EUCweb / BIS-F

Base Image Script Framework (BIS-F)
https://eucweb.com
GNU General Public License v3.0

FireEye Enterprise Security as Antivirus #322

Open matthias-schlimm opened 2 years ago

matthias-schlimm commented 2 years ago

Installing Agents Using a Golden or Master Image

You can use a master or golden image to deploy the FireEye Endpoint Security software to multiple physical or virtual host endpoints in your enterprise. When you install the FireEye Endpoint Security software on an endpoint, the agent creates a private key, using information from the endpoint, to encrypt and decrypt all agent data. After installation, agent services will not start unless the private key is decrypted and matches the information on the endpoint where the agent was installed. A unique agent ID must also be created for each endpoint on which the golden or master image is deployed. Otherwise, all of the endpoints deployed using that image will provision with the Endpoint Security Server using the same agent ID, causing a cloned agent problem in your Endpoint Security environment.

Endpoint Security Agent Deployment Guide, Chapter 7: Installing the Agent Installation Package. © 2020 FireEye, Release 32.30.0.

IMPORTANT: For the Endpoint Security Server and Endpoint Security Agent software to communicate properly, each host endpoint must be assigned a unique agent ID. If the Endpoint Security Server reports the presence of cloned agents in your Endpoint Security environment, read "Resolving Cloned Agents" in the Endpoint Security Server User Guide.

This section describes how to use a golden or master image to install the Windows or Linux agent software to multiple physical or virtual host endpoints and ensure a private key and a unique agent ID are created for each agent.

NOTE: Windows agent support for master or golden images is provided in FireEye Endpoint Security Agent version 20 or later versions. Linux agent support for master or golden images is provided in FireEye Endpoint Security Agent version 25 or later.

Installing Windows Agents Using a Golden or Master Image

Follow the steps in this section on the Windows system that you are preparing to use as a golden image that can deploy the FireEye Endpoint Security Agent software to multiple physical or virtual host endpoints. These instructions are only required if you are using Sysprep, or something similar, for your golden image. If you are not using Sysprep, then you can just use INSTALLSERVICE=2 to install the agent.

To use a master or golden image to install the agent software on your Windows endpoint:

  1. Extract the msi file and agent_config.json file to a directory.
  2. Install the agent with the INSTALLSERVICE=2 option.

     ```bat
     msiexec /i INSTALLSERVICE=2
     ```

     By selecting option 2, you are installing the agent in service mode and preventing the agent from automatically starting the agent service after installation. If you do not use option 2, all of the endpoints deployed using the golden or master image will report to the Endpoint Security server using the same agent ID.
  3. In the directory where you extracted the msi file and the agent_config.json file, create a file called setupSchTasks.cmd and add the following text to that file:

     ```bat
     schtasks /create /ru SYSTEM /sc ONSTART /TN "FireEye\Configure xAgent" /tr "cmd.exe /c sc config xagt start= demand"
     schtasks /run /TN "FireEye\Configure xAgent"
     schtasks /delete /TN "FireEye\Configure xAgent" /f
     echo "Delete the agent cryptographic keys"
     rd /s /q C:\ProgramData\FireEye\xagt\xacs
     del C:\ProgramData\FireEye\xagt\main.db
     copy agent_config.json c:\ProgramData\FireEye\
     copy ProvisionxAgt.cmd C:\ProgramData\FireEye\
     schtasks /create /ru SYSTEM /sc ONSTART /TN "FireEye\Provision xAgent" /tr "c:\ProgramData\FireEye\ProvisionxAgt.cmd"
     ```
  4. In the same directory, create a file called ProvisionxAgt.cmd, add the following text to the file, and save it with ASCII encoding:

     ```bat
     @echo off
     IF ".%PROCESSOR_ARCHITECTURE%"==".AMD64" (
         "C:\Program Files (x86)\FireEye\xagt\xagt.exe" -i "C:\ProgramData\FireEye\agent_config.json"
     ) ELSE (
         "C:\Program Files\FireEye\xagt\xagt.exe" -i "C:\ProgramData\FireEye\agent_config.json"
     )
     REM sc.exe expects a space after "start="
     sc config xagt start= auto
     sc start xagt
     schtasks /delete /TN "FireEye\Provision xAgent" /f
     del "C:\ProgramData\FireEye\agent_config.json"
     del "C:\ProgramData\FireEye\ProvisionxAgt.cmd"
     ```
  5. At the command prompt, run the setupSchTasks.cmd file as an administrator. You can now use this system as a golden image. When the system boots for the first time, the scheduled task ProvisionxAgt.cmd runs. This task starts the provisioning process and will provision all systems deployed for the golden image. If you reboot your golden image to update it, then you must uninstall the agent and use the above steps to reinstall it.

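
A pre-capture check for the image state that steps 2 to 5 should leave behind, as an added example that is not part of the original comment or of FireEye's guide. The paths, service name and task name come from the two scripts above; the function name `Test-XagtGoldenImage`, its `-DataDir` parameter and the check labels are assumptions of this example, and `StartType` on `Get-Service` assumes PowerShell 5 or later.

```powershell
#Requires -RunAsAdministrator
# Added example: verify a golden image prepared with setupSchTasks.cmd before capture.
# Test-XagtGoldenImage and -DataDir are hypothetical names introduced for this example.
function Test-XagtGoldenImage {
    param([string]$DataDir = 'C:\ProgramData\FireEye')

    $svc  = Get-Service -Name xagt -ErrorAction SilentlyContinue
    $task = Get-ScheduledTask -TaskPath '\FireEye\' -TaskName 'Provision xAgent' `
                -ErrorAction SilentlyContinue

    $checks = [ordered]@{
        # setupSchTasks.cmd deletes the key store and main.db so that no key
        # material or agent state is baked into the image.
        'xacs key store removed'        = -not (Test-Path "$DataDir\xagt\xacs")
        'main.db removed'               = -not (Test-Path "$DataDir\xagt\main.db")
        # ProvisionxAgt.cmd deletes both staged files after the first boot,
        # so their absence means the image has already provisioned itself.
        'agent_config.json staged'      = Test-Path "$DataDir\agent_config.json"
        'ProvisionxAgt.cmd staged'      = Test-Path "$DataDir\ProvisionxAgt.cmd"
        # "sc config xagt start= demand" shows up as StartType Manual.
        'xagt service installed'        = $null -ne $svc
        'xagt start type is demand'     = $svc -and ($svc.StartType -eq 'Manual')
        'xagt service not running'      = $svc -and ($svc.Status -ne 'Running')
        # The ONSTART task must still exist and point at the staged script.
        'Provision xAgent task present' = $null -ne $task
        'task runs ProvisionxAgt.cmd'   = [bool]($task.Actions.Execute -like '*ProvisionxAgt.cmd*')
    }

    foreach ($entry in $checks.GetEnumerator()) {
        [pscustomobject]@{ Check = $entry.Key; Passed = [bool]$entry.Value }
    }
}

$report = @(Test-XagtGoldenImage)
$report | Format-Table -AutoSize

if ($report.Passed -contains $false) {
    Write-Warning 'Image is not in the expected pre-capture state; clones may share an agent ID.'
    exit 1
}
Write-Output 'Golden image checks passed.'
```

A failure on the staged files or the scheduled task usually means the image was booted after step 5, in which case the guide's instruction to uninstall and repeat the steps applies.
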
Richgang18 commented 2 years ago

For sale?