Important Service Note related to RTS
With the release of the Real-Time Security features in Infocyte the historically whitelisted file names have changed. These can be reviewed in the a related article located here
What is Infocyte's Real-Time Security?
RTS (Real-Time Security) is Real-Time Monitoring and Detection of threats in an environment. Infocyte combines Live Forensics with Continuous Host Monitoring into a single cloud-based platform which enables quick identification, investigation, and response to advance attacks regardless of the locality (meaning, including remote and/or distributed networks).
The combination of Infocyte’s ASSESS, MONITOR and RESPOND ensures quick identification, response and resolution of APTs (Advanced Persistent Threats), ransomware and other malware (including fileless).
Enabling Real-Time Security
All of Infocyte's customers have the ability to enable Real-Time Security on one or all of their licensed assets. All assets that are to be monitored with Real-Time Security must reside in a "Monitored" Target Group in Infocyte. This means that at time enablement, some assets may need to be relocated to other Target Groups if all assets in a Target Group are not to be monitored with Real-Time Security.
Due to the enhanced capabilities of RTS, and more efficient use of the asset's resources, there is no longer a reason to schedule scans on a recurring basis--however, that functionality remains as well.
To enable Real-Time Security, navigate to the Target Group which contains the Assets to be monitored. Once there, simply click on the button labeled "Not Monitored." Doing so will install an agent on that machine. (See FAQ regarding Permanent and Temporary agents).
Select any extensions you would like to have running on the asset, and note the specified time for the Deep Forensic Scans independent of the Real-Time Security Monitoring before clicking on the Enable Monitoring.
Note: The setting for the differential FSA can be modified to suit your needs under the Account Settings in the Admin Panel.
To confirm that Real-Time Security is enabled, the "Not Monitored" button will change to "Monitored" and turn blue. This is also the button used should you want to change the settings back to an unmonitored state. You will also notice that the Agent Icon changed from Grey to Blue next to the individual assets.
|Unmonitored Agent||Monitored Agent|
Frequently Asked Questions
Agent Performance and Overhead
How will RTS impact the overall performance and usage of the agent?
- Infocyte focuses heavily on ensuring the agent does not impact the operational functionality of the host it is running on. The agent runs at a lower priority so the agent does not starve the host. Since we are monitoring the host with RTS, there will be slightly more space used by the Agent from a storage perspective; however, the footprint is minimal.
What impact will it have on processor/memory/network utilization?
- Overall performance characteristics of RTS are extremely low. Sub 3% CPU Utilization on average, 10MB of memory (and below), 10-100 Bytes/Sec of network usage, 5-25kb/sec of Disk I/O.
Monitoring and Scheduling
Will I be able to monitor and schedule point-in-time forensic scans?
- Assets can be in monitored and scheduled target groups. This allows you to establish your security stance based on your needs. If assets must be monitored, place them in a monitored group and if they need to have less focus, place them in a group to be scanned on a schedule.
Can an asset be monitored and scheduled?
- You are allowed to have an asset in both a monitored and a scheduled target group; however, an asset can be in ONE AND ONLY ONE monitored group.
Will monitored hosts still have forensic scans?
- Monitored hosts have the benefit of being monitored AND ALSO have detailed differential scans conducted on a frequent basis. If a host is assigned to a monitored target group there is really no need to also scan the host, it will happen regardless as this is part of what is built into a monitored target group.
Protection and Prevention
Does Infocyte prevent or protect from attacks?
- While Infocyte does not directly block or quarantine malware, the platform does provide a very fast infection-to-detection-to-respond and kill cycle. This means that from the time of initial detection, to when you are able to respond using Infocyte - Infocyte would aid in preventing the spread of a malicious campaign being executed against your environment.
Permanent and Temporary Agents
Will I be required to install agents when monitored is enabled?
- No, once you enable a target group to be Monitored, Infocyte will handle the migration from a temporary agent (or agentless) to agent for you. It is important to note that once a target group is marked to be Monitored it will have an agent permanently installed - but this is automatic.
Will I still have an agentless option if I just want to use scanning?
- Yes, when you schedule a scan you will have the option to set the agent deployment method to be temporary (dissolvable agent) or installed. The default option will be to temporarily install the agent so that it is dissolved if / when the host is rebooted.
Antivirus and whitelisting considerations for RTS Capable instances
With the release of the Real-Time Security features in Infocyte the historically whitelisted file names have changed. These can be located in the a related article here