Windows Installation
Pre-Requirements
The CyberCyte' s Windows agent is requires Microsoft .NET 4.7.2 or above version. Please download the latest .NET version with this link below:
MS .NET Framework Offical Website: https://dotnet.microsoft.com/en-us/download/dotnet-framework
If the agent will be run on the older devices, please check out the compatible operating systems with this link below:
MS .NET Framework Compatibility List: https://learn.microsoft.com/en-us/dotnet/framework/get-started/system-requirements
The CyberCyte Windows agent supports the Windows operating systems listed below:
Windows 10
Windows 11
Windows Server 2016
Windows Server 2019
Windows Server 2022
Windows Server 2025
The Agent Deployment
Go to "Settings & Reporting" -> "Deployment Settings", then click on "Download". The executable Windows agent should be started after that. Once it is downloaded, click to run the executable, and when it is done, the machine data will be added to the portal.
Once the agent is deployed, please check that the initial data is being populated. Initial Sysmon data can take up to 15-20 minutes to be available within the system based on the configured parameters. Autoruns, processes, inventory data, and device information are available for Windows agents.
For Single Executable to Install:
"<path_to_custom_exe>" --silent --reinstallOnProblem --install --versioncheck=true
For Single MSI to Install:
msiexec /i "<path_to_msi_package>" /qn /norestart REINSTALL_ON_PROBLEM=true URL="<URL>" PROXY_URL="<PROXY_URL>" PROXY_USERNAME="<PROXY_USERNAME>" PROXY_PASSWORD="<PROXY_PASSWORD>" /l*v "C:\ProgramData\install_log.txt
It automatically installs required applications and services on the client's machine.
PMService: Responsible for agent package updates and ensures agent service is running.
ICSFAgentService: Collects data from the client and executes actions. Monitored by PMService and started if stopped automatically.
After installing PM Service, it automatically connects your instances, downloads the Windows Agent installer, and executes the installation process. Because PM Service downloads Agent Installer from download.cloudcyte.com, please ensure that client devices can access this domain and download .exe files from here.
Note: Both applications require .NET SDK 4.6 or newer version
Checking Installation
After installation of the agent, the agent registers itself automatically with the server. Please go to Asset Management →Device Management→Agent to see the agent. It may take a couple of minutes to appear device on this screen.
Agents should be able to access CyberCyte Server on Port 443 and https://download.cloudcyte.com websites. If the agent is not shown here, please check access to the portal on the client first. If the entry is successful, please wait for communication interval settings.
Agent Path and Services
Services
PMService
PMService
ICSFAgentService
ICSFAgentService
Main Executables
ICSFAgentService.exe
C:\Program Files\ICSFAgentService\ICSFAgentService.exe
PMService.exe
C:\Program Files\PMService\PMService.exe
EndPointDataCollector.exe
C:\Program Files\ICSFAgentService\files\collector\EndPointDataCollector.exe
Note: Before starting the installation, please white list the below directories for the above three executables:
C:\ProgramData\PMService\ (and subdirectories)
In some cases, EDR/AV software does not allow directory-based whitelisting. In such a case, the below files should be permitted:
Sysmon Executable
C:\Windows\cyrthwinsys.exe
Sysmon Executable
C:\Windows<When-Other-Name-Used>.exe
ICSFAgentService.exe
C:\Program Files\ICSFAgentService\ICSFAgentService.exe
PMService.exe
C:\Program Files\PMService\PMService.exe
EndPointDataCollector.exe
C:\Program Files\ICSFAgentService\files\collector\EndPointDataCollector.exe`
Agent Installer Installed By PMService
C:\Program Files\PMService\packages\windows agent\latest\files\ICSFAgentSetup.exe
Permit: C:\Program Files\PMService\packages\windows agent\latest\files\
PM Installer Installed By Agent
C:\ProgramData\PMService\Temp\PMInstaller*.exe
Permit: C:\ProgramData\PMService\Temp\
Agent Installer Installed By PMService
C:\Program Files\PMService\files\windows agent\WindowsAgent.exe
PM Uninstaller
C:\ProgramData\ICSFPackageManager\PMUninstaller.exe
ICSF Uninstaller
C:\ProgramData\ICSFAgent\ICSFAgentUninstaller.exe
Autorunsc Tool
C:\Program Files\ICSFAgentService\files\ps\sysinternals\autorunsc64.exe
Sigcheck Tool
C:\Program Files\ICSFAgentService\files\ps\sysinternals\sigcheck64_v2.90.exe
Web Shell Analyzer
C:\Program Files\ICSFAgentService\files\ps\webshell\wsa.exe
Sysmon Executable
C:\Program Files\THApplications\cyrthwinsys.exe
Sysmon Executable
C:\Program Files\THApplications\ .exe
Checking the Agent Status
Using Services:
Execute this command in the shell and check if ICSFAgent and PMService is running:
services.msc
Using CyberCyte Portal:
Go to the "Asset Management" -> "Endpoint Management" on the portal. All of the agents will be listed under this page.
Uninstalling/Disabling the Agent
IMPORTANT: The agent and package manager always checks each other and if one of the service is down or deleted, other service automaticly restores the other service. To delete them completely, you need to delete both of them one after the other.
Using Command Line:
Execute these commands in the command line:
For Single MSI to Uninstall:
msiexec /x "C:\ProgramData\PMService\PMUninstaller.msi" /qn /norestart UNINSTALLOPTION=uninstallall /l*v "C:\ProgramData\PMService\uninstall_log.txt"For Single Executable to Uninstall:
"C:\ProgramData\PMService\PMUninstaller.exe" --uninstallallwithsysmon --silent
Using Control Panel:
Go to the Control Panel and click uninstall these two apps; "ICSFAgent" and "PMService"
Disabling the Agent:
Go to the "Asset Management" -> "Endpoint Management" on the portal. Right-click on the machine and disable the agent. This action only disables agent data collection, the agent will update itself but not collect any data.
Last updated
Was this helpful?