Team: Huntress EDR
Product: Surveys
Environment: Windows, MacOS
Summary: How Huntress agent surveys work
Huntress Agent Surveys are used to find malicious footholds that Antivirus products miss.
Data that Surveys collect:
- file-path
- file meta-data (size, timestamp, hashes)
- the user account the autorun starts under
- how the autorun starts (registry value, task, service, etc.)
- auto-starting files it has not seen before
The Huntress Agent does not scan all directories, make changes, or block any processes.
A change in autoruns on a host will trigger the agent to send another survey to Huntress. After remediation of an Incident, it will take up to 30 minutes for a new survey to be sent back and processed.
Once the Huntress Agent is installed on a host, it will attempt to run surveys roughly every 15-30 minutes. Some variability in timing may occur depending on other ongoing activity in the portal, which can result in a longer delay before the portal reflects a completed survey. These surveys are run regularly to determine whether a startup location has changed.
The Huntress Agent only looks at applications that are configured to auto-start. The Agent opens each auto-start application in read-only mode in order to hash the file. Survey data is only sent to the cloud for analysis when a change is detected relative to the previous survey, so most agents send only a few surveys a day. The exception is a host where malware is constantly changing or where software updates occur. The survey is sent to us as a JSON file over HTTPS to our AWS instance.
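The survey cycle described above (hash each auto-start file read-only, compare against the previous survey, send JSON only when something changed) as an added illustration in Python. This is not the Huntress Agent's code; the autorun source labels, the user name and the sample file are constructed for the demo.

```python
import hashlib
import json
import os
import tempfile


def hash_file_readonly(path):
    # Open read-only in binary mode and hash in chunks; the file is never modified.
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def survey_autorun(path, source, user):
    # One record per auto-start entry: path, file metadata, hash, user, start mechanism.
    st = os.stat(path)
    return {"path": path, "source": source, "user": user, "size": st.st_size,
            "mtime": int(st.st_mtime), "sha256": hash_file_readonly(path)}


def run_survey(autoruns):
    # autoruns: list of (path, source, user) tuples the agent discovered on the host.
    return {p: survey_autorun(p, s, u) for p, s, u in autoruns}


def survey_delta(previous, current):
    # Compare against the last survey; only new, removed or changed entries are reported.
    added = [current[p] for p in current.keys() - previous.keys()]
    removed = [previous[p] for p in previous.keys() - current.keys()]
    changed = [current[p] for p in current.keys() & previous.keys()
               if any(current[p][k] != previous[p][k] for k in ("sha256", "source", "user"))]
    return added, removed, changed


def build_survey_payload(previous, current):
    # The JSON the agent would send over HTTPS, or None when nothing changed (no survey sent).
    added, removed, changed = survey_delta(previous, current)
    if not (added or removed or changed):
        return None
    return json.dumps({"added": added, "removed": removed, "changed": changed})


def demo():
    # Constructed sample: one auto-start file surveyed before and after an update replaces it.
    exe = os.path.join(tempfile.mkdtemp(), "updater.exe")
    with open(exe, "wb") as fh:
        fh.write(b"MZ original autorun content")
    autoruns = [(exe, "registry run value (constructed)", "SYSTEM")]
    baseline = run_survey(autoruns)
    first = build_survey_payload({}, baseline)                      # first survey: all entries new
    repeat = build_survey_payload(baseline, run_survey(autoruns))   # unchanged: nothing sent
    with open(exe, "wb") as fh:
        fh.write(b"MZ replaced by a software update")
    after = build_survey_payload(baseline, run_survey(autoruns))    # hash changed: survey sent
    return first, repeat, after
```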