Perform the following to build the MSI.

Download, install and configure the latest Snare Agent on the machine you are building the MSI on.
Download the latest version of Snare for Windows Custom MSI from the SLDM portal. The file is called MSI3.1.0.zip (where 3.1.0 is the version, and may vary)
Ensure all requirements and pre-requisites have been met (Requirements - Snare MSI Documentation v3 - Confluence)
Unzip MSI3.1.0.zip onto your local computer. This will extract the file MSIBuilder.exe.
MSI may be created from any directory on your local computer, for example C:\msi. In this msi folder add the following:
- MSIBuilder.exe
- a copy of the Snare .exe installer (e.g. Snare-Windows-Agent-v5.7.1-x64.exe)
- the license file (optional)
- template.inf (optional .inf file created from an existing agent and used with option 'Use configuration from an existing file')
- Sysmon executable, i.e. Sysmon64.exe (optional, if user wishes to deploy Sysmon side-by-side with Snare Agent. Note: Sysmon is a 3rd party tool, not maintained or distributed by Intersect Alliance.
- Sysmon configuration file (optional, if custom configuration of Sysmon is required)
  
  Starting from Snare for Windows Custom MSI version 3.1.0, it is possible to include Microsoft Sysmon in the same MSI package with Snare Agent for easy deployment via Group Policy.
  Sysmon is a 3rd party tool for System Monitoring that is not distributed or maintained by Intersect Alliance or Snare Development Team.
  Customer will need to download Sysmon themselves, and optionally configure it as per their needs, prior to packaging it in MSI with Snare Agents.
To execute the creation of an MSI file, open a command prompt as Administrator from the \msi directory and type:
> MSIBuilder.exe
A check for the WIX installation is performed, followed by the prompts:
- Select Product - agents that are currently installed are displayed. Select the number for the corresponding product. Click Enter.
- Select Agent configuration method - Select from:
  - 1) Use configuration of local agent By default, the build process will export and use the settings of the locally installed agent.
  - 2) Use configuration from an existing file template.inf should already be in current directory.
- Upgrade or Reinstall the target machine's agent - Select from:
  - 1) Upgrade This produces an MSI that upgrades an existing agent, and leaves existing settings/objectives unchanged. If no existing installation is detected, the installer will abort with error.
  - 2) Reinstall This produces an MSI that either installs a new agent or overwrites an existing agent installation, and resets settings/objectives to settings selected in the previous step.
- Select installer exe to be added to the MSI - Any supported Snare executable files found in the \msi directory will be listed. If only one file is found in the Snare installation folder then that file will be listed. Select the number for the corresponding product.
- Select License file option - Select from:
  - 1) Use a license file If selected will display a list of available licenses found in the MSI directory.
  - 2) Do not use a license file Will ignore the listing of licenses.

The options below, related to Sysmon are only available in MSIBuilder version 3.1.0 or newer.

- Include Microsoft Sysmon in this MSI - Select from:
  - 1) Yes, I agree to Sysinternals Software License Terms as outlined in the Eula.txt file downloaded with the Sysmon package from a trusted source. By selecting this option you acknowledge that you have read, understood and agree to be bound by the terms and conditions of EULA as published by Microsoft with Sysmon tool. If you do not accept this EULA, please select No.
  - 2) No, I do not wish to install Sysmon, or I do not accept Sysmon EULA
    
    If option 2, "No...", is selected, the next three steps related to Sysmon will be skipped.
- Select Sysmon file to be added to the MSI - this option is displayed only if option 1 was selected above, and allows to select Sysmon executable file to be included.
- Would you like to set Sysmon configuration (Y/N) - this option is displayed only if a Sysmon executable was selected in the previous step. Enter Y for YES if you wish to use custom Sysmon configuration XML file, otherwise enter N.
- Input the Sysmon configuration file - this option is displayed only if Y was selected in the previous step. Enter the name of the Sysmon configuration file located in \wix directory. For example SysmonConfig.xml
- Summary of Selected options - A summary of options selected is displayed, followed by the building of the MSI.
  
  Note
  
  The yellow font in the console output is from other triggered programs, such as the Snarecore service, WIX or Candle.

7. On completion the MSI file is created. Press Enter to exit.

8. The log file is written into the \msi directory and is called MSIBuilder.log

9. The customized MSI is available in the \msi directory, for example C:\msi\ SNARE ENTERPRISE AGENT v5.1.0[reinstall].msi

If the version of the Snare.msi detects a newer version of the agent it will not upgrade the software. A reinstall will always replace with the version that is being installed.

Test the MSI

For systems running User Account Control (UAC), you will need to test the MSI from within a "Run as Administrator" Command Prompt.

To install the MSI, type the following from the command line:
>msiexec /i SNARE ENTERPRISE EPILOG v5.1.0[upgrade].msi

Upon execution you will see the following dialog box:

To include logging, on a deployment, (recommended for acceptance testing) type the following from the command line:
>msiexec /l*v [logname].log /i [msiname].msi

To ensure the agent is working correctly, check the Latest Events page in the web UI of the Snare agent.

To uninstall the MSI, type the following from the command line:

>msiexec /x SNARE ENTERPRISE EPILOG v5.1.0[upgrade].msi

If running this command shows the error then running the same install command again will silently uninstall the Snare

>msiexec /i SNARE ENTERPRISE EPILOG v5.1.0[upgrade].msi

Ensure the MSI is tested before use in production networks.
[For Snare MSI Builder versions earlier than 3.1.0]: A snare MSI can do the installation only once. Same snare MSI run twice will uninstall the existing installation. Create and use a new snare MSI for each installation. This limitation does not apply to Snare for Windows Custom MSI v3.1.0 or newer

Browser not supported