Lumu Agent Collector for Windows Server

Until now, the Lumu Agent has been an endpoint software program installed on a user's machine to detect adversarial activity. The compromise detection capabilities of the Lumu Agent are now also available for Windows Server devices that function as domain controllers, allowing the traffic of all devices connected to them to be analyzed at once. In this document, you will learn how to install and configure the Lumu Agent for Windows Server to obtain valuable endpoint intelligence from the devices in your network.

Requirements

  • A device running a Windows Server operating system. Minimum supported version Windows Server 2016.
  • Administrator permissions on the local machine.

Notes Before installing the Lumu Agent, make sure you have created Lumu Agent Groups in the Lumu Portal. Remember that an internet connection is required for Lumu Agent activation.
The Lumu Agent is a lightweight software program; below is some reference information on the agent's average resource consumption on Windows devices. Keep in mind that CPU, bandwidth, and RAM usage are average estimates and may vary depending on the environment where the agent is installed:

  • RAM consumption (average): 20 MB
  • CPU consumption (average): < 2%
  • Bandwidth consumption (average): 1 Kbps
  • Online installer size: 1.1 MB
  • Agent installed size: 8 MB

Lumu Agent for Windows Server Installation

The installation of the Lumu Agent for Windows Server is simple and straightforward. Agents can be deployed easily to your entire user population through an IT asset management system, which simplifies their installation and administration. This section covers the installation and configuration of the Lumu Agent on Windows Server devices.

Notes To get started with agents, see Introduction to Lumu Agents.
The Lumu Agent for Windows Server provides two types of installers:

  • Online installer: this installer downloads the latest available files and settings required for installation and keeps the agent updated. Recommended for single installations.
  • Offline installer: includes all files required for installation; no additional files are downloaded. Recommended for bulk deployments.

Notes For bulk deployments, such as when using Group Policy in a Windows Server, download the installation file according to your IT asset management system's needs and check out our documentation on Deploy Lumu Agent using Group Policy (GPO).
Regardless of your installer choice, there is a series of preliminary steps prior to installing. These are discussed in depth further below.

Command Quick Reference for Windows Agent Support

The Lumu Agent for Windows includes an application for support purposes. You can use this application to troubleshoot and get agent information from devices.

The list below shows the available support commands for the Lumu Agent for Windows Server. Run the commands from the Lumu installation path (e.g. C:\Program Files (x86)\Lumu\Agent) using Command Prompt or Windows PowerShell with administrator privileges.

Command: lumu-server-support.exe [argument]

  • -h or --help: Print all the available commands with their description.
  • --show_status: Print the agent's last status information, including its status, version, and settings.
  • --activation_code [arg]: Reset the activation code to the provided argument [arg]. This command is intended for correcting an activation code that is invalid or for reactivating an agent that was deleted by mistake. It will not change the activation code of an already successfully activated agent; to do so, you will need to delete the agent from the portal first and wait for it to disable itself, or uninstall it. Command example:
    lumu-server-support.exe --activation_code 5FDHjJWI
  • --proxy_list [arg]: Set the proxy configuration to the provided argument [arg]. The argument should be a colon-separated list of elements in the following format:
    http://[<username>:<password>@]<ip address>:<port>
    Command example:
    lumu-server-support.exe --proxy_list http://user1:123@10.5.8.5:8080
  • --check: Perform checks and print whether the agent is running.
  • -v or --version: Show the support application version.
  • --ask_credentials [arg]: Allow or suppress [true/false] the user popup asking for proxy credentials.
  • --ask_hostname [arg]: Enable or disable [true/false] the hostname finder subsystem.
  • --save_ip_filter_list [arg]: Set the IP list to be excluded from DNS traffic monitoring.
  • --show_ip_filter_list: Show the excluded IP list.
  • --clear_ip_filter_list: Clear the excluded IP list.

Lumu Agent for Windows Server Configuration

Creating Installation Groups

In order to deploy the Windows Server Collector Agent, we must create an installation group. This will allow you to easily deploy Agents remotely.

  1. On the side panel, go to Collectors, and then Agents.
  2. On the Groups panel, select Create Group.
  3. This will open a dialog box where you can input a desired Name, Label, and the number of Agents.
  4. Once the installation group is created, clicking on its name under the Installation Groups panel will reveal the Lumu Agent activation code for that group. This code will allow Agent activation.
  5. You can verify Agent activation under the Agents panel.

Deploying the Endpoint Agent

Once the installation group creation is completed, you can download the Agent Installer.

  1. Under the Endpoints section, click on the dropdown box and select Windows Server.
  2. The installer comes in two different versions: an online installer, which updates through an active Internet connection, and an offline installer, best suited for bulk operations. Choose the one that suits your needs.

Setting Up Windows Server Collector Agent

In order to streamline Lumu’s Continuous Compromise Assessment process, the Windows Server Agent can also be deployed as a Collector Agent within the domain controller machine.

Notes
To see the hostname from the connected devices, you must configure the PTR record in the server.

Creating Collectors

  1. On the Agents panel, go to the Collector tab.
  2. Select Add Collector.
  3. This will open a dialog box where you can input a desired Name, Label, and a collector Description.
  4. Once the collector is created, clicking on its name under the Server Collectors panel will reveal the Lumu Agent activation code for that collector. This code will allow Agent activation.

Deploying the Collector Agent

  1. Under the Collectors section, click on the Download Lumu Agent button.
  2. The installer comes in two different versions: an online installer, which updates through an active Internet connection, and an offline installer, best suited for bulk operations. Choose the one that suits your needs.

Setting up the DNS Collector Agent

Once the Collector Agent has been activated, it can be configured to group data to analyze under a set of rules you can specify.

  1. Select the Collector you want to configure. This will open the DNS Collector Agent Details panel.
  2. Under Data Grouping Rules, select Manage Rules.
  3. Here you can find the CIDR/IP and Label fields. Under CIDR/IP, enter the IP of the domain controller Windows Server machine. In the Label field, select the type of activity you want to analyze.
  4. Select Add Rule to finish the process.

Setup Grouping Rules

Grouping Rules are powerful tools to organize and streamline the traffic received by your collectors by making full use of Lumu’s Labels. Consult the relevant article on our technical documentation to learn more about Grouping Rules.

Online Installation

The Online Installer downloads the latest available files and settings required for set-up during installation. It is the most basic installation, used to install an agent on a single user device, in a non-domain environment.

  1. To download the agent file for online installation on Windows, go to the Lumu Portal, navigate to the Agents menu, then click to download the agent. Select the Windows Server option and then the Online Installer.

  2. Once downloaded, run the installation file, wait for the updated files to be downloaded, and when requested, accept the license agreement and enter the activation code from the group or collector you created previously.

  3. After installation, when you see the completion screen, click Finish.

Offline Installation

In the Lumu Portal, you can find the .msi and .exe offline installer files created by Lumu to install the agent without the need for an Internet connection. This procedure is conducted via the command prompt.

The offline installer brings all files required for installation; no additional files are downloaded. It includes two components that allow you to install the Lumu Agent or the Agent Updater independently.

The agent component is the Lumu sensor that collects the network metadata, which is presented to your company on the Lumu Portal. The updater is the component in charge of periodically checking the server for the latest version of the agent, downloading it, and installing it.

If you want a silent deployment of the Lumu Agent (.exe), that is, an installation process without any dialogs or user input, run the installer with the activation code of the group and accept the license agreement.

Headless Installation

This procedure hides the graphical user interface during the installation process. To do so, add the switches /SP- /VERYSILENT to the .exe installation command and /quiet to the .msi installation command, as shown in the command line examples below:

  • .exe installer:
lum_server_agent_offline.exe /SP- /VERYSILENT /activationcode="[ActivationCode]" /acceptlicense="true"
  • .msi installer:
"C:\Windows\System32\msiexec.exe" /i lum_server_agent_offline.msi /quiet WRAPPED_ARGUMENTS="/activationcode=""[ActivationCode]"" /acceptlicense=""true"""

The following parameters can be used during the installation procedure to configure the agent according to the needs of your organization. Each entry lists the parameter, whether it is mandatory, the version in which it was added, and its description.

activationcode (mandatory; added in version 1.0.0.0)
Activation code obtained from the Lumu Portal.

acceptlicense (mandatory; added in version 1.0.0.0)
<true/false> value. Must be set to 'true' to guarantee that the license has been accepted by the user.

COMPONENTS (optional; added in version 1.0.0.0)
The offline installer allows you to install specific components and manage updates manually. You can set it to 'agent' to install only the Lumu Agent or 'updater' to install the updater by itself. By default, the offline installer installs both components.

COMPONENTS examples:

  1. .exe:
lum_server_agent_offline.exe /SP- /VERYSILENT /activationcode="[ActivationCode]" /acceptlicense="true" /COMPONENTS="agent"
  2. .msi:
"C:\Windows\System32\msiexec.exe" /i lum_server_agent_offline.msi /quiet WRAPPED_ARGUMENTS="/activationcode=""[ActivationCode]"" /acceptlicense=""true"" /COMPONENTS=agent"

changeactivationcode (optional; added in version 1.0.0.0)
This parameter must be used to notify the agent that a new activation is required when the product has already been activated.

changeactivationcode examples:

  1. .exe:
lum_server_agent_offline.exe /SP- /VERYSILENT /activationcode="[ActivationCode]" /acceptlicense="true" /changeactivationcode
  2. .msi:
"C:\Windows\System32\msiexec.exe" /i lum_server_agent_offline.msi /quiet WRAPPED_ARGUMENTS="/activationcode=""[ActivationCode]"" /acceptlicense=""true"" /changeactivationcode"

askcredentials (optional; added in version 1.0.0.0)
This parameter can be used to allow or suppress the popup asking for proxy credentials.

askcredentials examples:

  1. .exe:
lum_server_agent_offline.exe /SP- /VERYSILENT /activationcode="[ActivationCode]" /acceptlicense=true /askcredentials=true
  2. .msi:
"C:\Windows\System32\msiexec.exe" /i lum_server_agent_offline.msi /quiet WRAPPED_ARGUMENTS="/activationcode=""[ActivationCode]"" /askcredentials=""false"" /acceptlicense=""true"""
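The headless .exe installation described above, wrapped in a deployment script as an added example (this is not Lumu's own code). It applies the article's requirement checks, passes the documented switches to the offline installer, and then runs the support tool; the installer path, the activation code, the default install path and the meaning of a zero installer exit code are assumptions supplied by the operator.

```powershell
# Added example (not Lumu's own script): headless .exe offline install with the switches
# documented in this article, preceded by the article's requirement checks and followed by
# a status check with lumu-server-support.exe. Assumptions: the installer path and activation
# code are supplied by the operator, the agent lives in the default install path quoted above,
# and a zero exit code from the installer means success.
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string]$InstallerPath,    # e.g. .\lum_server_agent_offline.exe
    [Parameter(Mandatory)] [string]$ActivationCode,   # from the group or collector in the Lumu Portal
    [ValidateSet('agent', 'updater')] [string]$Components,  # omit to install both components (default)
    [bool]$AskCredentials = $true                     # $false suppresses the proxy-credentials popup
)

$ErrorActionPreference = 'Stop'

# Requirements from this article: administrator permissions and Windows Server 2016 or later
# (ProductType 1 is a workstation SKU; build 10.0.14393 is Windows Server 2016).
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (administrator) PowerShell session.'
}
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ($os.ProductType -eq 1 -or [version]$os.Version -lt [version]'10.0.14393') {
    throw "Unsupported OS: $($os.Caption) ($($os.Version)). Windows Server 2016 or later is required."
}
if (-not (Test-Path -LiteralPath $InstallerPath)) { throw "Installer not found: $InstallerPath" }

# Build the documented switch list: /SP- /VERYSILENT hide the UI, activationcode and
# acceptlicense are mandatory, COMPONENTS and askcredentials are optional.
$installerArgs = @(
    '/SP-', '/VERYSILENT',
    "/activationcode=`"$ActivationCode`"",
    '/acceptlicense="true"',
    "/askcredentials=$($AskCredentials.ToString().ToLower())"
)
if ($Components) { $installerArgs += "/COMPONENTS=`"$Components`"" }

$proc = Start-Process -FilePath $InstallerPath -ArgumentList $installerArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "Installer exited with code $($proc.ExitCode)" }

# Confirm the agent is running using the support tool from the quick reference above.
$support = Join-Path ${env:ProgramFiles(x86)} 'Lumu\Agent\lumu-server-support.exe'
if (-not (Test-Path -LiteralPath $support)) { throw "Support tool not found at $support" }
& $support --check
& $support --show_status
```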

Repair, Update, or Reinstall Agent

The Lumu Agent installer for Windows Server brings the ability to repair, update, or reinstall the Windows agent.

Repair

To manually repair the Lumu Agent, run the installer that matches the version of the agent installed on the machine. The installer will show the following screen:

The repair feature returns the agent to its default installation state. It should be used in cases where any file or registry entry was erased, as the repair will restore the missing files. The repair process keeps the current agent configuration and activation code.

Update

To update a Lumu Agent, run an installer of a more recent version than the agent installed on the machine. A screen with the new update option will be displayed. This feature allows you to upgrade your agent manually to a newer version.

Notes
The update will also repair any missing files or registry entries on the user machine.


Reinstall

In both the repair and update processes, you also have the option to reinstall a Lumu Agent.

Notes
The reinstallation process will cause the current agent configuration and information to be deleted.

To reinstall an agent, you will need to enter the same or a different activation code.


Notes
When reinstalling a Windows Lumu Agent, you may encounter two registered agents (duplicated) with different last sync times in the Lumu Portal. Consult our FAQ for more details and help.

Uninstall Agent

In case you want to uninstall the Lumu Agent from a Windows device, go to Control Panel > Programs and Features, choose Lumu from the list, and select Uninstall.

You can also uninstall the agent using Command Prompt or Windows PowerShell with administrator privileges. To do so, go to the Lumu installation path (e.g. C:\Program Files (x86)\Lumu\Agent) and run the uninstaller file unins000.exe.

Set the Agent as a DNS Server Collector or Endpoint Agent

In order to maximize flexibility with the least possible downtime, the Windows Server Agent works under a hybrid paradigm that allows it to shift between the Endpoint Agent configuration (meaning it only handles its own traffic) and the Collector Agent configuration (meaning it handles both its own traffic and the traffic of all machines connected to the server domain).

  • While under the Endpoint configuration, click the Promote to Collector button on the Agents -> Endpoints panel in order to upgrade an Endpoint Windows Server agent to a Collector agent.


Notes
You should only promote an Endpoint Agent to a Collector Agent if the machine it’s installed on is configured as a DNS server as well.
  • If you want to switch a Collector agent back to an Endpoint agent, click the Downgrade button under the Collector's details panel. This will revert the Collector agent back to an Endpoint agent.

Notes Try to avoid switching back and forth too often, as this can introduce instability when connections are severed and re-established very frequently.