Eclypsium Frequently Asked Questions

Eclypsium Frequently Asked Questions

General

  1. How is Eclypsium structured?
The Eclypsium solution features a centralized Administration and Analytics Service that communicates with multiple Scanners deployed on monitored systems.
  1. Analytics Service:
This component can be hosted on a public or private cloud instance or installed on a physical system on-premises.
  1. Scanners:
These are deployed directly on the systems being monitored. They collect data from these systems and transmit it to the Analytics Service.
The results of the Analytics Service can be managed via a web interface or REST API.

Device Scanner

1. Which operating systems are supported by the Scanner?
The Scanner supports 64-bit versions of Microsoft Windows, Linux, and macOS.

2. How is the Scanner distributed and deployed on monitored hosts?
The Scanner is provided as installer packages tailored to each operating system.
  1. For Microsoft Windows, it is available as EXE and MSI installers.
  2. Deployment can be managed using commonly used endpoint management systems such as Microsoft SCCM, IBM BigFix, or Tanium.
For detailed installation instructions, refer to the relevant sections: Installing on Windows, Installing on Linux, or Installing on macOS.

3. How is the Scanner installed?
The Scanner can be deployed in one of two modes:
  1. Persistent Deployment Mode:
The Scanner is permanently installed on the system for continuous monitoring.
  1. Ephemeral Deployment Mode (Scanner Mode):
The Scanner runs temporarily as a standalone application.
On Windows, the Scanner can be launched directly using PowerShell or the Command Prompt after deployment.

4. What components are installed on each system?
The Scanner includes:
  1. An Application - handles communication with the Analytics Service.
  2. A Kernel Driver - collects detailed information about the system’s hardware and firmware.
  3. A System Service - manages and performs continuous monitoring of the system.
5. What data does the Scanner collect?
The Scanner gathers a comprehensive set of data from monitored systems, including:
  1. Basic information identifying the system (e.g., IP address, MAC address, host name) and Operating System (e.g., vendor, version).
  2. Detailed information about the hardware and firmware (processor, chipset, devices, firmware vendor, release dates, system and device manufacturers and models, etc.).
  3. Certain hardware configuration (CPU, chipset and I/O registers) required to assess vulnerabilities and abnormalities, which may indicate firmware or hardware implants.
  4. Firmware components (UEFI firmware, BIOS, Intel ME/AMT firmware, BMC firmware, and other types of firmware).
  5. Bootloaders, including Master Boot Record, EFI GUID Partition Table (GPT), and bootloaders stored on EFI System Partition (ESP). 
  6. PCI/PCIe device Option (Expansion) ROM firmware. 
  7. Configuration and structures related to firmware components (ACPI tables, UEFI configuration and runtime tables, UEFI variables, SMBIOS tables, etc.). 
  8. Trusted Platform Module (TPM) state, including values stored in Platform Configuration Registers (PCR).
6. How are requests sent to the Scanner?
The Eclypsium Analytics Service schedules requests using a REST API.
  1. For systems with persistent deployment, the Scanner periodically checks (every 30 minutes by default) for any scheduled requests.
  2. In ephemeral deployments, the Scanner can check for requests using the -ht option.
7. Does the Scanner software impact system performance or consume significant resources?
The Scanner software is designed to have a minimal impact on system performance:
  1. General Operation:
    1. The Scanner collects data about firmware and hardware and monitors certain runtime hardware configurations and behaviors.
    2. These operations are not resource-intensive compared to typical security agent software.
  2. Occasional Resource Use:
    1. At infrequent intervals (e.g., once or twice a month), the Scanner may extract firmware binaries or blobs from devices using hardware interfaces.
    2. During this process, the Scanner may temporarily consume higher CPU and I/O resources than usual. However, this impact is still relatively minimal and does not significantly affect overall system performance.
8. Why am I seeing errors like dpkg: warning: version XXXX has bad syntax: invalid character in revision number when installing the Eclypsium Driver RPM package?
This issue occurs due to a DKMS bug that is triggered when /usr/sbin/dpkg is present on systems running an RPM-based distribution, such as CentOS. The bug was reported on here.
  1. The warning itself is harmless and can be safely ignored.
  2. Alternatively, you can remove the dpkg package from your system to prevent the bug from being triggered.
9. Why am I seeing the error Module build for kernel XXXX was skipped since the kernel headers for this kernel do not seem to be installed when installing the Eclypsium driver package?
This error occurs because the driver package uses DKMS to automate driver builds, which require the presence of matching kernel headers for the target kernel.

Cause:
  1. The Linux driver build process depends on kernel headers corresponding to the currently running kernel.
  2. In some cases, the system’s kernel headers package may be updated to a newer version than the kernel currently running on the system.
  3. When the kernel headers do not match the running kernel, DKMS cannot build the driver.
Solution:
  1. Update the kernel, to the latest version, ensuring it matches the installed kernel headers.
  2. Restart the system and run it with the new kernel.
Once the running kernel and kernel headers align, the driver build should proceed successfully.

10. What TLS CA certificate bundle does the Scanner use to verify the Analytics Service’s certificate?
  1. On Linux:
The Scanner installer first looks for certificate bundles in standard locations (e.g., /etc/ssl/certs/ca-certificates.crt). If no certificate bundle is found, it will fall back to using the Mozilla CA certificate store, which is downloaded from https://curl.haxx.se/docs/caextract.html. This bundle is included with the Scanner and used by default if no other certificates are available.
  1. On macOS:
The Scanner always uses the Mozilla CA certificate store bundled with the Scanner.
  1. On Windows:
The Scanner relies on WinSSL and uses the system’s certificate store.

    • Related Articles

    • Solution Overview

      As defenders focus on traditional software threats, adversaries have shifted to targeting firmware in servers, laptops, and networking equipment—areas where security teams lack visibility and control. By exploiting vulnerabilities, compromising the ...

    • Uninstalling a Sepio Agent

      Windows Go to Windows Control Panel ->Programs and Features ->Uninstall a program ->SepioAgent->Uninstall Navigation paths vary depending on your Windows version. Linux Run the LinuxUninstall[Deb/RH].sh script in the SepioFiles/Logs directory ...

    • Installing a Sepio Agent

      This article explains how to install and uninstall a Sepio Agent on a Host. The Sepio Agent is a security tool that provides in-depth visibility and enforces policies on assets built into and connected to the Host. The Platform Management system ...

    • Platform Requirements

      The preferred deployment mode for the Sepio Platform is SaaS. Customers that are required by internal regulations or compliance mandates to run from their own premises (on-premises) can install and manage Sepio. Please contact ...

    • Download and Installation

      This article outlines the process for downloading and installing the Endpoint Sensor (EES) packages across various operating systems, including Windows, Linux, and macOS. It provides step-by-step instructions for acquiring the necessary files, ...