Computer Protection integration with RMM software
We have received a number of queries asking about RMM (Remote Management and Monitoring) support with Computer Protection endpoints.
This community post:
- Introduces RMM with Solarwinds and RMM with Kaseya to support new people in getting started with it
- Invites partner and user feedback on improving our RMM support
The Foundation for RMM Support
The F-Secure Computer Protection endpoint includes WMI (Windows Management Interface) functionality that exposes a selected set of information in a commonly used format. As a supported interface, it comes with a promise from us to keep this interface consistent even when we change the internals of the applications.
WMI is the core of RMM Support as the interface that provides the necessary information. For RMM support to work, WMI must be turned on. Out of the box, WMI is turned off and administrators need to assign a profile with WMI on for RMM purposes.
Where we have built the Protection Service for Businesses Portal as optimized for our fleet of security products, RMM solutions offer a more generalized way of remotely managing and monitoring software in large organizations, on top of the details the F-Secure PSB Portal provides. It enables seeing many kinds of software in a concise view, with a selected subset of information and functionalities.
Support for Solarwinds MSP RMM
Applies to:
- F-Secure Computer Protection 19.4+
- F-Secure Server Protection 19.4+
- F-Secure Client Security 14.00+
- F-Secure Server Security 14.00+
Scenario 1: Installation of Computer Protection
The Solarwinds portal includes a "Push 3rd party software" node. Installing with the installer's command-line option for silent install, with the licence voucher included in the installer name, allows for distributing Computer Protection.
Scenario 2: Monitoring Windows Devices with Computer Protection
There are six stock monitoring services related to F-Secure that are available in the Solarwinds MSP portal and also described in their documentation:
https://secure.n-able.com/webhelp/NC_11-0-0_en/Content/Help_20/Services/FSecure/Services_FSecureProtection.htm
They display the information extracted from the WMI interface. All this information can be added to dashboards. Ensure WMI is first enabled in PSB Portal.
Scenario 3: Running tasks with Computer Protection
The Solarwinds portal allows for running tasks exposed through WMI or AMP (PowerShell). Our WMI exposes only one method, Scan Computer.
Users of Solarwinds are also free to implement PowerShell scripts for specific task running and information collection needs. Our solution does not include any of those.
Scenario 4: Alerts
The "thresholds" for monitored parameters can be configured by standard means of the Solarwinds portal. For example, if the "Real Time Scanning" parameter does not contain the "Turned_On" string, a warning is issued, as seen in the screenshot above.
The administrator will then see it on the Active Issues node of the portal.
Scenario 5: Reports
Simple reports are possible based on monitored metrics.
Support for Kaseya RMM
Applies to:
- F-Secure Computer Protection 19.4+
- F-Secure Server Protection 19.4+
- F-Secure Client Security 14.10+
- F-Secure Server Security 14.00+
Scenario 1: Installation of Computer Protection
You can add either a network installer or an offline MSI package to Kaseya's Software Catalog.
To detect a deployed instance of the software, you can specify the following registry key as a scan item:
(for 32-bit Windows) HKEY_LOCAL_MACHINE\SOFTWARE\F-Secure\OneClient
(for 64-bit Windows) HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\F-Secure\OneClient
Scenario 2: Monitoring with Monitor Sets
Kaseya allows you to create Monitor Sets for monitoring Windows services and processes.
You can add the following F-Secure Computer Protection services to your Monitor Sets:
- fshoster
- fsnethoster
- fsulhoster
- fsulorsp
- fsulnethoster
- fsulprothoster
Scenario 3: Scheduling agent procedures
F-Secure Computer Protection includes the WMI Provider component to enable an integration with various RMM systems.
The documentation on the exposed WMI classes together with some use case examples can be found here.
Alternatively, you can download and import the pre-created set of the agent procedures here.
In case of any failures detected by the agent procedures, the alerts are issued:
The description of each agent procedure can be found here.
Inviting Your Feedback
We recognize our RMM support is founded on information we have decided to reveal on the WMI and would welcome your feedback on our choices of what we make available. Are you missing something we don't make available? Are you using something you self-created that other administrators would benefit from if we improved the product?
Our idea queue holds these items that we could take forward based on feedback:
- On-access scanning results are not shown through WMI. We have one manual scanning action available with WMI and show only the results of that specific scan through WMI. Perhaps having a fuller status is more needed than we have given it credit for?
- We have only one action available with WMI: running a malware scan. Would other actions be needed? We have thought about WMI primarily as an interface for *monitoring* purposes. Is that a fair assumption with respect to what you need?
- We focus on reporting status when the product is running and are more unclear on how things are shown through WMI when an installation of the product is broken. Has this turned out to be something you look for when managing the product with WMI or through an RMM solution?
We know we don't know all of it, and we know we also forget to mention some of the things you have shared with us in our summaries. Take this as an opportunity to specifically provide us feedback on a focus area we want to understand: the RMM support.
On behalf of the R&D team responsible for Computer Protection endpoint development,
Maaret
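An added example (not part of the original post and not F-Secure's own agent procedure): a PowerShell check an RMM agent could run, built only from the registry keys and service names listed under the Kaseya scenarios above. It assumes every listed service should be present and running on a healthy endpoint; the function and property names are hypothetical.

```powershell
# Added example: local health check using the registry keys and service names
# from the post. Get-ComputerProtectionHealth and its output properties are
# hypothetical names, not part of the product.

$RegistryPaths = @(
    'HKLM:\SOFTWARE\F-Secure\OneClient',              # 32-bit Windows
    'HKLM:\SOFTWARE\WOW6432Node\F-Secure\OneClient'   # 64-bit Windows
)
$ServiceNames = @(
    'fshoster', 'fsnethoster', 'fsulhoster',
    'fsulorsp', 'fsulnethoster', 'fsulprothoster'
)

function Get-ComputerProtectionHealth {
    # Installed if either of the two documented keys exists.
    $installed = [bool]($RegistryPaths | Where-Object { Test-Path -Path $_ })

    # Assumption: a service that is missing counts as a failure, same as stopped.
    $services = foreach ($name in $ServiceNames) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name   = $name
            Status = if ($svc) { [string]$svc.Status } else { 'NotFound' }
        }
    }
    $notRunning = @($services | Where-Object { $_.Status -ne 'Running' })

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Installed    = $installed
        Services     = $services
        NotRunning   = $notRunning.Name
        Healthy      = $installed -and ($notRunning.Count -eq 0)
    }
}

$result = Get-ComputerProtectionHealth
$result | Select-Object ComputerName, Installed, Healthy,
    @{ n = 'NotRunning'; e = { $_.NotRunning -join ',' } }
$result.Services | Format-Table -AutoSize

# A non-zero exit code lets the RMM agent flag the endpoint.
if (-not $result.Healthy) { exit 1 }
```

Because it reads the registry and the service control manager directly, this check does not depend on the WMI setting in the assigned profile.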
Comments
-
I would like to build an agent to use in a few monitoring environments. The ones I would like to support are Graylog, Datadog, and ADT IQ. I believe the most compatible method would be through syslog.
Ideally this would support Windows, Mac and Linux
0 -
Hi, Petes
Do you mean you would like our Windows end-point client to write some monitoring events to Windows Event Log?
Best regards,
Vladimir