You're Seeing Detections Through your EDR from CYRISMA.
Gain insights on how to interpret and respond to detections in your Endpoint Detection and Response (EDR) system from CYRISMA.
Overview
If you're observing detections from your Endpoint Detection and Response (EDR) system related to the CYRISMA Agent, it’s important to understand how the agent operates and why these detections occur. This article outlines the modes of operation for the CYRISMA Agent, the reasons behind the detections, and how to configure your endpoint protection to allow CYRISMA to function effectively.
CYRISMA Agent Operating Modes
The CYRISMA Agent operates in two distinct modes:
1. Local Scanning
- Service Context: The agent runs as the “System” service, utilizing local machine rights to perform all scan types.
- Functionality: This mode is designed for thorough scanning of the local system without relying on network access.
2. Network Scanning
- Service Context: The agent operates under a defined “Service Account” and utilizes credentials provided at scan time, either through previously defined credentials or alternate scan credentials.
- Functionality: This mode enables the agent to scan machines visible on the network, assess open ports, and gather details about the operating system, share levels, and security software.
Interaction with Endpoint Protection Suites
Some endpoint protection solutions may flag the CYRISMA Agent or its activities as potential threats. This can lead to the agent being blocked or quarantined. Key points to consider include:
- TCP Scanning: The agent performs TCP scanning of other machines on the network, which can resemble malicious activity to some EDR systems.
- Remote Access Attempts: Depending on the port profile, the agent may attempt remote access to gather necessary details, which can trigger alerts.
Configuring Your EDR
To ensure that the CYRISMA Agent operates without interruptions, you may need to adjust your endpoint protection settings:
Allow List/Exclusions: Configure your EDR to include CYRISMA in its allow list or exclusion policies.
- This may involve adding the CYRISMA installation directory, typically `C:\CYRISMA_Agent`, to the exclusion list.
Specific Executables: If your security policies do not support directory-based exclusions, consider adding the following executables to your exclusion policy to prevent detections:
| Executable Path | Purpose |
|---|---|
| C:\CYRISMA_Agent\DataSpotliteAgent.exe | Main executable running as a service |
| C:\CYRISMA_Agent\App\psexec.exe | Provides remote collection of target attributes |
| C:\CYRISMA_Agent\App\atexec.exe | Secondary method to collect remote target attributes |
| C:\CYRISMA_Agent\App\cytcp.exe | TCP port scanning |
| C:\CYRISMA_Agent\App\fileconv.exe | Reads data from files for sensitivity scanning |
| C:\CYRISMA_Agent\bin\pscopy.exe | Agent management and upgrades |
| C:\CYRISMA_Agent\App\7z.exe | Compresses scan results |
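The following is an added example, not CYRISMA's own tooling, showing how the exclusions above could be applied and then verified on Microsoft Defender Antivirus; it assumes Defender is the EDR in use and that the agent is installed at the default path from this article.

```powershell
# Added example (not part of the CYRISMA article): apply the exclusions described
# above to Microsoft Defender Antivirus. Assumes Defender is the EDR in use.
# Run from an elevated PowerShell session on the endpoint.

$agentDir = 'C:\CYRISMA_Agent'

# Executables listed in the article; used when directory-wide exclusions are not allowed.
$agentExecutables = @(
    "$agentDir\DataSpotliteAgent.exe",
    "$agentDir\App\psexec.exe",
    "$agentDir\App\atexec.exe",
    "$agentDir\App\cytcp.exe",
    "$agentDir\App\fileconv.exe",
    "$agentDir\bin\pscopy.exe",
    "$agentDir\App\7z.exe"
)

# Set to $false if policy forbids directory exclusions; per-file exclusions are added instead.
$useDirectoryExclusion = $true

# Sanity check before excluding anything: the path must actually hold the agent.
if (-not (Test-Path -Path $agentDir -PathType Container)) {
    throw "CYRISMA agent directory not found at $agentDir; confirm the install path first."
}

if ($useDirectoryExclusion) {
    # One path exclusion covers the whole installation tree.
    Add-MpPreference -ExclusionPath $agentDir
} else {
    foreach ($exe in $agentExecutables) {
        if (Test-Path -Path $exe -PathType Leaf) {
            # -ExclusionPath accepts a file path. Note that Defender's -ExclusionProcess
            # excludes files *opened by* a process rather than the binary itself, so a
            # path exclusion is the right choice when the executable is what gets flagged.
            Add-MpPreference -ExclusionPath $exe
        } else {
            # Only exclude binaries that are present, keeping the exclusion set minimal.
            Write-Warning "Skipping $exe (not present on this host)"
        }
    }
}

# Read back the effective configuration so the change can be audited.
$prefs = Get-MpPreference
Write-Output 'Current Defender path exclusions:'
$prefs.ExclusionPath
```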
Conclusion
The CYRISMA Agent is not designed to evade detection or replace existing endpoint security measures. If your EDR is blocking CYRISMA, it is functioning as intended, and necessary adjustments should be made to your endpoint protection settings. By properly configuring your EDR to allow CYRISMA, you can ensure smooth operation and effective scanning without false detections. If you need further assistance, please reach out to your IT support team or contact CYRISMA support.
Please also see CYRISMA CyBroker Sensor Preparation and Setup