DeepSurface RiskAnalyzer scans consist of running a series of simple data-gathering steps that collect essential information about the security architecture of each device. Whether you are using a user-managed scan, an agent, or a credentialed scan, the data collection steps are roughly the same.
In general, the host OS scanning sequence consists of the following steps:
A temporary directory is created. This directory's permissions are restricted to only administrators or root/Local System users.
A series of scanning steps are executed. In some cases, scripts and supporting files are copied to the temporary directory. The output, error messages, and status codes returned by each script are written to the same temporary directory. The size of these files totals in the tens of kilobytes and should never be greater than one megabyte.
The scan output, error messages, and status codes are sent back to the DeepSurface console.
The temporary directory and all files within are deleted.
At the beginning of each scan, previous temporary directories are cleaned up to ensure that no stale files remain if an earlier scan failed partway through (which can happen due to a badly timed reboot, loss of network connectivity, or other technical reasons). When using the DeepSurface Agent, approximately 30MB of disk space is required on Windows and roughly half of that on Linux and MacOS. When using user-managed scans, no software is installed on each device, but a cache directory is used to keep the latest binaries so that subsequent scans do not need to download them every time. This cache directory can be deleted at any time.
The scripts/scanning steps executed gather information in the following categories:
Consider adding DeepSurface scans to "allow lists" of your endpoint protection products. While many components of DeepSurface agents, user-managed scans, and credentialed scans are digitally signed by a globally trusted CA, many endpoint protection products disregard this and reject any software they have not observed previously. If your endpoint protection product blocks the scans performed by DeepSurface, please add a file/directory based exception to allow the scan to continue. (More information on directories used by scans is included in the operating system implementation details sections below.) Please also notify your endpoint protection vendor that they should work with DeepSurface to avoid blocking legitimate scans in the future. DeepSurface already participates in "goodware" submission processes with endpoint protection vendors and would be happy to add more vendors to our submission build process.
When scanning your environment for the first time, it is recommended that any Windows domains are scanned before scanning individual host operating systems, since this allows associations to be made between domain users and each host. If some hosts were scanned prior to your domains, a simple re-scan of domain member hosts will suffice to ensure these associations are made.
Windows operating systems can be scanned via user-managed scans (by running a PowerShell script), by installing a DeepSurface agent, or by using credentialed scans (leveraging SMB, SMB/WMI, or WinRM).
Many scanning steps require Local System access, which is why the scan is typically launched through a temporary scheduled task or temporary service (a common way for administrators to run scripts as Local System).
The temporary directory paths used on Windows are of the form %SystemRoot%\TEMP\DeepSurface_{random_string}, where {random_string} is a short, randomly-selected value.
In the case of the SMB and SMB/WMI scanning methods, data transfers are performed (by default) using the ADMIN$ shared folder. This mimics the behavior of the classic psexec tool from SysInternals. If this share is not available, a new temporary share named deepsurface_tmp$ may be created; it is deleted after scanning is finished (this behavior mimics the approach used by popular vulnerability scanners in this situation). Note that in all cases, filesystem permissions are set before files are written to protect the contents of files during scans.
Linux and UNIX operating systems can be scanned using credentials via SSH, by installing an agent, or through user-managed scans that use a shell script.
Linux and UNIX scans use a series of POSIX-compliant shell scripts. Some scripts may be implemented in version-agnostic Python. Some scripts require root privileges to execute, in which case the sudo command may be used to elevate privileges for those specific scripts (as configured by the DeepSurface administrator).
When using the user-managed or agent scanning methods, the software stores configuration, binaries, temporary files, and cache artifacts under /opt/deepsurface/agent.
When scans are run via the credentialed (SSH) scanning method, the temporary directory paths used in Linux/UNIX scans are of the form /tmp/DeepSurface_{random_string}, where {random_string} is a short, randomly-selected value.
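As an added example (not DeepSurface's own code), the shell functions below reproduce the scan sequence from the overview above for the Linux/UNIX credentialed (SSH) case: stale DeepSurface_* directories are removed first, a fresh /tmp/DeepSurface_{random_string} directory is created and restricted to its owner before anything is written into it, each step's stdout, stderr and exit status are stored there, root-only steps are elevated individually with sudo, the total output size is checked against the one-megabyte bound, results are summarized, and the directory is deleted even on interruption. The step-list format (name, user|root, command), the permission check via stat, and the sample steps at the end are assumptions made for this example.

```shell
#!/bin/sh
# Illustrative re-implementation of the documented scan temp-directory lifecycle.
# Assumptions (not from the product): step lines are "name user|root command...",
# results are reported as "name exit_status stdout_bytes", limit is 1 MiB.
set -u

SCAN_TMP_PARENT="${SCAN_TMP_PARENT:-/tmp}"
SCAN_PREFIX="DeepSurface_"
MAX_OUTPUT_BYTES=1048576   # documented bound: output should never exceed 1 MB

# Step 0: remove directories left behind by scans that died partway through.
# Caveat: like the documented behaviour, this removes every matching directory.
cleanup_stale() {
    for d in "$SCAN_TMP_PARENT/$SCAN_PREFIX"*; do
        [ -d "$d" ] || continue
        rm -rf "$d"
    done
}

# Step 1: create /tmp/DeepSurface_<random> and lock it to the owner (0700)
# before any script or output file is placed in it.
create_scan_dir() {
    dir=$(mktemp -d "$SCAN_TMP_PARENT/${SCAN_PREFIX}XXXXXXXX") || return 1
    chmod 700 "$dir" || return 1
    printf '%s\n' "$dir"
}

# Sanity check: refuse to proceed unless the mode really is owner-only.
# GNU stat first, BSD/macOS stat as fallback.
check_scan_dir() {
    dir=$1
    mode=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir")
    [ "$mode" = "700" ]
}

# Step 2: run one step; stdout, stderr and exit status go to the scan directory.
# Steps marked "root" are elevated individually (non-interactive sudo), mirroring
# the per-script sudo configuration described above.
run_step() {
    dir=$1; name=$2; priv=$3; shift 3
    if [ "$priv" = "root" ] && [ "$(id -u)" -ne 0 ]; then
        set -- sudo -n "$@"
    fi
    if "$@" >"$dir/$name.out" 2>"$dir/$name.err" </dev/null; then rc=0; else rc=$?; fi
    printf '%s\n' "$rc" >"$dir/$name.status"
}

# Total bytes of everything written into the scan directory.
output_bytes() {
    total=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        n=$(wc -c <"$f" | tr -d ' ')
        total=$((total + n))
    done
    printf '%s\n' "$total"
}

# Whole sequence: reads step lines on stdin, prints "name status bytes" per step,
# returns 2 if the output total exceeded the bound, 0 otherwise. The directory is
# deleted in every case (step 4), including when the shell is interrupted.
run_scan() {
    cleanup_stale
    dir=$(create_scan_dir) || return 1
    check_scan_dir "$dir" || { rm -rf "$dir"; return 1; }
    trap 'rm -rf "$dir"' EXIT INT TERM
    while read -r name priv cmd; do
        [ -n "$name" ] || continue
        run_step "$dir" "$name" "$priv" sh -c "$cmd"
    done
    total=$(output_bytes "$dir")
    rc=0
    [ "$total" -le "$MAX_OUTPUT_BYTES" ] || rc=2
    for s in "$dir"/*.status; do          # step 3: report what would be sent to the console
        [ -f "$s" ] || continue
        name=${s##*/}; name=${name%.status}
        printf '%s %s %s\n' "$name" "$(cat "$s")" "$(wc -c <"$dir/$name.out" | tr -d ' ')"
    done
    rm -rf "$dir"
    trap - EXIT INT TERM
    return $rc
}

# Constructed demo step list; a real scan runs the product's own scripts here.
printf '%s\n' 'hostname user uname -n' 'kernel user uname -r' | run_scan
```

A failing step is recorded (non-zero status, captured stderr) rather than aborting the scan, and the directory is removed whether or not the size check passes, which is the property a practitioner most wants to confirm when allow-listing these paths in endpoint protection.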
MacOS operating systems can be scanned via SSH, DeepSurface agent, or via user-managed scans using a provided shell script.
Most scanning steps executed on MacOS platforms are implemented in POSIX-compliant shell scripts. Some scripts may be implemented in version-agnostic Python, zsh, or Perl. Some scripts require root privileges to execute, in which case the sudo command may be used to elevate privileges for those specific scripts (as configured by the DeepSurface administrator).
When using the user-managed or agent scanning methods, the software stores binaries, temporary files, and cache artifacts under /Library/Deepsurface/DSAgent. Configuration settings are stored under /Library/Application Support/DeepSurface and logs are stored under /Library/Logs/DSAgent.
When scans are run via the credentialed (SSH) scanning method, the temporary directory paths used in MacOS scans are of the form /tmp/DeepSurface_{random_string}, where {random_string} is a short, randomly-selected value.