Understanding the Windows Dissolvable Agent

Document created by Martin Walker (Employee) on Jan 18, 2017. Last modified by Robert Dell'Immagine on Jan 18, 2017.

The Windows Dissolvable Agent is a very small executable that is pushed to a Windows system during a scan and automatically removed when the last scan of the asset is complete. The DA file size is about 200K and the time to upload and launch it has a negligible impact on the overall scan duration. The DA performs a limited set of checks (e.g. share enumeration and some features in PC) that would otherwise require the Remote Registry service to be enabled, which is not recommended for security reasons.


Today, using the Dissolvable Agent has several benefits:

  • Eliminates the dependency on the remote registry service.
  • Enables the scan to extract more data from the registry.
  • Enables us to perform checks that cannot be performed remotely (i.e., access to password hashes for dictionary checks and to Windows Firewall Audit settings on Windows 2008/7 and later versions).
  • Enables us to perform File Integrity Monitoring (FIM) checks on files larger than 250 KB on Windows systems (i.e., hashes are created locally on the scanned system).
  • Enables PC to perform share analysis checks including the recently added custom control support for specific user/group share analysis.


The agent is only deployed if the customer has enabled the DA (Scans->Setup->Dissolvable Agent) and the scanner gets into a situation where a QID or DPID cannot be detected without the agent but might be detectable with it. Having admin credentials but finding Remote Registry disabled is one such situation (for VM and PC). In PC there are a few more cases, involving e.g. password auditing and file integrity checking.


How It Works

The agent runs on all 32- and 64-bit versions of Windows starting with Windows 2000, including support for Intel, AMD and Itanium CPUs. We do not support Windows on ARM CPUs (e.g. the Surface tablet).


MLDA needs to be installed as a Windows service with LOCAL_SYSTEM privileges in order to do its work. Microsoft has designed a special process for doing this, which is used by software that performs remote system-level installation. It involves the ADMIN$ share and the MS-SCMR API. This requires that we upload the binary over an SMB connection to ADMIN$ into either the %windir%\system32 or the %windir%\SysWOW64 directory. Which directory is used depends on whether the operating system is 32-bit or 64-bit.


The agent is installed in two different locations depending on the platform (and, in the Itanium case, the CPU type):

  • 32-bit Windows: <Windows installation directory>\system32\Qualys\qdaw3v01.exe (32-bit binary)
  • 64-bit Windows: <Windows installation directory>\SysWOW64\Qualys\qdaw3v01.exe (64-bit binary)
  • 64-bit Windows (Itanium CPU only): <Windows installation directory>\system32\Qualys\qdaw3v01.exe (32-bit binary)


We then remotely access the SVCCTL API to create a new service from that binary, and start the service. The service starts up and listens on a named SMB pipe and exposes its own RPC API on it. We then remotely connect to that named pipe so we can access our API.


The dissolvable agent runs as a Windows Service while parts of the scan are running. During that time it shows up in the Windows Services control panel. The name of the service is "Qualys Helper Service" and the description is "Provides support for Qualys computer security analysis."
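Because the agent is registered as a service with the Service Control Manager, its installation leaves a record in the System event log. The following PowerShell script is an added example (not part of the original document or Qualys' own tooling) that lists those records for the service name given above, so an administrator can confirm when, from which path and under which account the agent was installed; it assumes the standard Windows event 7045 ("A service was installed in the system") and its property order.

```powershell
# Added example (not from the original document): audit installations of the
# "Qualys Helper Service" by reading Service Control Manager event 7045 from
# the System log. The event ID, provider name and property layout are standard
# Windows; the service name is the one stated in the article.
$serviceName = 'Qualys Helper Service'
$since = (Get-Date).AddDays(-30)

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7045
    StartTime    = $since
} -ErrorAction SilentlyContinue

# Event 7045 EventData order: [0] service name, [1] image path,
# [2] service type, [3] start type, [4] account the service runs as.
$installs = foreach ($e in $events) {
    if ($e.Properties[0].Value -eq $serviceName) {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Service   = $e.Properties[0].Value
            ImagePath = $e.Properties[1].Value
            Account   = $e.Properties[4].Value
        }
    }
}

if (-not $installs) {
    Write-Output "No '$serviceName' installation events in the last 30 days."
} else {
    # Per the article, ImagePath should be under system32\Qualys or
    # SysWOW64\Qualys and the account should be LocalSystem; anything else
    # deserves a closer look.
    $installs | Sort-Object Time | Format-Table -AutoSize
}
```

Run it in an elevated PowerShell session on the scanned host; each row corresponds to one scan that needed the agent.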


MLDA is dynamically generated and uploaded during every authenticated scan that requires its use. The binary is securely and uniquely created for each customer installation from a base file included with the scanner software release. This happens during the scan in order to create a cryptographically isolated secure channel with the scan appliance. Because it is dynamically generated it cannot be signed and may be difficult to whitelist.


The agent supports up to 10 simultaneous concurrent scans of the same target from the same scan appliance. At the end of the last concurrent scan that uses the agent the service is unregistered and the directory and the file are removed.


A verification of whether the agent has been successfully dissolved should include:


  1. Check that the agent service is no longer registered:
     - visually, in the Services management snap-in (under Programs > Administrative Tools > Services), or
     - with a Windows Registry editor, by confirming that the following key is absent:
       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Qualys Helper Service
  2. Verify that the directory and file listed under the installation locations above are not present.
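The two verification steps can be scripted. The following PowerShell is an added example (not part of the original document or Qualys' own tooling) that checks the service registration, the registry key and both installation paths named in this article; it assumes those names and paths are as stated above.

```powershell
# Added example (not from the original document): verify that the Dissolvable
# Agent has dissolved. Service name, registry key and file paths are the ones
# stated in the article.
$serviceName = 'Qualys Helper Service'
$regKey      = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"
$paths = @(
    (Join-Path $env:windir 'system32\Qualys\qdaw3v01.exe'),   # 32-bit / Itanium
    (Join-Path $env:windir 'SysWOW64\Qualys\qdaw3v01.exe'),   # 64-bit
    (Join-Path $env:windir 'system32\Qualys'),
    (Join-Path $env:windir 'SysWOW64\Qualys')
)
$findings = @()

# Step 1: the service must no longer be registered with the SCM ...
if (Get-Service -Name $serviceName -ErrorAction SilentlyContinue) {
    $findings += "Service '$serviceName' is still registered"
}
# ... and its registry key must be gone.
if (Test-Path -LiteralPath $regKey) {
    $findings += "Registry key still present: $regKey"
}

# Step 2: binary and directory must be removed on both possible locations.
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "Still present: $p" }
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: Dissolvable Agent has been removed.'
    exit 0
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    # A concurrent scan may still be in progress: the agent only dissolves
    # after the last scan that uses it has finished, so re-check later.
    exit 1
}
```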


In order to use the DA:

  1. Ensure UAC is disabled. (It might not need to be disabled, but this is a good place to check.)
  2. Ensure the scanning account has permissions to %windir%\SysWOW64\ (write and execute permissions are needed).
  3. Ensure any host-based IDS/IPS is not blocking this process. (A good idea, but client-specific.)
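The three prerequisites above can be pre-checked on the target before a scan. The following PowerShell is an added example (not part of the original document or Qualys' own tooling); the scanning account name `$scanAccount` is a placeholder, the UAC value EnableLUA and the SecurityCenter2 WMI namespace are standard Windows, and the ACL check looks only at entries naming the account itself, not rights inherited through group membership.

```powershell
# Added example (not from the original document): pre-flight checks for the
# three Dissolvable Agent prerequisites listed in the article.
$scanAccount = 'DOMAIN\qualys-scan'   # placeholder, replace with the real scanning account

# 1. UAC state: EnableLUA = 0 means UAC is disabled.
$uac = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
                        -Name EnableLUA -ErrorAction SilentlyContinue
if ($uac -and $uac.EnableLUA -eq 1) { Write-Warning 'UAC is enabled (EnableLUA=1)' }
else                                 { Write-Output  'UAC: disabled' }

# 2. Write + execute rights on %windir%\SysWOW64 for the scanning account.
#    Only ACEs that name the account directly are considered here; rights
#    granted via group membership (e.g. Administrators) are not resolved.
$target = Join-Path $env:windir 'SysWOW64'
$needed = [System.Security.AccessControl.FileSystemRights]::Write -bor
          [System.Security.AccessControl.FileSystemRights]::ExecuteFile
$granted = 0
foreach ($ace in (Get-Acl -LiteralPath $target).Access) {
    if ($ace.IdentityReference.Value -eq $scanAccount -and
        $ace.AccessControlType -eq 'Allow') {
        $granted = $granted -bor [int]$ace.FileSystemRights
    }
}
if (($granted -band [int]$needed) -eq [int]$needed) {
    Write-Output "ACL: $scanAccount has write and execute on $target"
} else {
    Write-Warning "ACL: $scanAccount lacks write and/or execute on $target (directly)"
}

# 3. Host-based IDS/IPS: list security products registered with Security Center
#    (client editions of Windows only) so exclusions for qdaw3v01.exe can be
#    reviewed in each product.
Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct `
                -ErrorAction SilentlyContinue |
    Select-Object displayName, pathToSignedProductExe
```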