Because all cloud agents report the same IP, how would i purge a single host? I have a development machine that is no longer in use but it used the cloud agent. if I select the asset and purge it will purge all data with that same IP address. Thanks
Today, there are options in the CAP module for "deactivate agent" and "uninstall agent". The warning for the uninstall option contains the following language "This step will remove the agent and revoke license(s) for all applications.Please note that any VM or PC data for this agent will not be removed. You will need to also purge that asset from the respective module to clear the related data."
Uninstall removes the agent from the CAP console, regardless of whether the agent is actually communicating with the platform at the time. Deactivate leaves the agent in the console for possible future re-activation. Neither actions purge the data in VM as per above warning note.
In VM Asset Search, both inactive and uninstalled agent assets are accepted for purging based on IP with the usual warnings and no errors or any agent specific language. The purge is effective in both cases, assets and data will be removed.
In VM Asset Search, active agents are accepted for purging with the usual warnings and no errors or any agent specific language, however the purge has no effect.
Shortly this behavior will change slightly (Monday 3/21 for US POD1). Following our next update when you uninstall an agent from the CAP module (active or inactive), we will automatically purge the VM data for that agent asset.
When you deactivate an agent the user will be presented with the option of deactivating VM or PC or Both. Neither of these actions will purge QWEB data but only make sure we do not process future VM or PC data or both (depending on selection) for the selected agents.
Sorry, the best answer I have for this is to look for internal IPs from QID 12816 (Interface and IP Address List). It's not how I would *like* to do it, but it can help get around a few issues.
Another thought might be to just uninstall the agent from the host?
Thanks for the replies. Even though VM sees its local ip, you still can not use that to run reports or purge the data. You get an error saying the ip is not in your subscription. Uninstalling the CA only removes it from the CA module and does not remove and vm data it already knows of.
I checked in with Support on this, and you need to revoke the Agent from the Cloud Agent module and it will purge that host from VM. We are working to document this better.
Thanks for looking into this. This is the message I get when going to uninstall a agent. It clearly says that data will need to be purged from the VM module.
Well of course you are right. It turns out what I said will be true starting later in March on US Platform 1 when we do the next update, and then after that on US Platform 2 and EU Platform 1 when they get the same update. Sorry for the confusion.
Yep, I just went through that, definitely not working. Though losing the historical data, what would happen if you purged everything from that IP and let the other devices check back in? No historical data, but it'd be semi-up to date. These are all problems we're encountering, too. I'm hopeful that you get a better answer.
Ha, I made that mistake once :), that is how I learned of the single IP problem. I could see us doing that maybe twice a year to clean things out. We meet weekly with out remediation teams to review trends and most prevalent reports so purging that much data is not ideal for us. Crossing my fingers things improve or it is back to using just the virtual scanner for us. Our biggest pain point is the Archer GRC integration, the ip fix will address that one.
I'm working to get some more information for you on this. Regards, Robert
Martin, thanks you for this, I appreciate you taking time to write it. I look forward to that option on Pod 2
This is a great feature and I look forward having it available. When do you anticipate this will be available for Pod 2?
The beginning of April.
Retrieving data ...