Troubleshooting
Users sometimes run into issues during agent installation. The most common issues are listed below, along with how to fix them.
Network Communication Problem: Commonly, access to the portal and ports has not been permitted on the network. Please double-check the permissions before installation.
Security Applications Problem: Sometimes the antivirus/EDR solutions can stop or block the agent services. Please make sure exclusions are provided.
The Portal Misconfigurations: Sometimes, during the deployment process, the parameters can be left empty. Please contact CyberCyte IT support for the solution.
The Agent Data Collection: If the agent is working but no data is coming to the portal, please check the policies and groups. Sometimes users can forget the policy assignment.
Checking the Portal: Sometimes users deploy the agent but it shows no notification on the machine, which leads them to think the agent was not installed properly. In that case, we suggest checking the portal after deployment. Please navigate to "Asset Management" -> "Endpoint Management" on the portal and check whether the device has appeared on the grid. If it has not, users should troubleshoot the problem.
If the agent installation is finished and further analysis is needed for troubleshooting, please navigate to this link below:
Once the agent is installed, two services are installed:
PMService: This service performs updates for the agent.
ICSFAgentService: This service executes all agent functions. When this service is restarted, the agent re-initiates artifact collection policies and registers itself to the server.
The files and folders below can be used for troubleshooting:
C:\Program Files\ICSFAgentService\logs\<>.txt: This is the main file used by the agent to write any exception.
C:\Program Files\ICSFAgentService\logs\<folder>: Every module and major artifact collector of the agent creates separate log files, which could be needed for Troubleshooting.
C:\Program Files\ICSFAgentService\debug.txt: When set to true and the ICSFAgentService is restarted, more detailed logging is enabled.
C:\Program Files\ICSFAgentService\ICSFAgentService.url.txt: The main URL used for agent-server communication is written here, in case it needs to be checked for troubleshooting.
C:\Program Files\ICSFAgentService\files\collector\<Collector Name>_<Logs/Results/Settings>.txt: Every artifact collection type creates three files under this folder. The settings, log and the last result are available for Troubleshooting.
C:\ProgramData\ICSFAgentService\PolicyExecutionTime.json: When LastExecutionTime is set to "", the collection can be initiated instantly.
C:\ProgramData\ICSFAgentService\Event Logs Collections: Security logs to be sent to the server are stored in this folder.
C:\ProgramData\ICSFAgentService\Sysmon Logs Collections: Sysmon logs to be sent to the server are stored in this folder.
C:\ProgramData\ICSFAgent\Thor\ThorPolicyExecutionTime.json: When LastExecutionTime is set to "", Thor collections can be started immediately.
C:\ProgramData\ICSFAgent\Sysmon Settings: Sysmon settings are stored in this folder.
C:\ProgramData\ICSFPackageManager: Software deployments are managed through this folder.
C:\ProgramData\PMService: Package manager settings are stored in this folder. The file is encrypted.
Also, please check the machine and server communication with ping, curl, or other tools.
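The Windows checks above can be run in one pass. The script below is an added example, not part of CyberCyte's own tooling; the service names and paths are the ones listed on this page, and it assumes ICSFAgentService.url.txt holds a single absolute http(s) URL as plain text.

```powershell
# Added triage example. Service names and paths are taken from this page.
$agentDir = 'C:\Program Files\ICSFAgentService'
$services = 'PMService', 'ICSFAgentService'

# 1. Both services should be installed and running.
foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "$name is not installed"; continue }
    '{0,-18} {1}' -f $svc.Name, $svc.Status
}

# 2. Read the server URL the agent uses and test TCP reachability to it.
#    Assumption: the file contains one absolute http(s) URL as plain text.
$urlFile = Join-Path $agentDir 'ICSFAgentService.url.txt'
if (Test-Path -LiteralPath $urlFile) {
    # The [string] cast turns an empty file ($null) into '' so Trim() is safe.
    $raw = ([string](Get-Content -LiteralPath $urlFile -Raw)).Trim()
    $uri = $null
    if ([Uri]::TryCreate($raw, [UriKind]::Absolute, [ref]$uri) -and
        $uri.Scheme -in 'http', 'https') {
        # $uri.Port falls back to the scheme default (80/443) when none is given.
        $tcp = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port `
                                  -WarningAction SilentlyContinue
        'Server {0}:{1} reachable: {2}' -f $uri.Host, $uri.Port, $tcp.TcpTestSucceeded
    } else {
        Write-Warning "Could not parse an http(s) URL from $urlFile"
    }
} else {
    Write-Warning "$urlFile not found"
}

# 3. List the most recently written log files (main log and per-module folders).
$logDir = Join-Path $agentDir 'logs'
if (Test-Path -LiteralPath $logDir) {
    Get-ChildItem -LiteralPath $logDir -Recurse -File |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 5 FullName, LastWriteTime, Length
} else {
    Write-Warning "$logDir not found"
}
```

A failed reachability result points back to the network permissions item at the top of this page; a stopped service with fresh entries in the logs points to the security application exclusions.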
To troubleshoot the agent, first check the status of the "CyberCyteAgent" with this command:
systemctl status cybercyte_linux_agent.service
-> This command shows the service status.
For further troubleshooting, we can check the logs in the /opt/CyberCyteAgent/logs directory, which contains both the collector and service logs under its directories.
cd /opt/CyberCyteAgent/logs
-> Navigate to the log files
/opt/CyberCyteAgent/CyberCyteAgent --version
-> Get the agent version
Also, please check the machine and server communication with ping, curl, or other tools.
/Library/Application Support/CyberCyteAgent/logs
-> For logs and temporary files
cd "/Library/Application Support/CyberCyteAgent/logs"
-> Navigate to the log files
/Library/Application Support/CyberCyteAgent
-> For config files, settings files, and files that are not temporary
/usr/local/bin/CyberCyteAgent
-> This is the executable of the agent
sudo /usr/local/bin/CyberCyteAgent --version
-> Get the agent version
ps -ef | grep /usr/local/bin/CyberCyteAgent
-> Check if the agent is running.
Also, please check the machine and server communication with ping, curl, or other tools.