2. Before You Begin
2.1. Agent to ASGARD Communication
There are a few things to consider before you start with the installation. The communication between ASGARD and the ASGARD agent is unidirectional: the ASGARD agent polls ASGARD at a given interval and asks for tasks to execute. There is no active triggering from ASGARD to the ASGARD agent – we have designed it that way because we believe that opening a port on all connected endpoints should and can be avoided.
2.2. Performance Considerations
In environments with up to 500 endpoints, the default polling interval is 20 seconds. In larger environments the polling interval increases automatically, up to one minute for 2,000 endpoints and 10 minutes for 25,000 endpoints connected to a single ASGARD.
Obviously, large environments are not as responsive as small ones when it comes to opening remote shells or executing urgent response tasks: it may take up to 10 minutes for the shell to open or the result to show up. Once open, however, the shell or the response task is very responsive, almost as if it were native on the system.
In order to adapt to specific requirements regarding responsiveness, the polling behavior can be modified. For details, refer to Performance Tuning. The hardware requirements in the next chapter assume that the default polling interval is used.
2.3. Using a Proxy between ASGARD Agent and ASGARD
ASGARD supports using a standard HTTP proxy for the entire agent to ASGARD communication. In order to use a proxy, the ASGARD agent must be repacked after installation. For details, see Creating Custom Agent Installer.
2.4. Hardware Requirements
ASGARD's hardware requirements depend on the number of connected endpoints and also on the intended use. For example, you should consider using bigger hard disks if you are planning to use Bifrost or ASGARD's evidence collection feature extensively.
| Connected Endpoints | Minimum Hardware Requirements |
|---|---|
| up to 500 [1] | System memory: 4 GB, Hard disk: 500 GB, CPU Cores: 2 |
| up to 10,000 [1] | System memory: 8 GB, Hard disk: 1 TB, CPU Cores: 4 |
| up to 25,000 [1] | System memory: 16 GB, Hard disk: 1 TB SSD (min 100 MB/s), CPU Cores: 4 |
[1] THOR and AURORA count as individual endpoints in this calculation. AURORA is more demanding than THOR. This results in a maximum of 200/4,000/10,000 endpoints if THOR and AURORA are installed on each endpoint.
2.5. Agent Requirements
The ASGARD Agent, which is installed on endpoints, uses up to 10 MB of RAM. THOR uses up to 300 MB of RAM additionally while a scan is in progress.
The agent will use up to 50 MB of hard disk. Together with THOR and its temporary files it uses a maximum of 200 MB in total.
Please note that some response actions, such as collecting triage packs or collecting system RAM, require additional disk space.
There are no requirements pertaining to the CPU as scans can be scheduled in a way that THOR reduces its own process priority and limits its CPU usage to a configurable percentage.
Supported operating systems are the ones supported by THOR. Not supported are the operating systems with limited or special THOR support.
2.6. Network Requirements
ASGARD and the other systems that have to communicate with it need the following ports opened within the network. For a detailed and up-to-date list of our update and licensing servers, please visit https://www.nextron-systems.com/hosts/.
2.6.1. From ASGARD Agent to ASGARD Server
| Description | Ports |
|---|---|
| Agent / Server communication | 443/tcp |
| Syslog Forwarder (optional) | 514/tcp, 514/udp |
| ASGARD online check (optional) | ICMP |
The syslog port is optional, since your agents will work fine without it. Please see Syslog Forwarding for more information.
Hint
Your ASGARD Agents will check if they can reach your ASGARD via HTTPS. ICMP is not necessary, but helps during troubleshooting.
2.6.2. From Management Workstation to ASGARD Server
| Description | Ports |
|---|---|
| Administrative web interface | 8443/tcp |
| Command line administration | 22/tcp |
2.6.3. From ASGARD to SIEM
| Description | Ports |
|---|---|
| Syslog forwarder | 514/tcp, 514/udp |
2.6.4. From ASGARD to Analysis Cockpit
| Description | Ports |
|---|---|
| Asset synchronization, log and sample forwarding | 7443/tcp |
| Syslog forwarder (optional) | 514/tcp, 514/udp |
2.6.5. From ASGARD and Master ASGARD to the Internet
The ASGARD systems are configured to retrieve updates from the following remote systems via HTTPS on port 443/tcp:
| Product | Remote Systems |
|---|---|
| ASGARD packages | update3.nextron-systems.com |
| THOR updates | update1.nextron-systems.com |
| THOR updates | update2.nextron-systems.com |
All proxy systems should be configured to allow access to these hosts without TLS/SSL interception, because ASGARD authenticates to them with client-side SSL certificates and an intercepting proxy cannot present that certificate on ASGARD's behalf. A proxy server, username and password can be configured during the setup process of the ASGARD platform. Only BASIC authentication is supported (no NTLM authentication support).
2.6.6. From Master ASGARD to ASGARD
| Direction | Port |
|---|---|
| From MASTER ASGARD v2 to ASGARD v2 | 5443/tcp |
| From MASTER ASGARD v2 to ASGARD v1 | 9443/tcp |
You cannot manage ASGARD v2 systems from a MASTER ASGARD v1.
2.6.7. From Management Workstation to MASTER ASGARD
| Description | Port |
|---|---|
| Administrative web interface | 8443/tcp |
| Command line administration | 22/tcp |
2.6.8. Time Synchronization
ASGARD tries to reach the public Debian time servers by default.
| Server | Port |
|---|---|
| 0.debian.pool.ntp.org | 123/udp |
| 1.debian.pool.ntp.org | 123/udp |
| 2.debian.pool.ntp.org | 123/udp |
The NTP server configuration can be changed.
2.6.9. DNS
ASGARD needs to be able to resolve internal and external host names.
Warning
Please make sure that you install your ASGARD with a domain name (see Network Configuration). If you do not set the Domain Name and install the ASGARD package, your clients won't be able to connect to your ASGARD.
All components you install should have a proper domain name configured to avoid issues later during configuration.
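The following Python script is an added example (it is not part of the Nextron documentation) that turns the port matrix and DNS requirement of this chapter into a pre-installation check: every required host is resolved first, then a TCP connect to the listed port is attempted, so a missing DNS entry and a blocked firewall path are reported separately. The ASGARD host name asgard.example.internal is a placeholder for your own server; the update hosts are the ones listed in 2.6.5. NTP (123/udp) and ICMP are not covered, since a UDP or ICMP probe gives no connection-level answer.

```python
"""Pre-installation connectivity check for the ASGARD port matrix.

Added example, not part of the Nextron documentation. Run it from a
representative endpoint (agent -> ASGARD on 443/tcp) and from the
management workstation (8443/tcp, 22/tcp); run the update-host checks
from the ASGARD server itself.
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    description: str
    host: str
    port: int


# "asgard.example.internal" is a placeholder for your own ASGARD server;
# the update hosts are taken from section 2.6.5.
REQUIREMENTS = [
    Requirement("Agent / Server communication", "asgard.example.internal", 443),
    Requirement("Administrative web interface", "asgard.example.internal", 8443),
    Requirement("Command line administration", "asgard.example.internal", 22),
    Requirement("ASGARD packages", "update3.nextron-systems.com", 443),
    Requirement("THOR updates", "update1.nextron-systems.com", 443),
    Requirement("THOR updates", "update2.nextron-systems.com", 443),
]


def resolve(host):
    """Return the sorted list of IP addresses for host, or [] if DNS fails."""
    try:
        infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check(req, timeout=3.0):
    """Classify one requirement as 'ok', 'dns-failed' or 'blocked'.

    Returns (status, detail). DNS is checked before the connect so that a
    missing name (see the DNS warning above) is not reported as a firewall
    problem.
    """
    addrs = resolve(req.host)
    if not addrs:
        return "dns-failed", f"{req.host} does not resolve"
    where = f"{req.host}:{req.port}/tcp ({', '.join(addrs)})"
    if tcp_reachable(req.host, req.port, timeout):
        return "ok", f"{where} reachable"
    return "blocked", f"{where} not reachable"


def run_checks(requirements=REQUIREMENTS, timeout=3.0):
    """Run every check and return a list of (description, status, detail)."""
    return [(r.description, *check(r, timeout)) for r in requirements]


if __name__ == "__main__":
    for description, status, detail in run_checks():
        print(f"[{status:>10}] {description}: {detail}")
```

A "dns-failed" result points at the DNS requirement in 2.6.9 (or a missing hosts entry), a "blocked" result at a firewall or proxy between the two systems. Because the agent never accepts inbound connections, the agent-to-server line only needs to be tested in one direction.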
2.7. Antivirus or EDR Exclusions
We recommend excluding certain folders and binaries from Antivirus scanning.
The exclusions will not only prevent Antivirus engines from removing the agents and scanner executables but also increase scan speed, since their real-time engines won't check every file that the scanner has opened for analysis. This can improve the scan speed by up to 30% and also reduces the system's CPU load.
2.7.1. General Recommendation
We recommend using this list, including all sub folders:
| OS | Folder Exclusions including Subfolders |
|---|---|
| Windows | %SYSTEMROOT%\System32\asgard2-agent\ |
| Windows | %SYSTEMROOT%\Temp\asgard2-agent\ |
| Linux | /usr/sbin/asgard2-agent-service |
| Linux | /var/lib/asgard2-agent/ |
| Linux | /var/tmp/asgard2-agent/ |
| macOS | /var/lib/asgard2-agent/ |
| macOS | /var/tmp/asgard2-agent/ |
Note
If you have obfuscated the agent name, replace asgard2-agent with your custom agent name.
If you have to create a more specific list that can use wildcards, use the following list (and replace [random] with the wildcard). If you have the choice, the broader approach above should be preferred.
| OS | Specific File/Process Exclusions |
|---|---|
| Windows | %SYSTEMROOT%\System32\asgard2-agent\asgard2-agent.exe |
| | %SYSTEMROOT%\System32\asgard2-agent\asgard2-agent-service.exe |
| | %SYSTEMROOT%\System32\asgard2-agent\bin\thor.exe |
| | %SYSTEMROOT%\System32\asgard2-agent\bin\interrogate.exe |
| | %SYSTEMROOT%\System32\asgard2-agent\bin\console.exe |
| | %SYSTEMROOT%\System32\asgard2-agent\asgard2-agent_sc.exe |
| | %SYSTEMROOT%\System32\asgard2-agent\asgard2-agent_sc-service.exe |
| | %SYSTEMROOT%\System32\asgard2-agent\services\bin\logwatcher.exe |
| | %SYSTEMROOT%\Temp\asgard2-agent\ (and all sub folders) |
| Especially | %SYSTEMROOT%\Temp\asgard2-agent\[random]\thor\thor.exe |
| And/Or | %SYSTEMROOT%\Temp\asgard2-agent\[random]\thor\thor64.exe |
| | %SYSTEMROOT%\Temp\asgard2-agent-sc\ (and all sub folders) |
| Especially | %SYSTEMROOT%\Temp\asgard2-agent-sc\aurora\[random]\aurora\aurora-agent.exe |
| And/Or | %SYSTEMROOT%\Temp\asgard2-agent-sc\aurora\[random]\aurora\aurora-agent-64.exe |
| Linux | /usr/sbin/asgard2-agent-service |
| | /var/lib/asgard2-agent/asgard2-agent |
| | /var/lib/asgard2-agent/bin/console |
| | /var/lib/asgard2-agent/bin/interrogate |
| | /var/lib/asgard2-agent/bin/thor |
| | /var/lib/asgard2-agent/bin/update |
| | /var/tmp/asgard2-agent/[random]/thor/thor-linux |
| | /var/tmp/asgard2-agent/[random]/thor/thor-linux-64 |
| macOS | /var/lib/asgard2-agent/asgard2-agent-service |
| | /var/lib/asgard2-agent/asgard2-agent |
| | /var/lib/asgard2-agent/asgard2-agent/bin/console |
| | /var/lib/asgard2-agent/asgard2-agent/bin/interrogate |
| | /var/lib/asgard2-agent/asgard2-agent/bin/thor |
| | /var/lib/asgard2-agent/asgard2-agent/bin/update |
| | /var/tmp/asgard2-agent/[random]/thor/thor-macosx |
Using the more specific list, we've experienced problems with some AV solutions that even trigger on certain keywords in filenames. They don't kill the excluded executable but block write access to disk if certain keywords like bloodhound or mimikatz appear in filenames. In these cases, the executable exclusions are not enough and you should use the recommended list of two folders and all sub folders (see above).
2.7.2. McAfee EDR Exclusions
McAfee needs exclusions set in multiple locations. In addition to the general recommendation, customers with McAfee EDR need to set the following exclusions.
2.7.2.1. McAfee On-Access Scan
| Category | McAfee On-Access Scan Exclusions |
|---|---|
| Low Risk | thor.exe |
| | thor64.exe |
| | interrogate.exe |
| | generic.exe |
| | asgard2-agent.exe |
| | asgard2-agent-service.exe |
| | aurora-agent-64.exe |
| | aurora-agent.exe |
| Exclusions (include sub folders) | %SYSTEMROOT%\System32\asgard2-agent\ |
| | %SYSTEMROOT%\Temp\asgard2-agent\ |
| | %SYSTEMROOT%\Temp\asgard2-agent-sc\ |
| Access Protection | thor.exe |
| | thor64.exe |
| | interrogate.exe |
| | generic.exe |
| | aurora-agent.exe |
| | aurora-agent-64.exe |
| | asgard2-agent.exe |
| | asgard2-agent-service.exe |
| | asgard2-agent-windows-amd64.exe |
| | asgard2-agent-windows-386.exe |
| | C:\Windows\Temp\asgard2-agent\*\thor\* |
| | C:\Windows\Temp\asgard2-agent\*\thor\*\* |
| | C:\Windows\Temp\asgard2-agent\* |
| | C:\Windows\Temp\asgard2-agent-sc\aurora\*\aurora\* |
| | C:\Windows\Temp\asgard2-agent-sc\aurora\*\aurora\*\* |
| | C:\Windows\Temp\asgard2-agent-sc\aurora\* |
| | %SYSTEMROOT%\System32\asgard2-agent\bin\* |
| | %SYSTEMROOT%\System32\asgard2-agent\* |
2.7.2.2. McAfee EDR
| Category | McAfee EDR Exclusions |
|---|---|
| Network Flow | C:\Windows\System32\asgard2-agent\asgard2-agent.exe |
| | C:\Windows\System32\asgard2-agent\bin\generic.exe |
| | C:\Windows\System32\asgard2-agent\bin\interrogate.exe |
| | C:\Windows\System32\asgard2-agent\bin\thor.exe |
| Trace | C:\Windows\System32\asgard2-agent\asgard2-agent.exe |
| | C:\Windows\System32\asgard2-agent\bin\generic.exe |
| | C:\Windows\System32\asgard2-agent\bin\interrogate.exe |
| | C:\Windows\System32\asgard2-agent\bin\thor.exe |
| File Hashing | C:\Windows\System32\asgard2-agent\ |
| | C:\Windows\System32\asgard2-agent\*\ |
| | C:\Windows\Temp\asgard2-agent\ |
| | C:\Windows\Temp\asgard2-agent\*\ |
| | C:\Windows\Temp\asgard2-agent-sc\ |
| | C:\Windows\Temp\asgard2-agent-sc\*\ |
2.8. Verify the Downloaded ISO (Optional)
You can do a quick hash check to verify that the download was not corrupted. We recommend verifying the downloaded ISO's signature, as this is the cryptographically sound method: a hash shipped next to the ISO only detects transmission errors, whereas the signature also proves the ISO's origin.
The hash and signature file are both part of the ZIP archive you download from our portal server.
2.8.1. Via Hash
Extract the ZIP and check the SHA-256 hash.
Linux:
```console
user@host:~$ sha256sum -c nextron-universal-installer.iso.sha256
nextron-universal-installer.iso: OK
```
Windows command prompt:
```console
C:\Users\user\Desktop\asgard2-installer>type nextron-universal-installer.iso.sha256
efccb4df0a95aa8e562d42707cb5409b866bd5ae8071c4f05eec6a10778f354b nextron-universal-installer.iso
C:\Users\user\Desktop\asgard2-installer>certutil -hashfile nextron-universal-installer.iso SHA256
SHA256 hash of nextron-universal-installer.iso:
efccb4df0a95aa8e562d42707cb5409b866bd5ae8071c4f05eec6a10778f354b
CertUtil: -hashfile command completed successfully.
```
PowerShell:
```console
PS C:\Users\user\Desktop\asgard2-installer>type .\nextron-universal-installer.iso.sha256
efccb4df0a95aa8e562d42707cb5409b866bd5ae8071c4f05eec6a10778f354b nextron-universal-installer.iso
PS C:\Users\user\Desktop\asgard2-installer>Get-FileHash .\nextron-universal-installer.iso
Algorithm Hash Path
--------- ---- ----
SHA256 EFCCB4DF0A95AA8E562D42707CB5409B866BD5AE8071C4F05EEC6A10778F354B C:\Users\user\Desktop\asgard2-installer\nextron-universal-installer.iso
```
2.8.2. Via Signature (Recommended)
Extract the ZIP, download the public key (codesign.pem) and verify the signed ISO:
Linux:
```console
user@host:~$ wget https://www.nextron-systems.com/certs/codesign.pem
user@host:~$ openssl dgst -sha256 -verify codesign.pem -signature nextron-universal-installer.iso.sig nextron-universal-installer.iso
Verified OK
```
PowerShell:
```console
PS C:\Users\user\Desktop\asgard2-installer>Invoke-WebRequest -Uri https://www.nextron-systems.com/certs/codesign.pem -OutFile codesign.pem
PS C:\Users\user\Desktop\asgard2-installer>"C:\Program Files\OpenSSL-Win64\bin\openssl.exe" dgst -sha256 -verify codesign.pem -signature nextron-universal-installer.iso.sig nextron-universal-installer.iso
Verified OK
```
Note
If openssl is not present on your system you can easily install it using winget: winget install openssl.
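The hash and signature checks of sections 2.8.1 and 2.8.2, written out in Python as an added example that is not part of the Nextron documentation. verify_hash reproduces the comparison that sha256sum -c performs against the .sha256 file from the ZIP (it also accepts the uppercase hex that Get-FileHash prints) and hashes the ISO in chunks so a multi-gigabyte image never has to fit in memory; verify_signature wraps the documented openssl dgst -sha256 -verify call and only reports success on the literal "Verified OK". The file names are the ones from this chapter; the openssl path is an assumption you may need to adjust on Windows.

```python
"""Verify a downloaded ISO against its .sha256 file and its detached
OpenSSL signature.

Added example, not part of the Nextron documentation.
"""
import hashlib
import hmac
import shutil
import subprocess
from pathlib import Path


def parse_sha256_file(text):
    """Parse the lines of a .sha256 file into {filename: lowercase hex digest}.

    Accepts the sha256sum format ("<hex>  <name>", or "<hex> *<name>" for
    binary mode). The digest is normalised to lowercase so a value pasted
    from Get-FileHash (uppercase) compares correctly.
    """
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        if len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"malformed digest line: {line!r}")
        expected[name] = digest.lower()
    return expected


def sha256_of(path, chunk_size=1 << 20):
    """Stream the file in 1 MiB chunks; the ISO need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_hash(iso_path, sha256_path):
    """True when the ISO's SHA-256 matches its entry in the .sha256 file.

    Raises KeyError if the .sha256 file does not list this file name, which
    usually means the wrong pair of files was downloaded. The comparison is
    constant-time, which costs nothing here and avoids a bad habit.
    """
    iso_path = Path(iso_path)
    expected = parse_sha256_file(Path(sha256_path).read_text())[iso_path.name]
    actual = sha256_of(iso_path)
    return hmac.compare_digest(actual, expected)


def verify_signature(iso_path, sig_path, pem_path, openssl="openssl"):
    """Run the documented openssl verification; True only on 'Verified OK'.

    Requires an openssl binary. On Windows pass the full path, e.g.
    r"C:\\Program Files\\OpenSSL-Win64\\bin\\openssl.exe" (assumed location).
    """
    if shutil.which(openssl) is None:
        raise FileNotFoundError(f"{openssl} not found; install OpenSSL first")
    proc = subprocess.run(
        [openssl, "dgst", "-sha256", "-verify", str(pem_path),
         "-signature", str(sig_path), str(iso_path)],
        capture_output=True, text=True,
    )
    return proc.returncode == 0 and "Verified OK" in proc.stdout


if __name__ == "__main__":
    # File names as shipped in the installer ZIP (see above).
    iso = "nextron-universal-installer.iso"
    print("hash:", "OK" if verify_hash(iso, iso + ".sha256") else "FAILED")
    print("signature:", "Verified OK" if verify_signature(iso, iso + ".sig", "codesign.pem") else "FAILED")
```

Treat a hash mismatch as a reason to re-download, and a signature failure as a reason to stop: the .sha256 file travels with the ISO and protects only against corruption, while codesign.pem is fetched separately from the vendor and ties the ISO to its publisher.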