Team: Huntress EDR
Environment: Windows, macOS
Summary: How Huntress agent surveys work
Huntress Agent Surveys are used to find malicious footholds that Antivirus products miss.
Data that Surveys collect
- file metadata (size, timestamp, hashes)
- the user account the autorun starts under
- how the autorun starts (registry value, task, service, etc.)
- auto-starting files it has not seen before
The Huntress Agent does not scan all directories, make changes, or block any processes.
A change in autoruns on a host will trigger the agent to send another survey to Huntress. After remediation of an Incident, it will take up to 30 minutes for a new survey to be sent back and processed.
Once the Huntress Agent is installed on a host, it runs a survey every 15 minutes. Each survey checks whether anything has changed in a startup location. The Agent only looks at applications that are configured to auto-start, and it opens each auto-start file in read-only mode in order to hash it.

Survey data is only sent to the cloud for analysis when a change is detected relative to the previous survey, so most agents send only a few surveys a day. The exceptions are hosts where malware is constantly changing its files or where software updates are occurring.

The survey is sent to us as a JSON file over HTTPS to our AWS instance.
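To illustrate the survey loop described above (enumerate auto-start entries, hash each target read-only, and only produce an upload when something differs from the previous survey), here is an added Python example. It is not Huntress agent code: the autorun inventory, the file contents, the hostname and the JSON layout are all constructed for the demonstration, and the files are created in a temporary directory so the script runs offline on Windows or macOS.

```python
"""Toy model of an autorun survey with change detection (constructed example)."""
import hashlib
import json
import os
import tempfile
import time


def build_sample_autoruns(root):
    """Constructed autorun inventory: (start mechanism, user account, file path).

    A real agent would read these from the registry, the task scheduler,
    the service control manager, launchd, etc.; here they are hard-coded and
    backed by placeholder files written into a temporary directory.
    """
    entries = [
        ("registry Run value", "DOMAIN\\alice", os.path.join(root, "updater.exe")),
        ("scheduled task", "NT AUTHORITY\\SYSTEM", os.path.join(root, "backup.exe")),
        ("service", "NT AUTHORITY\\SYSTEM", os.path.join(root, "svc.exe")),
    ]
    for _, _, path in entries:
        with open(path, "wb") as fh:
            fh.write(b"placeholder bytes for " + os.path.basename(path).encode())
    return entries


def file_metadata(path):
    """Open the auto-start target read-only and collect size, mtime and hashes."""
    sha256 = hashlib.sha256()
    md5 = hashlib.md5()
    with open(path, "rb") as fh:  # read-only: the survey never modifies the file
        for chunk in iter(lambda: fh.read(65536), b""):
            sha256.update(chunk)
            md5.update(chunk)
    st = os.stat(path)
    return {"size": st.st_size, "mtime": int(st.st_mtime),
            "sha256": sha256.hexdigest(), "md5": md5.hexdigest()}


def run_survey(entries):
    """One survey: a map keyed by (mechanism, path) so two surveys are easy to diff."""
    survey = {}
    for mechanism, account, path in entries:
        survey[f"{mechanism}|{path}"] = {"mechanism": mechanism, "account": account,
                                         "path": path, **file_metadata(path)}
    return survey


def diff_surveys(previous, current):
    """Return entries that are new, removed, or changed since the previous survey.

    A change means the file hash or the account it runs under differs; the
    timestamp alone is ignored so a touched-but-identical file stays quiet.
    """
    changes = {"added": [], "removed": [], "modified": []}
    for key, entry in current.items():
        if key not in previous:
            changes["added"].append(entry)
        elif (previous[key]["sha256"] != entry["sha256"]
              or previous[key]["account"] != entry["account"]):
            changes["modified"].append(entry)
    for key, entry in previous.items():
        if key not in current:
            changes["removed"].append(entry)
    return changes


def build_payload(previous, current, hostname="host-01"):
    """Return the JSON document that would be uploaded, or None when nothing changed."""
    changes = diff_surveys(previous, current)
    if not any(changes.values()):
        return None  # no change since the last survey: nothing is sent
    return json.dumps({"hostname": hostname, "surveyed_at": int(time.time()),
                       "changes": changes}, sort_keys=True)


def demo():
    """Run three surveys: a baseline, an unchanged repeat, and one after a file is replaced."""
    with tempfile.TemporaryDirectory() as root:
        entries = build_sample_autoruns(root)
        first = run_survey(entries)
        baseline = json.loads(build_payload({}, first))      # first survey: everything is new
        quiet = build_payload(first, run_survey(entries))     # identical survey: no upload
        with open(entries[0][2], "wb") as fh:                 # simulate a replaced binary
            fh.write(b"replaced bytes")
        changed = json.loads(build_payload(first, run_survey(entries)))
        return baseline, quiet, changed


if __name__ == "__main__":
    baseline, quiet, changed = demo()
    print("baseline entries:", len(baseline["changes"]["added"]))
    print("unchanged survey upload:", quiet)
    print("modified:", [e["path"] for e in changed["changes"]["modified"]])
```

The design point is the quiet path: an unchanged survey produces no payload at all, which is what keeps the upload count to a handful per day on a healthy host, while a host whose auto-start binaries keep changing would produce a payload on nearly every cycle.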