Installing agents on workstations

As soon as you have configured your agent groups, you must install agents on the workstations that you want to protect.

An SES Evolution agent can be installed on all types of hosts with compatible operating systems: servers or workstations, including domain controllers or machines that host one or several SES Evolution components (such as agent handlers, backends, etc.)

This installation is a two-step process. First, generate an installer that contains the whole configuration dedicated to the agent group. Next, deploy the agent on each workstation you want to assign to this group. Once it is installed, the agent will retrieve a unique identity the first time it connects to the agent handler. It will then appear in the panel of the corresponding agent group in the administration console. The whole configuration of the agent group will be applied to it, especially security policies.

If you have installed SES Evolution on a master, you also need to change the ID of the agents on which you are deploying it.

NOTE
The folder directed by %TEMP% and %TMP% must exist and be accessible in write mode during the agent installation phase and during the agent update.

Regardless of the agent deployment method chosen, once installation is complete, ensure that the agents connect at least once to an agent handler.
An agent that has never logged on to an agent handler performs its workstation protection functions, but the following features are not available:

  • log generation. You will not be able to monitor its activity or export unsynchronized logs from the Help and Support > Assistance menu of the agent interface.

  • challenge request. You will not be able to perform a challenge if there is a problem. For further information on challenges, refer to the section Resolving issues with challenges.

To install and use Stormshield Endpoint Security Evolution version 2.7.2 on Microsoft Windows, agents must meet at least the following requirements:

 

Operating systems

Refer to the Product life cycle guide to find out more on compatibility with operating system versions.
Processors for physical machines

64-bit processors with minimum 2 GHz Intel Pentium 4 or equivalent.

Itanium processors are not supported.
Processors for virtual machines

At least one virtual socket and one 1 GHz core per socket. Stormshield recommends one virtual socket and two 2 GHz cores per socket.
Physical memory At least 1 GB. Or more if the operating system requires it. Stormshield recommends 2 GB.
Disk space
  • At least 100 MB for installation,
  • At least 200 MB for data storage.

These are the disk space requirements for the NTFS file system. More space will be needed for updates and logs.
Network configuration
  • Outgoing communication:
  • Agent with version 2.7.1 or higher - port HTTPS 443
  • Agent with version lower than 2.7.1 - port TCP 17000
Network bandwidth At least 12 Kbit/s. Lower bandwidth may prevent the agent and agent handler from exchanging data.
Software Framework .NET 4.6.2 or higher.
Display At least 1024X768.

Enabling Windows restore points

The SES Evolution agent installer creates a Windows restore point just before copying files on the disk. So if there are any compatibility issues with another program, this will make it possible to revert to the state of the system as it was before SES Evolution as installed. A restore point will also be created when the agent is updated.

In order for the restore point to be created, the feature must be enabled in the System > System protection panel in Windows. For further information on restoration, refer to Windows documentation.

Disabling safe mode for standard users

Safe mode can be used to troubleshoot problems that prevent a workstation from being used when started normally. By default, the Windows configuration allows all users to start in this mode.

However, in safe mode, the SES Evolution agent self-protection is disabled. You must therefore allow only administrators to use this mode.

To disable safe mode for non-administrator users, set the SafeModeBlockNonAdmins value of the HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System key to "1" in the Windows registry.

The Agent groups - Modify privilege is required to generate an installer for agents.

  1. Select the Environment > Agents menu.
  2. Ensure that you have configured the agent group with your preferences and deployed the environment. For further information, refer to the section Creating agent groups.
  3. From the panel on the left, select the agent groups that you want to apply to the workstations.
  4. In the Agents tab, click on Installer > Generate xx-bit installer.
  5. Save the installation file AgentSetup_xxx.exe at the location of your choice.

Once the installer has been generated, you can deploy this file to the workstations via GPO. The GPO-based procedure described below uses the PowerShell script SesAgentDeploymentScript.ps1 provided by Stormshield, and launches a default installation in silent mode.

  1. In your MyStormshield client area, select Downloads > Stormshield Endpoint Security > Evolution > Resources and click on the SES Agent deployment script link. The script requires PowerShell in version 5 and higher.
  2. On the domain controller, open the Group Policy Management console (gpmc.msc).
  3. Right-click on the organizational unit in which you want to deploy the SES Evolution agent, then select Create a GPO in this domain, and link it here.
  4. In the New GPO window, enter a name for the GPO, e.g., SES EVOLUTION Deployment.
  5. Right-click on the new GPO, then select Edit.
    The Group Policy Management editor then opens.
  6. Select Computer configuration > Policies > Windows settings > Scripts (Startup/Shutdown), and double-click on Startup.
  7. In the Startup properties window, click on the PowerShell scripts tab, then on Show files and paste the following files:
    • The AgentSetup_x64.exe files,
    • The SesAgentDeploymentScript.ps1 script.
  8. Click on Add, then on Browse
  9. Select the script, click on Open, then on OK.
  10. In the Startup properties window, click on Apply, then OK.
  11. In the Group Policy Management console, select the GPO that was just created.
  12. In the Scope tab, check the following items:
    • The organizational unit in the Links section,
    • The target user groups listed in the Security filtering security.
  13. Right-click on the OU, then select Group Policy Update.
    The SES Evolution agent will automatically install in silent mode the next time the workstations start.
    You can refer to the logs regarding the installation via GPO in C:\Windows\Temp\InstallSESLogGPO.

