Team: Huntress Managed Endpoint Detection and Response (EDR)
Product: Surveys
Environment: Windows, MacOS
Summary: How Huntress agent surveys work
Huntress Agent Surveys are used to find malicious footholds that antivirus products miss.
Data that Surveys collect
- file-path
- file metadata (size, timestamp, hashes)
- the user account the autorun starts under
- how the autorun starts (registry value, task, service, etc.)
- auto-starting files the agent has not seen before
The Huntress Agent does not scan every directory, make changes to the endpoint, or block any processes.
A change in autoruns on an endpoint will trigger the agent to send a new survey to Huntress. After remediation of an Incident, it can take up to 30 minutes for a new survey to be sent back and processed.
Once the Huntress Agent is installed on an endpoint, it watches the endpoint for changes to important system files, autorun entries, and Defender policies every 10-15 minutes. If the agent detects a change, a survey is generated and sent to the Huntress portal for processing. Timing can vary depending on activity on the machine and on other ongoing activity in the portal, which can result in a longer delay before the portal reflects a completed survey. These surveys are performed regularly to determine whether a startup location has changed.
The Huntress Agent only looks at applications that are configured to auto-start. The Agent opens each auto-start application in read-only mode in order to hash the file. Survey data is only sent to the cloud for analysis when a change is detected from the previous survey, so most agents send only a few surveys a day. The exception is when malware on an endpoint is constantly changing or when software updates occur. The survey is sent to Huntress as a JSON file over HTTPS to our AWS instance.
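As an added illustration (not Huntress's code; the record fields and the change rule are assumptions drawn from the description above), here is how a survey differ could decide whether anything needs to be sent, hashing each autorun target read-only and comparing it against the previous survey:

```python
import hashlib
import json
import os
import tempfile

def hash_file(path):
    """Hash an autostart file, opened read-only as the article describes."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:  # read-only; the file is never modified
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def survey_entry(mechanism, path, user):
    """One autorun record: how it starts, its path, account, and file metadata."""
    st = os.stat(path)
    return {"mechanism": mechanism, "path": path, "user": user,
            "size": st.st_size, "mtime": int(st.st_mtime), "sha256": hash_file(path)}

def diff_surveys(previous, current):
    """Entries that are new, changed (hash/size/user differ) or removed."""
    key = lambda e: (e["mechanism"], e["path"])
    prev = {key(e): e for e in previous}
    cur = {key(e): e for e in current}
    fields = ("sha256", "size", "user")
    return {
        "new": [e for k, e in cur.items() if k not in prev],
        "changed": [e for k, e in cur.items() if k in prev and
                    any(e[f] != prev[k][f] for f in fields)],
        "removed": [e for k, e in prev.items() if k not in cur],
    }

def build_payload(delta):
    """JSON body a hypothetical agent would upload; None means nothing changed."""
    if not any(delta.values()):
        return None  # no change since the last survey: nothing is sent
    return json.dumps(delta, sort_keys=True)

def demo():
    """Constructed scenario: one Run-key entry, then its binary is replaced."""
    run_key = "registry:HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "updater.exe")
        with open(exe, "wb") as fh:
            fh.write(b"MZ original autorun binary")  # constructed sample file
        first = [survey_entry(run_key, exe, "SYSTEM")]
        quiet = diff_surveys(first, [survey_entry(run_key, exe, "SYSTEM")])
        with open(exe, "wb") as fh:
            fh.write(b"MZ replaced autorun binary!!")  # simulated tampering
        noisy = diff_surveys(first, [survey_entry(run_key, exe, "SYSTEM")])
        return build_payload(quiet), build_payload(noisy)
```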