When creating a new endpoint security agent setting, under the General settings tab -> Administrator there are two checkboxes: Collect accessed IP/URL and Collect CPU and memory.
Checking these two checkboxes enables the EPS advanced data gathering capabilities.
When CPU and memory collection is enabled, EPS gathers the average CPU and memory consumption of each running application.
When IP/URL collection is enabled, EPS tracks all inbound and outbound network traffic of each running application. EPS calculates bandwidth usage and audits every IP/URL the process connects to or is connected from. Note that not all network traffic has a URL associated with it; in that case only the IP is gathered. For efficiency, EPS aggregates the gathered data, in particular the IP/URL information.
EPS gathers all CPU, memory and IP/URL readings on the client. The gathered and aggregated information is sent to the core with every inventory sync. This information is part of each device's inventory and can therefore be accessed from the device inventory view or through the query mechanism on the core. The best way to view this information, however, is the application information view.
Application Information View
To open this view, right-click a device in the console and choose "Application information view".
The application file reputation view shows all applications that were discovered on the chosen device. The following information is available for each application:
- File name
- Discovered date: when the file was first discovered (reported by the inventory scan)
- Executed date: when the file was last executed (reported by the inventory scan)
- Reputation: if the file reputation was overridden by the user, this is the override value; otherwise it is the same as the LANDESK reputation
- LANDESK reputation: file reputation as determined by the Ivanti cloud reputation database
- Digital signature: whether the file is digitally signed, and by which vendor
- Inventory: how many devices have the same file
- Trust count: how many application file lists contain this file
- File metadata: version, company (vendor), product name, path (based on inventory)
- Received/Sent bytes: the total bytes received/sent by this file. This is a good indicator of whether the file performs network activity, which may be suspicious
- Double-clicking a line in this view opens a new window listing all the URLs/IPs this application connected to
- Average CPU/memory consumed by the file
From the same view, admins can take the following actions:
- Query VirusTotal for the status of a specific file
- Query Google, IOC Bucket and the Ivanti community on the validity of a specific file
- Run device diagnostics reports
- Look at inventory details for the device
- Manage the patch level of the device (and all applications installed on this device)
- Open a remote control session to the device for further investigation
- Run AV scan
- Shutdown or reboot the device
The application information view does not require the EPS agent to be deployed; however, with EPS deployed the view is more valuable because more information is presented.
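The following is an added example, not Ivanti or LANDESK code, showing how the data described above can be used for triage once it has been exported from the core: it performs the same kind of per-application IP/URL aggregation EPS does on the client, then ranks files by the indicators the view exposes (signature, reputation, trust count, URL-less connections, bytes sent versus received). Field names, file attributes and the traffic observations are all constructed for illustration and do not reflect the product's actual schema.

```python
from collections import defaultdict

# Constructed sample of raw client observations before aggregation:
# (process name, destination IP, URL or None when no URL is known, bytes received, bytes sent).
OBSERVATIONS = [
    ("updater.exe", "203.0.113.10", "https://updates.example.com/manifest", 4096, 512),
    ("updater.exe", "203.0.113.10", "https://updates.example.com/manifest", 8192, 640),
    ("helper.exe", "198.51.100.7", None, 120, 90000),
    ("helper.exe", "198.51.100.7", None, 80, 150000),
]

# Constructed per-file attributes, named after the columns of the application information view.
FILES = {
    "updater.exe": {"signed": True, "reputation": "good", "trust_count": 3, "inventory": 120},
    "helper.exe": {"signed": False, "reputation": "unknown", "trust_count": 0, "inventory": 1},
}


def aggregate(observations):
    """Collapse repeated observations into one (received, sent) total per (app, ip, url)."""
    totals = defaultdict(lambda: [0, 0])
    for app, ip, url, rx, tx in observations:
        totals[(app, ip, url)][0] += rx
        totals[(app, ip, url)][1] += tx
    return {key: tuple(val) for key, val in totals.items()}


def triage(files, aggregated):
    """Return (score, app, reasons) tuples, highest review priority first."""
    rx_by_app, tx_by_app = defaultdict(int), defaultdict(int)
    for (app, _ip, _url), (rx, tx) in aggregated.items():
        rx_by_app[app] += rx
        tx_by_app[app] += tx
    results = []
    for app, attrs in files.items():
        rx, tx = rx_by_app[app], tx_by_app[app]
        reasons = []
        if rx + tx > 0:  # only network-active files are scored
            if not attrs["signed"]:
                reasons.append("unsigned file with network activity")
            if attrs["reputation"] == "unknown":
                reasons.append("reputation unknown")
            if attrs["trust_count"] == 0:
                reasons.append("not present in any application file list")
            if any(a == app and url is None for (a, _ip, url) in aggregated):
                reasons.append("connections with no URL (raw IP only)")
            if tx > 10 * max(rx, 1):
                reasons.append("sent far more bytes than received")
        results.append((len(reasons), app, reasons))
    return sorted(results, reverse=True)
```

Running `triage(FILES, aggregate(OBSERVATIONS))` ranks `helper.exe` first with all five reasons and `updater.exe` last with none.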
The application information report shows a list of all applications discovered by the inventory scan (independent of EPS). It is important to ensure that the inventory scan sends the hash value of each scanned file to the core; this is enabled under the Configure menu -> Services option -> Inventory tab -> Advanced settings button -> Send All File Hashes.
The core calculates the file reputation of each file by default; however, admins must first download the file reputation content. This is done under Patch and Compliance -> Download updates -> in the tree, under Windows -> Security check, select the LANDESK file reputation updates.