Huntress Agent Surveys are used to find malicious footholds that Antivirus products miss.
Data that Surveys collect
- file metadata (size, timestamp, hashes)
- the user account the autorun starts under
- how the autorun starts (registry value, task, service, etc.)
- auto-starting files it has not seen before
The Huntress Agent does not scan all directories, make any changes, or block any processes.
After the Huntress Agent is installed on a host, it begins running surveys every 15 minutes. These surveys determine whether a startup location has changed. The Huntress Agent only looks at applications that are configured to auto-start, and it opens each auto-start application in read-only mode in order to hash the file. Survey data is sent to the cloud for analysis only when a change is detected from the previous survey, so most agents send only a few surveys a day. The exception is a host where malware is constantly changing or where software updates are occurring.
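The survey-and-compare behaviour described above can be illustrated as follows. This is an added example, not the Huntress Agent's code; the entry fields, function names and sample files are assumptions made for the illustration.

```python
import hashlib
import os
import tempfile

def describe_file(path):
    """Open the target read-only and return its size, mtime and SHA-256."""
    try:
        with open(path, "rb") as fh:  # read-only: the file is never modified
            data = fh.read()          # whole-file read keeps the example short
        return {"size": len(data), "mtime": int(os.stat(path).st_mtime),
                "sha256": hashlib.sha256(data).hexdigest()}
    except OSError:
        return {"size": None, "mtime": None, "sha256": None}  # missing/unreadable

def take_survey(autoruns):
    """Snapshot every auto-start entry, keyed by (mechanism, name)."""
    return {(e["mechanism"], e["name"]):
            {"path": e["path"], "account": e["account"], **describe_file(e["path"])}
            for e in autoruns}

def diff_surveys(previous, current):
    """Return added/removed/changed keys, or None when the survey is unchanged."""
    delta = {
        "added": sorted(k for k in current if k not in previous),
        "removed": sorted(k for k in previous if k not in current),
        "changed": sorted(k for k in current
                          if k in previous and current[k] != previous[k]),
    }
    return delta if any(delta.values()) else None  # None: nothing to upload

def demo():
    """Constructed data: a service binary that is replaced, plus a new Run entry."""
    with tempfile.TemporaryDirectory() as d:
        svc = os.path.join(d, "updater.exe")
        with open(svc, "wb") as fh:
            fh.write(b"original binary")
        autoruns = [{"name": "Updater", "mechanism": "service",
                     "account": "LocalSystem", "path": svc}]
        first = take_survey(autoruns)
        unchanged = diff_surveys(first, take_survey(autoruns))
        with open(svc, "wb") as fh:
            fh.write(b"replaced binary!!")
        autoruns.append({"name": "Helper", "mechanism": "registry_run",
                         "account": "alice", "path": os.path.join(d, "helper.exe")})
        return unchanged, diff_surveys(first, take_survey(autoruns))

if __name__ == "__main__":
    print(demo())
```

The first comparison returns `None` because nothing changed between surveys; the second reports the replaced service binary as changed and the new Run entry as added, even though its target file does not exist on disk.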
Navigating to the Surveys
Surveys gathered from Agents can be viewed through the Huntress Dashboard by users with Administrative privileges.
1. Log in to the Huntress Web Interface.
2. From the Organization's Dashboard, click on "Agents" or "Total Agents".
3. Click on the Hostname of the agent that you want to view the surveys for.
4. The Agent's home screen will show the last time the agent was surveyed. Users with Administrator privileges can select "Surveys" from the Admin only box to navigate to the agent's surveys.
5. The Survey list starts with the most recent. Click on the Survey to see more detail.
6. You will be taken to the survey of all applications that are automatically configured to start, and the respective hash value. Ctrl+F can be used to do a keyword search.