Technical details on Windows agent

Installation and uninstallation of the agent

The Windows installation package comes in the form of an .msi file. This package follows Microsoft's official recommendations for creating installation files.

The agent MSI is generated directly from the Cyberwatch interface, using the Windows agent creation form. The MSI embeds the configuration selected in that form, such as the architecture type, groups, Cyberwatch instance URL…

It is also possible to get the installers directly through these download links:

Once the agent is installed, a program is added to the list of programs and features available through the control panel.

The MSI can be installed with a simple “double click” on the file, like any other installation file. For bulk deployment, the agent supports official Microsoft deployment methods such as GPOs, as well as any other deployment mechanism using third-party solutions (e.g. SCCM, Chocolatey…).

Uninstalling the Cyberwatch agent also follows official Microsoft recommendations. The agent can be uninstalled from the list of programs and features of the control panel.

How the agent works

On Windows systems, agent installation will create a service named CyberwatchAgent.service and a directory C:\Program Files\CYBERWATCH SAS\CyberwatchAgent\.

This directory contains the following elements:

  • a logs/ directory gathering the agent logs in two separate files:
    • a file agent.log for the agent execution logs;
    • a file service.log for the service execution logs;
  • the file agent.conf, which contains the agent configuration information (URL, API keys…);
  • the executable file cyberwatch-agent.exe, the agent program itself;
  • the executable file CyberwatchService.exe, used for the service creation;
  • a PowerShell script launcher.ps1, called by the service and responsible for launching the file cyberwatch-agent.exe.

The service CyberwatchService is executed every 5 minutes and triggers the communication of the agent with the Cyberwatch scanner to which it is registered, based on the URL configured in the file agent.conf.

When communicating with the Cyberwatch server, the agent simply sends a request to the Cyberwatch API and fetches the tasks, if any, that have to be performed on the asset (e.g. launch a scan, deploy a patch…).
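
The layout above doubles as an integrity baseline: launcher.ps1 and the two executables are run by the service, so write access for any non-administrative account is worth flagging. The following PowerShell audit is an added example, not Cyberwatch code; the trusted SID list and the function name Get-AgentDirFinding are assumptions.

```powershell
# Added audit example, not Cyberwatch code. Run from an elevated PowerShell prompt.
$Expected = 'agent.conf', 'cyberwatch-agent.exe', 'CyberwatchService.exe', 'launcher.ps1'

# SIDs allowed to modify the agent files (assumed baseline, adjust to yours):
# SYSTEM, BUILTIN\Administrators, CREATOR OWNER, TrustedInstaller.
$TrustedSids = 'S-1-5-18', 'S-1-5-32-544', 'S-1-3-0',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'

# Rights that allow changing or replacing a file, plus GENERIC_WRITE and GENERIC_ALL,
# which Get-Acl reports as raw numbers on some inherited entries.
$WriteBits = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x40000000 -bor 0x10000000

function Get-AgentDirFinding {
    param([string]$AgentDir = 'C:\Program Files\CYBERWATCH SAS\CyberwatchAgent')

    if (-not (Test-Path -LiteralPath $AgentDir -PathType Container)) {
        return [pscustomobject]@{ Path = $AgentDir; Issue = 'directory missing'; Sid = $null }
    }
    # 1. Every file listed in the documentation should be present.
    foreach ($name in $Expected) {
        $file = Join-Path $AgentDir $name
        if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
            [pscustomobject]@{ Path = $file; Issue = 'expected file missing'; Sid = $null }
        }
    }
    # 2. No untrusted principal should hold write-type rights on the directory or its content.
    $targets = @($AgentDir) + @(Get-ChildItem -LiteralPath $AgentDir -Recurse -Force |
        ForEach-Object { $_.FullName })
    foreach ($path in $targets) {
        # Ask for SIDs rather than account names so the check works on localized systems.
        $rules = (Get-Acl -LiteralPath $path).GetAccessRules(
            $true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if ($TrustedSids -contains $rule.IdentityReference.Value) { continue }
            if (([int]$rule.FileSystemRights -band $WriteBits) -ne 0) {
                [pscustomobject]@{ Path = $path; Issue = "writable: $($rule.FileSystemRights)"
                                   Sid = $rule.IdentityReference.Value }
            }
        }
    }
}

Get-AgentDirFinding | Format-Table -AutoSize -Wrap
```

An empty result means all four files exist and only the trusted SIDs can modify them. The check covers write access only; because agent.conf holds API keys, read access to it is worth reviewing separately.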

Agent updates

Cyberwatch regularly publishes agent updates. These changes are all listed in the changelog of the Cyberwatch agent.

These updates can include, for example, performance improvements or new features related to the installation and operation of the agent.

These updates are not linked to the Cyberwatch application updates: an older agent version that has not been updated will still work with upcoming Cyberwatch versions (unless specifically indicated). Cyberwatch still recommends updating installed agents whenever possible.

To update the Windows agent, simply reinstall the MSI package over the existing installation. The new agent version will then replace the version previously present on the system. These updates can also be performed using the bulk deployment methods mentioned above.

Please note that if the agent update is done after a management server change, all the elements that belong to the previously installed agent must be deleted before installing the new Cyberwatch agent, to avoid configuration issues. The following elements have to be deleted:

  • those found in C:\Program Files\CYBERWATCH SAS\CyberwatchAgent;
  • the associated registry keys.

Deploy the agent via GPO (optional)

This procedure has been tested on a Windows 2019 server; details may vary according to the version used. On this page, we use the more common term GPO for the Group Policy Preferences (GPP) to be defined.

The following procedure can be used to install the Cyberwatch agent using a GPO and the task scheduler to avoid restarting your assets:

  1. Download the Cyberwatch agent MSI file from Assets Management > Agents > Add.

  2. Create a shared folder to store the Cyberwatch agent MSI file and the deployment batch script.

    The content of the script (.bat file) is as follows (adjust the script with the path to the MSI file):

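     @ECHO OFF
     REM Install the Cyberwatch agent only if its executable is not already present.
     if EXIST "C:\Program Files\CYBERWATCH SAS\CyberwatchAgent\cyberwatch-agent.exe" (
         echo "Cyberwatch Agent is present"
     ) else (
         REM /qn = no user interface, /i = install the given package
         msiexec /qn /i "\\Server\PathTo\cyberwatch_agent-x64.msi"
     )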
    

    This script checks the presence of the Cyberwatch agent on the machine and silently installs it if it is not installed.

  3. On your Domain Controller server, open Group Policy Management and create a GPO under your domain.

  4. Edit the newly created GPO to open the Group Policy Management Editor.

  5. Under “Computer Configuration > Preferences > Control Panel Settings > Scheduled Tasks”, create a new scheduled task (At least Windows 7) with the following configuration:

    • General tab: give the task a name and use the “NT AUTHORITY\System” account when running the task.
    • Triggers tab: add a trigger according to your preferences.
    • Actions tab: add a “Start a program” action and select the .bat file created earlier.
  6. Link the GPO to an OU or to your domain from Group Policy Management.

Once the GPO is applied to the clients, a scheduled task is created to run the deployment script.
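
Because the scheduled task runs as NT AUTHORITY\System, whatever sits on the share at run time is installed with full privileges, so the share should be writable by administrators only. The following PowerShell variant of the batch script is an added example, not Cyberwatch code: it pins the SHA-256 of the MSI and installs a local copy only on a match. The placeholder hash, the function name Install-AgentIfTrusted and starting it from the task with powershell.exe -File are assumptions.

```powershell
# Added example (not Cyberwatch code): install the agent only if the MSI matches a pinned hash.
$ErrorActionPreference = 'Stop'

$MsiShare    = '\\Server\PathTo\cyberwatch_agent-x64.msi'   # same path as in the batch script
$AgentExe    = 'C:\Program Files\CYBERWATCH SAS\CyberwatchAgent\cyberwatch-agent.exe'
# Placeholder: replace with the SHA-256 of the MSI you generated, e.g. from
# (Get-FileHash .\cyberwatch_agent-x64.msi -Algorithm SHA256).Hash on a trusted machine.
$ExpectedSha = '<SHA256-OF-YOUR-MSI>'

function Install-AgentIfTrusted {
    # Same presence check as the batch script.
    if (Test-Path -LiteralPath $AgentExe) { return 'present' }

    # Work on a local copy so that the file that is hashed is the file that is installed.
    $workDir = Join-Path $env:TEMP ([guid]::NewGuid().ToString())
    New-Item -ItemType Directory -Path $workDir | Out-Null
    $local = Join-Path $workDir 'cyberwatch_agent.msi'
    try {
        Copy-Item -LiteralPath $MsiShare -Destination $local
        $actual = (Get-FileHash -LiteralPath $local -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha) {
            # Do not install a package that differs from the one that was approved.
            return "hash-mismatch:$actual"
        }
        $proc = Start-Process -FilePath 'msiexec.exe' `
            -ArgumentList @('/qn', '/i', "`"$local`"") -Wait -PassThru
        # msiexec exit codes: 0 = success, 3010 = success, reboot required.
        if ($proc.ExitCode -in 0, 3010) { return 'installed' }
        return "msiexec-failed:$($proc.ExitCode)"
    }
    finally {
        Remove-Item -LiteralPath $workDir -Recurse -Force -ErrorAction SilentlyContinue
    }
}

$result = Install-AgentIfTrusted
Write-Output $result
# A non-zero exit code makes the failure visible in the scheduled task's last run result.
if ($result -notin 'present', 'installed') { exit 1 }
```

The pinned hash has to be updated whenever a new MSI is generated from the Cyberwatch interface, otherwise the script refuses to install it.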

