Huntress Agent Surveys are used to find malicious footholds that Antivirus products miss.
Data that Surveys collect:
- file meta-data (size, timestamp, hashes)
- the user account the autorun starts under
- how the autorun starts (registry value, task, service, etc.)
- auto-starting files it has not seen before
The Huntress Agent does not scan all directories, make any changes, or block any processes.
A change in autoruns on a host will trigger the agent to send another survey to Huntress. Following remediation of an Incident, it may take up to 30 minutes for another survey to be received and for the Huntress dashboard to show the incident as resolved because of survey processing time.
After the Huntress Agent is installed on a host, it begins running surveys every 15 minutes. These surveys determine whether there was a change in a startup location. The Huntress Agent only looks at applications that are configured to auto-start. The Agent opens each auto-start application in read-only mode in order to hash the file. The survey data is only sent to the cloud for analysis when a change is detected from the previous survey. Most agents only send a few surveys a day; the exceptions are hosts where malware is constantly changing or software updates are occurring. The survey is sent to us as a JSON file over HTTPS to our AWS instance.
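As an added illustration of the survey-and-diff behaviour described above (example code, not the Huntress Agent's own; the field names and the JSON layout are assumed), each configured auto-start entry is hashed read-only and a payload is produced only when something differs from the previous survey:

```python
import hashlib
import json
import os
import tempfile

def hash_file(path):
    """Hash the autorun target, opened read-only and streamed, so the file is never modified."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def survey(entries):
    """One survey: file metadata, hash, start mechanism and account for each auto-start entry."""
    records = {}
    for e in entries:
        st = os.stat(e["path"])
        records[e["path"]] = {"size": st.st_size, "mtime": int(st.st_mtime),
                              "sha256": hash_file(e["path"]),
                              "mechanism": e["mechanism"], "user": e["user"]}
    return records

def changed_entries(previous, current):
    """Entries that are new or differ from the last survey; nothing is sent when this is empty."""
    return {p: r for p, r in current.items() if previous.get(p) != r}

def survey_payload(previous, current):
    """JSON body to upload (over HTTPS in the real product), or None when nothing changed."""
    delta = changed_entries(previous, current)
    return json.dumps({"autoruns": delta}, sort_keys=True) if delta else None

def run_demo():
    """Constructed sample: two autorun entries are surveyed, then one target is replaced."""
    root = tempfile.mkdtemp()
    entries = []
    for name, mechanism, user in [("updater.exe", "registry Run value", "SYSTEM"),
                                  ("sync.exe", "scheduled task", "alice")]:
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(name.encode())
        entries.append({"path": path, "mechanism": mechanism, "user": user})
    first = survey(entries)
    initial = survey_payload({}, first)             # first survey after install: all entries are new
    quiet = survey_payload(first, survey(entries))  # no change since last survey: nothing to send
    with open(entries[0]["path"], "ab") as f:       # simulate a modified autorun binary
        f.write(b"\x90")
    changed = changed_entries(first, survey(entries))
    return initial is not None, quiet is None, [os.path.basename(p) for p in changed]
```

Calling `run_demo()` returns `(True, True, ['updater.exe'])`: the first survey uploads everything, an unchanged host uploads nothing, and only the modified entry appears in the next delta.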
Here is a small snip of what a survey looks like: