Endpoint Monitor & Scan

The Endpoint Monitor is the Insight Agent running in scan mode: instead of running on each asset, it runs on the Collector and queries assets across the network. It collects the same data as the Insight Agent in persistent mode (processes, local accounts, event log deletions), but it is not real time; it runs approximately once per hour and cannot see systems that leave the network.

Because it only samples assets on a schedule, the Endpoint Monitor and Scan also cannot detect the following:

  • exploit mitigated
  • honey file accessed
  • local honey credential privilege escalation attempt
  • protocol poisoning detected
  • remote file execution detected

Preparing Collectors for Endpoint Scanning

For endpoint scanning, a Collector can be configured with only one endpoint scanning credential. Therefore, if you have multiple domains or other requirements for separate credentials that need to be used for scanning different endpoint ranges, you should plan on a separate Collector for each domain/set of credentials. If you have a firewall or web proxy that restricts outgoing connections, you need to grant permission for the Collector to be able to connect to the backend servers. You will also need to prepare Service Accounts.

Read specific instructions on how to configure endpoint scanning in Setting up the Endpoint/Asset Scan.

Bandwidth impact

For most environments, there is no noticeable bandwidth impact because the scanner enforces a 30-minute cool-down period between scans. Since a typical scan takes between 30 and 60 minutes, each asset is generally scanned only once every hour or two. In extremely low-bandwidth environments, bandwidth can still be a consideration: the Endpoint Scan transfers about 300kb per asset per scan to gather endpoint information, and a deployed Endpoint Scan adds a further 10MB transfer per scan. For environments with tight bandwidth constraints, it may be preferable to turn off the Endpoint Scan functionality.

  IPs / CPU          Time between scans of each endpoint
  1-16,000           1 hour per scan
  16,000-32,000      2.5 hours per scan
  32,000-64,000      5-8 hours per scan

Scanning with multiple endpoint/asset scans

For some network topologies, it makes sense to configure multiple Endpoint/Asset Scans that share responsibility for scanning the entire network. A single Collector can handle about 16,000 scanned endpoints per CPU it has available, so for very large deployments multiple Endpoint/Asset Scans should be configured to split up the work. The number of IPs scanned per CPU is determined by the IP ranges defined in the endpoint monitor configuration at https://insight.rapid7.com.

For the Endpoint/Asset Scan to work, the Collector must be able to establish a WMI (Windows) or SSH (Mac) connection to the endpoints, and the endpoints must be able to initiate a connection back to the Collector on a port in the 20000-30000 range. Firewall rules may therefore require more than one Endpoint/Asset Scan so that every endpoint can be reached by, and can reach back to, its scan's Collector.

Each Collector hosts only one scanner per OS type, so a Collector is configured with at most one Windows and one Macintosh Endpoint Scan. To deploy multiple Endpoint Scans of the same OS type across a network, set up a separate Collector host machine for each.

Windows and Linux collectors can be used to host Windows and Mac Endpoint Scans.

Warning!

You may accidentally configure the endpoint monitor to scan too many assets. Be cautious with /8 and /16 subnets.

Troubleshooting

Endpoint and Collector Requirements:

  1. All collectors must be
  2. Each Collector can contain no more than one set of endpoint credentials. For example, if you have two sets of endpoint credentials, you must have at least two Collectors.
  3. Endpoint credentials should include the domain in addition to the username, e.g. domain\username.
  4. All endpoints need to be able to communicate back to the Collector via TCP on the following Collector ports:
    • 5508
    • 6608
    • range 20,000 - 30,000
  5. Overlapping endpoint monitoring ranges are not allowed. IP addresses or IP ranges defined on Collector A must not be duplicated on Collector B. If such an overlap exists, it should be corrected as soon as possible.
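The following Python script is an added example, not part of the Rapid7 documentation or the Collector itself. It checks a planned endpoint monitor configuration against the rules above before it is entered in the console: it counts the IPs assigned to each Collector, flags ranges at /16 or broader (the page warns about /8 and /16), reports ranges that overlap across Collectors, and maps IPs per CPU onto the sizing table earlier on this page. The Collector names, IP ranges and CPU counts are constructed for the example; the 16,000 IPs per CPU figure and the interval table come from the page.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample: Collector name -> IP ranges as they would be entered in the
# endpoint monitor configuration (CIDR, single IP, or dashed range are accepted).
SAMPLE_CONFIG: Dict[str, List[str]] = {
    "collector-a": ["10.1.0.0/16", "10.2.10.0/24"],
    "collector-b": ["10.2.10.128/25", "192.168.50.0/24"],
    "collector-c": ["172.16.0.0/12"],
}
# Constructed CPU counts for the same Collectors (assumed values for the example).
SAMPLE_CPUS: Dict[str, int] = {"collector-a": 4, "collector-b": 2, "collector-c": 8}


def parse_ranges(ranges: List[str]) -> List[ipaddress.IPv4Network]:
    """Expand '10.1.0.0/16', '10.1.1.5' or '10.1.1.1-10.1.1.50' into networks."""
    nets: List[ipaddress.IPv4Network] = []
    for entry in ranges:
        entry = entry.strip()
        if "-" in entry:
            lo, hi = (ipaddress.IPv4Address(x.strip()) for x in entry.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            nets.append(ipaddress.IPv4Network(entry, strict=False))
    return nets


def count_ips(ranges: List[str]) -> int:
    """Total addresses a Collector would scan for the given ranges."""
    return sum(net.num_addresses for net in parse_ranges(ranges))


def large_subnets(config: Dict[str, List[str]], max_prefix: int = 16) -> List[Tuple[str, str]]:
    """Ranges at /16 or broader, which the page warns can scan far too many assets."""
    return [(name, str(net)) for name, ranges in config.items()
            for net in parse_ranges(ranges) if net.prefixlen <= max_prefix]


def find_overlaps(config: Dict[str, List[str]]) -> List[Tuple[str, str, str, str]]:
    """Pairs of ranges on different Collectors that cover the same addresses."""
    owned = [(name, net) for name, ranges in config.items() for net in parse_ranges(ranges)]
    hits = []
    for i, (name1, net1) in enumerate(owned):
        for name2, net2 in owned[i + 1:]:
            if name1 != name2 and net1.overlaps(net2):
                hits.append((name1, str(net1), name2, str(net2)))
    return hits


def ips_per_cpu(config: Dict[str, List[str]], cpus: Dict[str, int]) -> Dict[str, float]:
    """IPs each CPU must cover per scan, the figure the sizing table is keyed on."""
    return {name: count_ips(ranges) / cpus[name] for name, ranges in config.items()}


def expected_interval(load: float) -> str:
    """Map IPs per CPU onto the page's table of time between scans of each endpoint."""
    if load <= 16_000:
        return "about 1 hour"
    if load <= 32_000:
        return "about 2.5 hours"
    if load <= 64_000:
        return "5-8 hours"
    return "beyond documented sizing; add CPUs or split across more Endpoint Scans"


if __name__ == "__main__":
    for name, load in ips_per_cpu(SAMPLE_CONFIG, SAMPLE_CPUS).items():
        print(f"{name}: {count_ips(SAMPLE_CONFIG[name])} IPs, {load:.0f} per CPU -> {expected_interval(load)}")
    for name, net in large_subnets(SAMPLE_CONFIG):
        print(f"WARNING {name}: {net} is /16 or broader, confirm it is intended")
    for n1, r1, n2, r2 in find_overlaps(SAMPLE_CONFIG):
        print(f"OVERLAP {n1} {r1} <-> {n2} {r2}: ranges must not be duplicated across Collectors")
```

Run the script with your own ranges in place of the constructed ones; any OVERLAP line must be resolved before the Collectors are deployed, and a load above 64,000 IPs per CPU means the work should be split across more Endpoint Scans.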

If you do not see endpoints returning logs from their scans or from the Insight Agents, first confirm that all ports are available as expected. If the external firewall and web proxies are configured correctly, check a sample endpoint for agent log files. For the agent in scan mode, there should be a Rapid7 folder in either:

  • C:\Windows\Temp\, or
  • C:\Users\\AppData\Local\Temp\

For the Insight Agent installed and working in "persistent mode," the Rapid7 folder should be found in c:\program files(x86)\

Inside the Rapid7 folder, look for the following three files and, if available, send them to engineering for review:

  • agent.log
  • config.json
  • powershell.log

Scan Log Results

At the end of each scan, the endpoint monitor reports the results of the scan in the collector.log. Look for entries similar to the following:

2015-08-24 17:03:04.943 INFO win-endpoint-monitor-scheduled-scan-00 com.rapid7.razor.collector.endpointmonitor.AbstractEndpointMonitorDataSource:203 - bulk scan total statistics for all ranges: BulkAssetScanStatistics{totals=ScanStatistics{success=192, domainController=2, unavailable=70570, error=324, badCredential=13, timedOut=187, ipsScanned=71086}, totalScanTime=13435777}
2015-08-24 17:03:04.943 WARN win-endpoint-monitor-scheduled-scan-00 com.rapid7.razor.collector.endpointmonitor.AbstractEndpointMonitorDataSource:224 - Failed to scan 10.1.150.108 and 123 other asset(s): com.rapid7.net.wmi.exception.WMIException: Message not found for errorCode: 0x80041003

Error Codes

  • unavailable means there was no machine listening on the IP that was attempted. There may be a firewall blocking the connection, that part of the network may be unreachable, or there may simply be no machine running on that IP address.
  • badCredential means there was an attempt to connect to the endpoint but the attempt was denied.
  • error means an error code was received from the endpoint during attempted communication.
  • timedOut means that a connection was established but no response was received.
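As an added example (not code from Rapid7 or the Collector), the following Python script reads the two kinds of collector.log lines shown above, the INFO line with the bulk scan statistics and the WARN line listing failed assets, and turns them into a short triage report. It parses the ScanStatistics counters, sorts the non-zero problem counters with the meanings given in the Error Codes list, and annotates any errorCode with the fix documented on this page (only 0x80041003 is documented, so only that one has a hint). The sample log text is constructed from the excerpt on this page; the hint texts and the assumption that collector.log is the input are the example's own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the collector.log excerpt on this page.
SAMPLE_LOG = """\
2015-08-24 17:03:04.943 INFO win-endpoint-monitor-scheduled-scan-00 com.rapid7.razor.collector.endpointmonitor.AbstractEndpointMonitorDataSource:203 - bulk scan total statistics for all ranges: BulkAssetScanStatistics{totals=ScanStatistics{success=192, domainController=2, unavailable=70570, error=324, badCredential=13, timedOut=187, ipsScanned=71086}, totalScanTime=13435777}
2015-08-24 17:03:04.943 WARN win-endpoint-monitor-scheduled-scan-00 com.rapid7.razor.collector.endpointmonitor.AbstractEndpointMonitorDataSource:224 - Failed to scan 10.1.150.108 and 123 other asset(s): com.rapid7.net.wmi.exception.WMIException: Message not found for errorCode: 0x80041003
"""

# Meaning of each problem counter, as described in the Error Codes list on this page.
COUNTER_HINTS = {
    "unavailable": "nothing listening on the IP: firewall, unreachable segment, or no host",
    "error": "endpoint returned an error code: check the WARN lines for the code",
    "timedOut": "connection made but no response: check return ports 5508, 6608 and 20000-30000",
    "badCredential": "connection made but credential denied: check domain\\username and WMI permissions",
}
# The only error code this page documents, with the fix it gives.
ERROR_CODE_HINTS = {
    "0x80041003": "endpoint does not allow remote WMI queries: grant Execute Methods, "
                  "Enable Account and Remote Enable on root\\CIMV2 for the scan credential",
}

# 'totals=' anchors the match so the outer BulkAssetScanStatistics{ brace is skipped.
STATS_RE = re.compile(r"totals=ScanStatistics\{([^}]*)\}.*?totalScanTime=(\d+)")
FAIL_RE = re.compile(r"Failed to scan (\S+) and (\d+) other asset\(s\): (\S+?): (.*)$")
CODE_RE = re.compile(r"errorCode: (0x[0-9A-Fa-f]+)")


def parse_scan_statistics(line: str) -> Optional[Dict[str, int]]:
    """Turn the INFO summary line into a dict of counters; None for any other line."""
    m = STATS_RE.search(line)
    if not m:
        return None
    stats: Dict[str, int] = {}
    for pair in m.group(1).split(","):
        key, value = pair.split("=")
        stats[key.strip()] = int(value)
    stats["totalScanTime"] = int(m.group(2))  # unit is not documented on the page
    return stats


def parse_failure(line: str) -> Optional[Dict[str, object]]:
    """Turn a 'Failed to scan ...' WARN line into a record; None for any other line."""
    m = FAIL_RE.search(line)
    if not m:
        return None
    first_ip, others, exc_class, message = m.groups()
    code = CODE_RE.search(message)
    error_code = code.group(1) if code else None
    return {
        "first_ip": first_ip,
        "affected": 1 + int(others),          # the named asset plus the 'N other' assets
        "exception": exc_class,
        "error_code": error_code,
        "hint": ERROR_CODE_HINTS.get(error_code, "no fix documented for this code"),
    }


def triage(stats: Dict[str, int]) -> List[Tuple[str, int, str]]:
    """Non-zero problem counters as (counter, count, meaning), largest count first."""
    rows = [(k, stats.get(k, 0), COUNTER_HINTS[k]) for k in COUNTER_HINTS]
    return sorted((r for r in rows if r[1] > 0), key=lambda r: -r[1])


def summarize(log_text: str) -> Dict[str, object]:
    """Scan a collector.log excerpt and return statistics, failures and triage rows."""
    stats: Optional[Dict[str, int]] = None
    failures: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        parsed = parse_scan_statistics(line)
        if parsed is not None:
            stats = parsed      # keep the most recent scan's totals
            continue
        failure = parse_failure(line)
        if failure is not None:
            failures.append(failure)
    return {"stats": stats, "failures": failures, "triage": triage(stats) if stats else []}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("scan totals:", report["stats"])
    for counter, count, meaning in report["triage"]:
        print(f"{counter:>14} {count:>7}  {meaning}")
    for f in report["failures"]:
        print(f"{f['affected']} asset(s) from {f['first_ip']} failed with {f['error_code']}: {f['hint']}")
```

Point `summarize` at the text of a real collector.log (for example `summarize(open(path).read())`) after a scan completes; the triage rows show at a glance whether the problem is reachability (unavailable, timedOut) or authorization (badCredential, 0x80041003), which decides whether to look at firewall rules or at the WMI namespace permissions described below.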

0x80041003

An endpoint returning error 0x80041003 means that the endpoint does not allow remote WMI queries. To fix this, do the following:

  1. On the endpoint either run wmimgmt or go to Computer Management under Administrative Tools.
  2. Next, right click WMI Control (Local), go to Properties, go to the Security tab.
  3. Open root and highlight CIMV2.
  4. Click Security and add the credential you configured in the endpoint monitor.
  5. Make sure to grant:
    • Execute Methods
    • Enable Account
    • Remote Enable
