Using Application Behavior Investigation on the Remote Agent


The application behavior investigation process on the remote agent is a nonintrusive mechanism. The agent continues to function normally while all normal agent interaction occurs. The only difference is that while an investigation is running on the selected agent, all interaction regarding the application being monitored is logged for further reporting and investigation at the central management console after the job is concluded.

The sample investigative process for this scenario watched winword.exe. While the job was running on the selected agent system, an individual fully exercised the application through all the desired functions, including reading and writing files to specific directories (see Figure 11-4). Features such as printing, importing, network access, and so on remained available.

Figure 11-4. Normal Agent Interaction


Also, recall that during the configuration of the analysis job, you had to decide whether the policies on the endpoint would be enforced during the analysis, which could prevent the process from certain system interactions during the investigation. If you chose to leave restrictive policies enabled and they affected the usability of this application, you might not have received a complete view of the resources the application requires, because any resource access that was prevented would not appear in the analysis report. This does not mean you should always disable policies during an investigation, however, because investigations are commonly run on applications that are not yet trusted and could negatively impact the security of your network.

The application behavior investigation process creates several associated files on the local agent system, as shown in Figure 11-5. These files are located in the \CSAgent\log\ directory and are named according to the CSA MC analysis job name with various file extensions.

Figure 11-5. Local Files Created During the Investigation


Other than the files created on the local agent and a few entries in the \CSAgent\log\csalog.txt file, there is no real indication on the endpoint that an investigation is occurring. A few event log entries on the CSA MC provide insight into the investigation. These entries, shown in Figure 11-6, are as follows:

  • "Logging for <analysis name> has started": This entry in the event log denotes that the agent has received the analysis request and is about to begin collecting data.

  • "Logging for <analysis name> has ended": This entry in the event log indicates that the agent has completed the investigative process.

  • "Log files for <analysis name> were sent to the analysis workstation": This event is entered into the event log when the remote agent has completed the analysis and the files have been transmitted to the CSA MC.

  • "Logging ended without collecting data for analysis <job name>": This indicates that the investigation was unsuccessful and typically means the application was not executed during the available time slot. You may need to verify time synchronization, the application class definition, and the availability of the remote agent, in addition to other factors.

Figure 11-6. Associated Event Log Entries
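Because the only sign of a failed investigation is the "Logging ended without collecting data" event on the CSA MC, it is worth checking the event log for that message rather than waiting for a report that never arrives. The following is an added example, not code from the book or from Cisco: it folds the four event messages described above into a per-job outcome. The line layout (timestamp and host prefix) and the sample events are constructed assumptions, since the CSA MC export format is not shown on this page.

```python
import re
from collections import defaultdict

# Patterns for the four CSA MC event messages listed above. Only the message
# text is matched, so any timestamp/host prefix the export adds is ignored.
_PATTERNS = {
    "started": re.compile(r"Logging for (?P<name>.+?) has started"),
    "ended": re.compile(r"Logging for (?P<name>.+?) has ended"),
    "sent": re.compile(r"Log files for (?P<name>.+?) were sent to the analysis workstation"),
    "no_data": re.compile(r"Logging ended without collecting data for analysis (?P<name>.+)$"),
}


def parse_event(line):
    """Return (status, analysis_name) for a recognised CSA MC event line, else None."""
    for status, pattern in _PATTERNS.items():
        match = pattern.search(line.rstrip())
        if match:
            return status, match.group("name").strip()
    return None


def summarize_jobs(lines):
    """Map each analysis job name to 'complete', 'no_data' or 'incomplete'.

    complete   = agent reported the job ended AND the log files reached the MC
    no_data    = the job ended without collecting data (investigation failed)
    incomplete = started but neither of the above has been logged yet
    """
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_event(line)
        if parsed:
            status, name = parsed
            seen[name].add(status)
    outcome = {}
    for name, statuses in seen.items():
        if "no_data" in statuses:
            outcome[name] = "no_data"
        elif {"ended", "sent"} <= statuses:
            outcome[name] = "complete"
        else:
            outcome[name] = "incomplete"
    return outcome


# Constructed sample events; the prefix format is an assumption.
SAMPLE_EVENTS = [
    "2005-03-14 09:00:01 csamc01 Logging for winword_analysis has started",
    "2005-03-14 09:30:02 csamc01 Logging for winword_analysis has ended",
    "2005-03-14 09:30:05 csamc01 Log files for winword_analysis were sent to the analysis workstation",
    "2005-03-14 10:00:00 csamc01 Logging for excel_analysis has started",
    "2005-03-14 10:30:00 csamc01 Logging ended without collecting data for analysis excel_analysis",
    "2005-03-14 11:00:00 csamc01 Logging for notepad_analysis has started",
]

if __name__ == "__main__":
    for job, result in sorted(summarize_jobs(SAMPLE_EVENTS).items()):
        print(f"{job}: {result}")
```

Jobs reported as no_data are the ones to re-check for time synchronization, application class definition and agent availability before re-running the investigation.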




    Cisco Security Agent
    ISBN: 1587052059
    Year: 2005
    Pages: 145
    Authors: Chad Sullivan