  14. As soon as the agent is installed, the icon appears in the Windows status bar, indicating that the installation is not complete.

  15. Restart the workstation. The icon indicates that the agent is now fully functional.

Once the installer has been generated, you can deploy it on the workstations via Microsoft Endpoint Configuration Manager, which replaces SCCM.

NOTE
To deploy the agent via MECM, SES Evolution must be in at least version 2.3 and built-in security policies must be in at least version 2210a.
Go to your MyStormshield client area to download the most recent versions of SES Evolution and policies. You can also download the latest policies from the update server. For more information, see Downloading Stormshield updates.

In your MECM environment, we recommend that you:

  • Have at least one shared folder that can be used by hosts in the pool connected to MECM,

  • Split up the list of hosts in the pool into Collections. You can divide SES Evolution agents into agent groups, for example.

The following procedure was tested on version 2207 of MECM.

To deploy the agent via MECM, follow the four steps below:

1 Creating an installation package

  1. Place the installation files AgentSetup_x64.exe in the shared folder usable by machines in the pool connected to MECM.

  2. Open the Configuration Manager console.

  3. In Software library > Overview > Application management, click on Packages.

  4. Create a package and a program. Name the package, e.g., InstallSES Evolution agent.

  5. Select the standard program type.

  6. Name the program, e.g., SES Evolutionagent on Windows x64.

  7. Enter command line AgentSetup_x64.exe /s. Other options are available, see the list of options below the table.

  8. Go to the shared folder containing the installation file, and select it as the start folder.

  9. Select Run with administrative rights as the run mode.

  10. In Platform requirements, select the operating system on which the agent will be deployed.
2 Creating programs to install via the package

In the package created, create as many programs as necessary, for each agent group for example. To create a new program:

  1. Right-click on the package and select Create program.

  2. Select the parameter as indicated in step 1.
3 Deploying programs on workstations

  1. Right-click on each program created in the package, and select Deploy.

  2. Select the Collection in which you intend to deploy the agent.

  3. Specify a deployment Scheduling.

  4. In Notification settings, select Allow users to run the program independently of assignments.

  5. In Deployment options, select Run program from distribution point.
4 Monitoring and finalizing the deployment

  1. In Monitoring > Overview, click on Deployments.

  2. Select an ongoing deployment to view its progress.

  3. You can select Run summarization to force the workstations to synchronize with MECM.

  4. As soon as the agent is installed on the workstations, the icon appears in the Windows status bar, indicating that the installation is not complete.

  5. Restart the workstations. The icon indicates that the agent is now fully functional.

 

You can also add the following options to the AgentSetup_x64.exe command:

/silent or /s To make the installation transparent for the user of the workstation
/installdir To copy the agent’s installation files (binary and resource files) into a folder other than %SYSTEMDRIVE%\Program Files. This path must be different from the one for the agent’s data files.
/datadir To copy the agent’s data files (logs, policies, scripts, etc.) into a folder other than %SYSTEMDRIVE%\ProgramData. This path must be different from the one for the agent’s installation files.
/log <path> To specify the path of the agent’s installation log file.
/newagentid

To delete data regarding the agent’s communication with the agent handler: unique ID, certificates used internally, as well as the ID and private data used in challenges. The agent retrieves new data the next time it connects to the agent handler.
It would be helpful to assign new communication data if the agent is on a duplicated virtual machine, or if you are installing the agent on a workstation created from a master.

  1. Install an SES Evolution agent on a master by following the procedure for the installation of a standard agent.

  2. On the master, delete the agent’s ID by following one of the methods below. Agent handlers must not be contactable by the agent during this operation, otherwise the agent will immediately obtain new communication data.

    • Delete the registry value of the agent’s ID (value: AgentGuid) located in: HKEY_LOCAL_MACHINE\SOFTWARE\Stormshield\SES Evolution. A new ID will be generated the next time the agent connects to the agent handler.
      - or -
    • Run the agent installer AgentSetup_x64.exe or the agent component Agent\bin\Gui\EsSetup.exe in command mode with the /newagentid option. This command assigns a new ID to the agent without the need to reinstall it.

    After deploying the master to a workstation, ensure that the SES Evolution agent can contact an agent handler so that a new ID can be assigned to it.

You can install the SES Evolution agent on Windows Server Core 2012 R2, 2016, 2019 and 2022 operating systems.

These operating systems have a reduced graphical interface. The agent's interface does not start automatically when a user session is opened (agent icon icon in the task bar on a 'standard' operating system). To display the agent’s GUI:

Likewise, if requests for user confirmation are configured in a security rule, the agent will not open any window, automatically assuming that the answer to the confirmation is "no". There is no way for the user to reply with a "yes".