Install Agents on Endpoint Machines

The Set Administrator installs Agents on the endpoint machines.

There are no minimum hardware requirements for the endpoint machines. On average, the Agents consume less than 1% of CPU, between 20 and 50 MB of RAM (depending on the number of policies), and around 100 MB of disk space.

You do this in one of two ways:

  • Via a third-party Software Distribution system, such as Microsoft SCCM. See Install Agents via a Software Distribution System.

  • Manually. See Install Agents Manually.

EPM Agents take up around 100 MB of disk space, and use between 20 and 50 MB of RAM, depending on the number of policies. The Agents sit on both kernel and user levels of the OS, and use less than 1% of the CPU load on average. Installation and upgrades of EPM Agents do not require a reboot. Agent deployment can be seamless to the end-users, so that an icon does not appear in the system tray and the product does not appear in Add/Remove programs.

The Agent sends a one byte heartbeat to the EPM Server every 30 seconds. The average size of a new Policy file update is one KB per Policy. The average total size of a Policy file is between 0.5 and 1.5 MB.

Types of agents

There are three types of agents:

Windows regular agents

Windows regular agents are connected to the EPM Server.

Windows immediate enforcement agents

On Windows machines, immediate enforcement agents can be installed on a machine that is not connected to the EPM Server, and immediately enforce the policies installed with them on this machine.

These agents can also be installed on a machine that is connected to the EPM Server, so that the policies installed with them are enforced immediately. This differs from regular agents, which do not begin enforcing policies until they first connect to the EPM Server and receive policies, which can take a few minutes. In this case, you must install the Immediate Enforcement Agent with a Set ID and Dispatcher URL, so that the Agent can connect to the EPM Server and become a regular Agent. For details, see Install Agents Manually.

  • To install Immediate Enforcement Agents, the Enable downloading Immediate Enforcement Agent parameter must be set to On.
  • We recommend creating a dedicated Set for Immediate Enforcement Agent Policies.
  • Agent self-defense is not available for Immediate Enforcement Agents.
  • Threat Detection is not available for Immediate Enforcement Agents.
  • Rotate local admin credentials on the endpoint is not available for Immediate Enforcement Agents.

The MSI package for Immediate Enforcement Agents contains the Set's policies. Because it contains those policies, handle and distribute this MSI with care.

macOS agents

EPM agent installation creates a new CyberArkEPM.app on macOS endpoint devices, which includes all the files that are required to run and maintain the EPM agent.

The EPM agent application is called CyberArkEPM, and you can start it in the same way as you start any other application.

Procedure

CyberArk recommends the following procedure for installing Agents in an enterprise environment:

  1. Deploy a pilot group of 25 to 50 Agents.

  2. Collect Privilege Management events.

  3. Establish Trusted Sources, such as SCCM, Updaters, Publishers, and Network shares.

  4. Create specific policies based on Active Directory security groups.

  5. Remove Local Admin rights, using Restricted Groups through the MS Group Policy.

  6. Create new policies as needed until the environment is stable.

  7. Add more Agents.


Each subsequent iteration of adding Agents is faster since trusted sources and elevate policies are already in effect.

Third-party security programs

Agents can conflict with third-party security programs, such as antivirus programs, installed on endpoint computers.

Windows machines

To avoid this on Windows machines, exclude the EPM Agent binary files (.exe, .dll and .sys files) from the checks performed by the third-party security programs. The EPM Agent binary files are located in the %ProgramFiles%\CyberArk\Endpoint Privilege Manager\Agent\ directory and its sub-directories, except for the drivers, which are placed in the %SystemRoot%\System32\drivers directory during installation. The EPM Agent drivers are:

  • vfdrv.sys

  • vfnet.sys

  • vfpd.sys

  • CybKernelTracker.sys

macOS machines

To avoid this on macOS machines, exclude the EPM Agent files from the checks performed by the third-party security programs. The EPM Agent files are located in the following locations:

  • /Applications/CyberArk EPM.app

  • /Library/Application Support/CyberArk

  • /Library/Keychains/CyberArkEPM.keychain

  • /Library/SystemExtensions/*/com.cyberark.CyberArkEPMEndpointSecurityExtension.systemextension

  • /Library/LaunchDaemons/com.cyberark.CyberArkEPMWebServiceSession.plist

  • /Library/LaunchAgents/com.cyberark.CyberArkEPMUIAgent.plist

  • /Library/LaunchAgents/com.cyberark.CyberArkEPM.plist

  • /Library/LaunchDaemons/com.cyberark.CyberArkEPMPrivilegedHelper.plist

  • /Library/PrivilegedHelperTools/com.cyberark.CyberArkEPMPrivilegedHelper


The endpoint computer will probably require a reboot after the new exclusions have been configured for the third-party security programs.

Exclude third-party security programs from EPM checks

CyberArk recommends excluding third-party security programs from the checks performed by the EPM Agents.

  1. In the EPM Management Console, go to Advanced > Agent Configuration > Data Collection > Files to be Ignored Always.

  2. Click Add to add a new directory or file.


    By default, the list of paths in the Files to be Ignored Always parameter includes the paths of several popular third-party antivirus programs. It is important to remove from the list those paths that do not exist on the endpoint computers so that malware and intruders cannot use these paths.

  3. Find the specific files to exclude. In Windows File Explorer, deselect File contents in the Search pane and enter the search criteria (for example, *Symantec*). Review the search results to find all .exe or .dll files.

  4. Input the location or specific files of the third-party software, and optionally the user or user group of the processes to be excluded from the checks.


    In the File column, wildcards can be used. For example *.dll excludes all dll files in the defined location while still monitoring other file types. Regular expressions cannot be used to exclude files.

  5. Repeat this procedure for all relevant third-party security programs, then click Save.

The Agent Configuration is updated, and a new policy containing the exclusion rules is propagated to the endpoint computers.
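To make the matching rules of step 4 concrete, and to turn the advice in step 2 about pruning paths that do not exist into a check, here is an added Python example that is not CyberArk's code. It assumes the console's Location/File/User columns map to the fields shown, that a location matches the file's own directory, and every path and event in it is constructed sample data.

```python
"""Audit helper for an EPM 'Files to be Ignored Always' list (added example,
not CyberArk code). It models the rule semantics the page states: location +
file wildcard, optional user, no regular expressions. Exact-directory matching
and the column names are assumptions; all paths below are constructed."""
from fnmatch import fnmatchcase
from pathlib import PureWindowsPath

# Constructed ignore list in the shape of the console's columns (assumed).
IGNORE_LIST = [
    {"location": r"C:\Program Files\Symantec\Endpoint Protection", "file": "*.dll", "user": None},
    {"location": r"C:\Program Files\Symantec\Endpoint Protection", "file": "*.exe",
     "user": r"NT AUTHORITY\SYSTEM"},
    # Default-style entry for a product that is not installed on this endpoint.
    {"location": r"C:\Program Files\McAfee\Agent", "file": "*", "user": None},
]
# Constructed inventory: directories that actually exist on the endpoint.
PRESENT_DIRS = {r"C:\Program Files\Symantec\Endpoint Protection"}


def _norm(path):
    """Case-insensitive, separator-normalised form of a Windows path."""
    return str(PureWindowsPath(path)).lower()


def is_ignored(path, user, ignore_list=IGNORE_LIST):
    """True if a file/process event would be skipped by the Agent's checks.
    Location must equal the file's directory; the File column is a glob-style
    wildcard ('*.dll' skips DLLs while other types stay monitored), and the
    user only has to match when the entry names one. No regex is supported."""
    p = PureWindowsPath(path)
    for entry in ignore_list:
        if _norm(p.parent) != _norm(entry["location"]):
            continue
        if not fnmatchcase(p.name.lower(), entry["file"].lower()):
            continue
        if entry["user"] and user.lower() != entry["user"].lower():
            continue
        return True
    return False


def stale_entries(ignore_list=IGNORE_LIST, present_dirs=PRESENT_DIRS):
    """Entries whose location is absent from the endpoint. The page advises
    removing them: a path that is always ignored but that nothing legitimate
    uses is a blind spot, because anything dropped there is never checked."""
    present = {_norm(d) for d in present_dirs}
    return [e for e in ignore_list if _norm(e["location"]) not in present]
```

Running `stale_entries()` against a real inventory (for example, the output of a directory listing collected from the endpoints) reports the default entries to delete before the policy is saved.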


For driver-level exclusions, a reboot of the endpoint computer may be required.