Windows Installation

Pre-Requirements

The CyberCyte Windows agent requires Microsoft .NET Framework 4.7.2 or a newer version. Please download the latest .NET Framework version from the link below:

MS .NET Framework Official Website: https://dotnet.microsoft.com/en-us/download/dotnet-framework

If the agent will run on older devices, please check the compatible operating systems at the link below:

MS .NET Framework Compatibility List: https://learn.microsoft.com/en-us/dotnet/framework/get-started/system-requirements

The CyberCyte Windows agent supports the Windows operating systems listed below:

  • Windows 10

  • Windows 11

  • Windows Server 2016

  • Windows Server 2019

  • Windows Server 2022
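As an added example (not part of the CyberCyte documentation), the PowerShell script below checks the two prerequisites above on a candidate host before deployment: the .NET Framework release recorded in the registry and the Windows edition. The minimum Release value 461808 is Microsoft's published registry value for .NET Framework 4.7.2; the supported-OS pattern is taken from the list on this page.

```powershell
# Added example: prerequisite check for the CyberCyte Windows agent.
# Assumptions: run on the target host; Release DWORD values follow Microsoft's
# .NET Framework version table, where 461808 is the lowest value meaning 4.7.2.
$MinDotNetRelease   = 461808
$SupportedOsPattern = 'Windows 10|Windows 11|Server 2016|Server 2019|Server 2022'

function Get-DotNetFrameworkRelease {
    # Returns 0 when no .NET Framework 4.x is installed at all.
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    if (-not (Test-Path $key)) { return 0 }
    $release = (Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue).Release
    if ($null -eq $release) { return 0 }
    return [int]$release
}

function Test-AgentPrerequisites {
    $release   = Get-DotNetFrameworkRelease
    $osCaption = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
    $dotNetOk  = $release -ge $MinDotNetRelease
    $osOk      = $osCaption -match $SupportedOsPattern
    [pscustomobject]@{
        DotNetRelease = $release
        DotNetOk      = $dotNetOk
        OsCaption     = $osCaption
        OsSupported   = $osOk
        Ready         = ($dotNetOk -and $osOk)
    }
}

$check = Test-AgentPrerequisites
$check | Format-List
if (-not $check.Ready) {
    Write-Warning 'Host does not meet the agent prerequisites: install .NET Framework 4.7.2 or newer, or use a supported Windows version.'
    exit 1
}
```

Run it once per host (or through your management tooling) before pushing the installer; a non-zero exit keeps an unsupported machine out of the deployment batch instead of producing an agent that never registers.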

Installation Settings

Please review the Windows agent parameters. They can be adjusted as needed, but it is recommended that the default values be kept. Please go to "Settings & Reporting" -> "Deployment Settings," then click "Configure Management Module." The duration can be set lower for small-scale deployments.

The "Latest Version Testing Interval (Days)" setting controls the agent update interval. The agent waits the entered number of days and then updates itself to the latest version.

The Windows Agent Settings

Parameter and purpose:

  • Communication Interval: The interval, in minutes, at which the agent communicates with the portal.

  • In-Depth Search Interval: Agents can run an in-depth search on machines; this is the interval between such searches, in minutes.

  • Remediation Jobs Interval: The interval, in minutes, at which the agent fetches remediation information. Any remediation job assigned to the agent is picked up within this interval.

  • Virus Total Minimum Detection Count: The VirusTotal detection count at which actions and analysis are performed.

  • Maximum Number of Active Data Collectors: The number of collections run in parallel. A lower number means lower resource usage; the default value is the minimum, 3.

  • Kill Process on Malicious Detection: Enable to kill processes on malicious detection.

  • Data Collection Servers: The sensor address used for data collection.

  • Enable Interactive Session for Agents: Permission for agents to open an interactive session to the machine in order to execute commands.

  • Interactive Session Interval (minutes): How long an interactive session stays alive before it is logged out.

The Package Manager Settings

Parameter and purpose:

  • Update Check Interval (minutes): The interval at which the package manager communicates with the portal to send and receive settings.

The Agent External Connection Settings

Parameter and purpose:

  • Enable Backup Server for Installation & Upgrade File Downloads: Enables a backup server for downloading installation and upgrade files.

  • Enable External IP Address Check: Enables checking the external IP address of the machines.

Changing the other options is not recommended, so they are not documented on this page. They are self-explanatory: most of them are either the interval of a collection loop or specify which artifacts are collected.

Once the intervals are entered, click on the "Save" button. The parameters can be set to 5 minutes for small-scale testing. The duration should be increased for larger-scale deployments.

Windows Threat Monitor Settings are designed for monitoring process activity, honeypot access, file activity, and script execution. The default intervals are shown in the image below; edit them as your system requires.

The Agent Deployment

Go to "Settings & Reporting" -> "Deployment Settings", then click "Download" to obtain the Windows agent executable. Once it is downloaded, run the executable; when installation completes, the machine's data is added to the portal.

Once the agent is deployed, please check that the initial data is being populated. Initial Sysmon data can take up to 15-20 minutes to be available within the system based on the configured parameters. Autoruns, processes, inventory data, and device information are available for Windows agents.

For Single Executable to Install:

PMInstaller.exe --silent

For Single MSI to Install:

"<path_to_msi_package>\<agent_version>_PMInstaller.msi" /qn URL="https://portal.cloudcyte.com/functions/443a489db9368c9a9f6238c1a47aacac" PROXY_IP_ADDRESS="" PROXY_PORT="" PROXY_USERNAME="" PROXY_PASSWORD=""

For Single MSI to Uninstall:

msiexec /x "C:\ProgramData\PMService\PMUninstaller.msi" /qn UNINSTALLOPTION=uninstallAll /l*v "C:\ProgramData\PMService\uninstall_log.txt"

For Single Executable to Uninstall:

PMInstaller.exe --uninstall --silent

For Setup Provided as a Zip File to Install:

PMInstaller.exe /exenoui /qn

For Setup Provided as a Zip File to Uninstall:

PMInstaller.exe /exenoui /x // /qn /quiet

The installer automatically installs the required applications and services on the client machine:

PMService: Responsible for agent package updates and ensures that the agent service is running.

ICSFAgentService: Collects data from the client and executes actions. Monitored by PMService and automatically restarted if it stops.

After PMService is installed, it automatically connects to your portal instance, downloads the Windows agent installer, and runs the installation. Because PMService downloads the agent installer from download.cloudcyte.com, please ensure that client devices can reach this domain and download .exe files from it.

Note: Both applications require .NET SDK 4.6 or newer.
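The following PowerShell script is an added example, not the vendor's own tooling: it performs the unattended MSI installation shown above with the documented msiexec properties, writes a verbose Windows Installer log, and then waits for both services (PMService, and the ICSFAgentService that PMService installs afterwards) to reach the Running state. The staged MSI path, the log location and the deployment URL are assumptions; replace the URL placeholder with the one shown under "Deployment Settings" for your tenant.

```powershell
# Added example: unattended MSI deployment of the CyberCyte Windows agent.
# Assumptions (not from the page): the MSI (named <agent_version>_PMInstaller.msi
# in the documentation) has been staged at $MsiPath; $PortalUrl is your tenant's
# deployment URL; $LogPath is where the msiexec verbose log should go.
$MsiPath   = 'C:\Deploy\PMInstaller.msi'                                  # assumption
$PortalUrl = 'https://portal.cloudcyte.com/functions/<your_deployment_id>'  # placeholder
$LogPath   = 'C:\ProgramData\PMService\install_log.txt'                    # assumption

function Install-CyberCyteAgent {
    param([string]$Msi, [string]$Url, [string]$Log)
    if (-not (Test-Path $Msi)) { throw "MSI not found: $Msi" }
    # Properties are passed exactly as documented; the URL is quoted so msiexec
    # keeps it as one value. /l*v gives the first place to look when setup fails.
    $msiArgs = @(
        '/i', "`"$Msi`"", '/qn',
        "URL=`"$Url`"",
        'PROXY_IP_ADDRESS=""', 'PROXY_PORT=""', 'PROXY_USERNAME=""', 'PROXY_PASSWORD=""',
        '/l*v', "`"$Log`""
    )
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    # Standard Windows Installer codes: 0 = success, 3010 = success, reboot required.
    if ($proc.ExitCode -notin 0, 3010) {
        throw "msiexec exited with code $($proc.ExitCode); see $Log"
    }
    return $proc.ExitCode
}

function Wait-AgentServices {
    param([string[]]$Names = @('PMService', 'ICSFAgentService'), [int]$TimeoutSeconds = 900)
    # PMService downloads the agent from download.cloudcyte.com after it starts,
    # so ICSFAgentService can appear several minutes after msiexec returns.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $running = foreach ($n in $Names) {
            $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
            if ($svc -and $svc.Status -eq 'Running') { $n }
        }
        if (@($running).Count -eq $Names.Count) { return $true }
        Start-Sleep -Seconds 15
    } while ((Get-Date) -lt $deadline)
    return $false
}

$code = Install-CyberCyteAgent -Msi $MsiPath -Url $PortalUrl -Log $LogPath
Write-Host "msiexec exit code: $code"
if (Wait-AgentServices) {
    Write-Host 'PMService and ICSFAgentService are running; the device should appear in the portal after the communication interval.'
} else {
    Write-Warning 'Services did not reach Running in time; check the install log and outbound HTTPS access to download.cloudcyte.com.'
}
```

The timeout is deliberately generous because the second service depends on an outbound download; if the wait fails, the log and the domain access check are the two things to look at first.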

Checking Installation

After installation, the agent registers itself automatically with the server. Please go to Asset Management → Device Management → Agent to see the agent. It may take a couple of minutes for the device to appear on this screen.

Agents must be able to reach the CyberCyte server on port 443 and the https://download.cloudcyte.com website. If the agent is not shown here, first check access to the portal from the client. If access succeeds, wait for the configured communication interval to elapse.

Agent Path and Services

Services

Service name and display name:

  • PMService (display name: PMService)

  • ICSFAgentService (display name: ICSFAgentService)

Main Executables

Process name and full path:

  • ICSFAgentService.exe: C:\Program Files\ICSFAgentService\ICSFAgentService.exe

  • PMService.exe: C:\Program Files\PMService\PMService.exe

  • EndPointDataCollector.exe: C:\Program Files\ICSFAgentService\files\collector\EndPointDataCollector.exe

Note: Before starting the installation, please whitelist the directories below for the three executables above:

  • C:\Program Files\ICSFAgentService (and subdirectories)

  • C:\Program Files\PMService (and subdirectories)

  • C:\Program Files\THApplications (and subdirectories)

  • C:\ProgramData\ICSFAgent (and subdirectories)

  • C:\ProgramData\ICSFPackageManager (and subdirectories)

  • C:\ProgramData\PMService (and subdirectories)

In some cases, EDR/AV software does not allow directory-based whitelisting. In that case, the files below should be permitted:

Process name and full path:

  • Sysmon Executable: C:\Windows\cyrthwinsys.exe

  • Sysmon Executable: C:\Windows\<When-Other-Name-Used>.exe

  • ICSFAgentService.exe: C:\Program Files\ICSFAgentService\ICSFAgentService.exe

  • PMService.exe: C:\Program Files\PMService\PMService.exe

  • EndPointDataCollector.exe: C:\Program Files\ICSFAgentService\files\collector\EndPointDataCollector.exe

  • Agent Installer Installed By PMService: C:\Program Files\PMService\packages\windows agent\latest\files\ICSFAgentSetup.exe (permit: C:\Program Files\PMService\packages\windows agent\latest\files\)

  • PM Installer Installed By Agent: C:\ProgramData\PMService\Temp\PMInstaller*.exe (permit: C:\ProgramData\PMService\Temp\)

  • Agent Installer Installed By PMService: C:\Program Files\PMService\files\windows agent\WindowsAgent.exe

  • PM Uninstaller: C:\ProgramData\ICSFPackageManager\PMUninstaller.exe

  • ICSF Uninstaller: C:\ProgramData\ICSFAgent\ICSFAgentUninstaller.exe

  • Autorunsc Tool: C:\Program Files\ICSFAgentService\files\ps\sysinternals\autorunsc64.exe

  • Sigcheck Tool: C:\Program Files\ICSFAgentService\files\ps\sysinternals\sigcheck64_v2.90.exe

  • Web Shell Analyzer: C:\Program Files\ICSFAgentService\files\ps\webshell\wsa.exe

  • Sysmon Executable: C:\Program Files\THApplications\cyrthwinsys.exe

  • Sysmon Executable: C:\Program Files\THApplications\<When-Other-Name-Used>.exe
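As an added example (not from the vendor), the PowerShell below applies the allow-list from the two lists above to Microsoft Defender Antivirus: directory exclusions where the product allows them, and the file-level process exclusions otherwise. It also reports which documented entries are still missing, so configuration drift is visible. It assumes Defender is the AV in use and an elevated session; other EDR/AV products need the same entries added through their own console. The paths are exactly those listed on this page; the `<When-Other-Name-Used>` placeholders are left out because their real names are not given here.

```powershell
# Added example: apply the documented allow-list to Microsoft Defender Antivirus.
# Assumptions: Defender is the active AV; run elevated. Paths are the page's own.
$AgentDirectories = @(
    'C:\Program Files\ICSFAgentService',
    'C:\Program Files\PMService',
    'C:\Program Files\THApplications',
    'C:\ProgramData\ICSFAgent',
    'C:\ProgramData\ICSFPackageManager',
    'C:\ProgramData\PMService'
)
# File-level entries for environments that only allow per-executable exclusions.
$AgentProcesses = @(
    'C:\Windows\cyrthwinsys.exe',
    'C:\Program Files\ICSFAgentService\ICSFAgentService.exe',
    'C:\Program Files\PMService\PMService.exe',
    'C:\Program Files\ICSFAgentService\files\collector\EndPointDataCollector.exe',
    'C:\Program Files\PMService\packages\windows agent\latest\files\ICSFAgentSetup.exe',
    'C:\Program Files\PMService\files\windows agent\WindowsAgent.exe',
    'C:\ProgramData\ICSFPackageManager\PMUninstaller.exe',
    'C:\ProgramData\ICSFAgent\ICSFAgentUninstaller.exe',
    'C:\Program Files\ICSFAgentService\files\ps\sysinternals\autorunsc64.exe',
    'C:\Program Files\ICSFAgentService\files\ps\sysinternals\sigcheck64_v2.90.exe',
    'C:\Program Files\ICSFAgentService\files\ps\webshell\wsa.exe',
    'C:\Program Files\THApplications\cyrthwinsys.exe'
)
# Directories the page says to permit for the wildcard installer names.
$InstallerStagingDirs = @(
    'C:\Program Files\PMService\packages\windows agent\latest\files',
    'C:\ProgramData\PMService\Temp'
)

function Add-AgentDefenderExclusions {
    param([switch]$FileLevelOnly)
    if ($FileLevelOnly) {
        # Per-executable exclusions plus the two staging directories the page asks to permit.
        Add-MpPreference -ExclusionProcess $AgentProcesses
        Add-MpPreference -ExclusionPath $InstallerStagingDirs
    } else {
        # A Defender folder exclusion covers its subdirectories, matching "(and subdirectories)".
        Add-MpPreference -ExclusionPath $AgentDirectories
    }
}

function Get-MissingAgentExclusions {
    # Compare the configured exclusions with what this page requires.
    $pref = Get-MpPreference
    [pscustomobject]@{
        Directories = @($AgentDirectories | Where-Object { $pref.ExclusionPath -notcontains $_ })
        Processes   = @($AgentProcesses   | Where-Object { $pref.ExclusionProcess -notcontains $_ })
    }
}

Add-AgentDefenderExclusions
Get-MissingAgentExclusions | Format-List
```

Keep the exclusions to exactly these entries: every excluded path is a blind spot for the AV, so a broader pattern than the documented directories would weaken detection on the endpoint rather than just unblock the agent.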

Checking the Agent Status

  • Using Services:

    • Run the command below and check that ICSFAgent and PMService are running:

      • services.msc

  • Using CyberCyte Portal:

    • Go to the "Asset Management" -> "Endpoint Management" on the portal. All of the agents will be listed under this page.
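The PowerShell health check below is an added example (not the vendor's tooling) that covers both "Checking Installation" and "Checking the Agent Status" from the command line: it confirms the two services exist and are running, verifies that each service's binary path matches the documented location (a service registered under a different path is worth investigating rather than trusting), and tests TCP 443 reachability to the portal and to download.cloudcyte.com. The portal host name is a placeholder to replace with your tenant's.

```powershell
# Added example: health check for an installed CyberCyte Windows agent.
# Assumption: $PortalHost is your tenant's portal host (placeholder below).
$PortalHost   = 'portal.cloudcyte.com'   # placeholder: use your portal's host name
$DownloadHost = 'download.cloudcyte.com'
# Documented binary locations for the two services.
$ExpectedPaths = @{
    'PMService'        = 'C:\Program Files\PMService\PMService.exe'
    'ICSFAgentService' = 'C:\Program Files\ICSFAgentService\ICSFAgentService.exe'
}

function Get-AgentServiceState {
    foreach ($name in $ExpectedPaths.Keys) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        # PathName may be quoted and may carry arguments; keep only the executable.
        $actual = $null
        if ($svc -and $svc.PathName -match '^"?([^"]+?\.exe)') { $actual = $Matches[1] }
        [pscustomobject]@{
            Service     = $name
            Present     = [bool]$svc
            State       = if ($svc) { $svc.State } else { 'Missing' }
            PathMatches = ($actual -eq $ExpectedPaths[$name])
            ActualPath  = $actual
        }
    }
}

function Test-AgentConnectivity {
    foreach ($h in @($PortalHost, $DownloadHost)) {
        $t = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $h; Port = 443; Reachable = $t.TcpTestSucceeded }
    }
}

$services = Get-AgentServiceState
$network  = Test-AgentConnectivity
$services | Format-Table -AutoSize
$network  | Format-Table -AutoSize

if (($services | Where-Object { -not $_.Present -or $_.State -ne 'Running' }) -or
    ($network  | Where-Object { -not $_.Reachable })) {
    Write-Warning 'Agent is not healthy: fix the service or the outbound HTTPS access before waiting for the communication interval.'
}
```

If both services run and both hosts are reachable but the device is still absent from the portal, the remaining variable is the configured communication interval, as the section above says.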

Uninstalling/Disabling the Agent

  • IMPORTANT: The agent and the package manager continuously check each other; if one of the services is stopped or deleted, the other service automatically restores it. To delete them completely, you need to remove both, one right after the other.

  • Using Command Line:

    • Execute these commands in the command line:

      • ICSFAgent:

        • For Executable: "C:\ProgramData\ICSFAgent\ICSFAgentUninstaller.exe" --uninstall --q

        • For MSI: msiexec /x "C:\ProgramData\PMService\PMUninstaller.msi" /qn UNINSTALLOPTION=uninstallAll /l*v "C:\ProgramData\PMService\uninstall_log.txt"

      • PMService:

        • For Executable: "C:\ProgramData\ICSFPackageManager\PMUninstaller.exe" --uninstall --silent, or "C:\ProgramData\ICSFPackageManager\PMUninstaller.exe" --uninstallallwithsysmon --silent

        • For MSI: msiexec /x "C:\ProgramData\PMService\PMUninstaller.msi" /qn UNINSTALLOPTION=uninstallAll /l*v "C:\ProgramData\PMService\uninstall_log.txt"

  • Using Control Panel:

    • Go to the Control Panel and uninstall these two apps: "ICSFAgent" and "PMService".

  • Disabling the Agent:

    • Go to "Asset Management" -> "Endpoint Management" on the portal. Right-click the machine and disable the agent. This action only disables agent data collection: the agent will still update itself but will not collect any data.
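Because each service restores the other, a scripted removal has to run both uninstallers back to back and then confirm that neither came back. The PowerShell below is an added example (not the vendor's uninstaller) that does this with the executable uninstallers and arguments listed above, in the order the page lists them; it assumes an elevated session and the documented uninstaller paths.

```powershell
# Added example: remove both components in one pass and verify neither was restored.
# Assumptions: elevated session; uninstaller paths and switches are the page's own.
$Uninstallers = @(
    @{ Name = 'ICSFAgent'; Exe = 'C:\ProgramData\ICSFAgent\ICSFAgentUninstaller.exe';    Args = '--uninstall --q' },
    @{ Name = 'PMService'; Exe = 'C:\ProgramData\ICSFPackageManager\PMUninstaller.exe'; Args = '--uninstall --silent' }
)

function Remove-CyberCyteAgent {
    # Run both uninstallers immediately one after the other, so neither service
    # has a chance to reinstall its peer in between.
    foreach ($u in $Uninstallers) {
        if (-not (Test-Path $u.Exe)) {
            Write-Warning "Uninstaller not found: $($u.Exe)"
            continue
        }
        $p = Start-Process -FilePath $u.Exe -ArgumentList $u.Args -Wait -PassThru
        Write-Host "$($u.Name) uninstaller exit code: $($p.ExitCode)"
    }
}

function Get-RemainingAgentServices {
    param([int]$WaitSeconds = 120)
    # Give a surviving watchdog time to act, then report any service still registered.
    Start-Sleep -Seconds $WaitSeconds
    $remaining = foreach ($n in 'PMService', 'ICSFAgentService') {
        if (Get-Service -Name $n -ErrorAction SilentlyContinue) { $n }
    }
    return @($remaining)
}

Remove-CyberCyteAgent
$left = Get-RemainingAgentServices
if ($left.Count -eq 0) {
    Write-Host 'Both services removed.'
} else {
    Write-Warning "Still present: $($left -join ', '). One service restored the other; run the uninstaller pair again."
}
```

A service that reappears after the wait is the symptom described in the IMPORTANT note above, not a failed uninstaller, which is why the script checks after a delay rather than immediately.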
