\ProvisionxAgt.cmd"
    ```

  4. In the same directory, create a file called ProvisionxAgt.cmd, add the following text
    to the file, and save it with ASCII encoding:

    ```
    @echo off
    rem Import the agent configuration with the xagt.exe that matches the OS architecture
    IF ".%PROCESSOR_ARCHITECTURE%"==".AMD64" (
    "C:\Program Files (x86)\FireEye\xagt\xagt.exe" -i "C:\ProgramData\FireEye\agent_config.json"
    ) ELSE (
    "C:\Program Files\FireEye\xagt\xagt.exe" -i "C:\ProgramData\FireEye\agent_config.json"
    )
    rem Switch the service to automatic start and start it
    sc config xagt start= auto
    sc start xagt
    rem Remove the one-shot task and the staged files
    schtasks /delete /TN "FireEye\Provision xAgent" /f
    del "C:\ProgramData\FireEye\agent_config.json"
    del "C:\ProgramData\FireEye\ProvisionxAgt.cmd"
    ```

  5. At the command prompt, run the setupSchTasks.cmd file as an administrator.

You can now use this system as a golden image. When the system boots for the first time,
the scheduled task ProvisionxAgt.cmd runs. This task starts the provisioning process and
will provision all systems deployed for the golden image.

If you reboot your golden image to update it, then you must uninstall the agent and use the
above steps to reinstall it.
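
As an added example (not part of the original comment or the FireEye guide), the following PowerShell check can be run on the golden image after setupSchTasks.cmd and before the image is captured, to confirm the state the steps above are meant to leave behind. It uses only the paths, service name and task names from those steps; the accepted spellings of the SYSTEM principal are an assumption.

```powershell
# Added example: pre-capture check for a golden image prepared with setupSchTasks.cmd.
# Paths, service name and task names are taken from the steps above.
$dataDir = 'C:\ProgramData\FireEye'
$checks  = [ordered]@{}

# Per-host key material and the agent database must be gone, otherwise
# every clone inherits them and provisions with the same agent ID.
$checks['xacs key directory removed'] = -not (Test-Path "$dataDir\xagt\xacs")
$checks['main.db removed']            = -not (Test-Path "$dataDir\xagt\main.db")

# Files the first-boot task needs must be staged.
$checks['agent_config.json staged']   = Test-Path "$dataDir\agent_config.json"
$checks['ProvisionxAgt.cmd staged']   = Test-Path "$dataDir\ProvisionxAgt.cmd"

# The service must be installed, stopped and set to demand start
# (Win32_Service reports demand start as 'Manual').
$svc = Get-CimInstance Win32_Service -Filter "Name='xagt'" -ErrorAction SilentlyContinue
$checks['xagt service installed']     = [bool]$svc
$checks['xagt start type is demand']  = [bool]($svc -and ($svc.StartMode -eq 'Manual'))
$checks['xagt service not running']   = [bool]($svc -and ($svc.State -eq 'Stopped'))

# The one-shot "Configure xAgent" task must be deleted; the "Provision xAgent"
# task must exist, run as SYSTEM and point at the staged script.
$conf = Get-ScheduledTask -TaskPath '\FireEye\' -TaskName 'Configure xAgent' -ErrorAction SilentlyContinue
$prov = Get-ScheduledTask -TaskPath '\FireEye\' -TaskName 'Provision xAgent' -ErrorAction SilentlyContinue
$systemNames = 'SYSTEM', 'NT AUTHORITY\SYSTEM', 'S-1-5-18'   # assumed spellings
$checks['Configure xAgent task removed']    = -not $conf
$checks['Provision xAgent task present']    = [bool]$prov
$checks['Provision xAgent runs as SYSTEM']  = [bool]($prov -and ($prov.Principal.UserId -in $systemNames))
$checks['Provision task runs staged script'] =
    [bool]($prov -and ($prov.Actions[0].Execute -like '*ProvisionxAgt.cmd*'))

# Report each check and return the number of failures as the exit code.
$failed = 0
foreach ($name in $checks.Keys) {
    if ($checks[$name]) { Write-Output "PASS  $name" }
    else                { Write-Output "FAIL  $name"; $failed++ }
}
exit $failed
```

Any FAIL line means the image should not be captured yet; a non-zero exit code lets an image build pipeline stop on it.
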
@Richgang18

For sale?
