Centralized Agent Upgrades

Warning

As of version 5.1, only the Snare Enterprise Agent for Windows and the Snare Enterprise Agent for Windows Desktop may use this upgrade feature, and the installed agent must be at least version 5.1.

Warning

Due to a defect in Snare Enterprise Agent for Windows v5.3.0 and Snare Enterprise Agent for Windows Desktop v5.3.0 it is not possible to upgrade the agent from this version using the upgrade feature.

Overview

Version 1.1.0 and later of Snare Agent Manager (SAM) can upgrade managed agents to a newer agent version from SAM itself. This allows agent upgrades to be managed centrally and reduces the manual administration needed to keep Snare agents current for security compliance.
This is a licensed feature: it requires a license with IA_SAM_UPGRADE enabled, which the customer portal (SLDM) displays as Remote Agent Upgrade for the SAM Key License.
Without this license the Upgrade Agents option is disabled (grayed out). To obtain the license, contact your sales representative.

Customers with a Snare Central Server v7.5+ or an Agent Management Console will have this Remote Agent Upgrade feature available.


The upgrade process has been designed to:

  • be secure,
  • have a low impact on network bandwidth,
  • support multiple agents and agent versions upgrading at the same time, and
  • provide fine-grained control over which agents are upgraded.

Before this feature can be used, a number of prerequisites must be met:

  • the upgrader subsystem must be licensed
  • the installed agent must be at least v5.1.0
  • the agent must be running with permissions of "LOCAL_SYSTEM" on the machine
  • the agent must be communicating with a SAM
  • a newer version of the agent must be installed into the SAM upgrade screen and enabled (see Installing New Releases section below)
  • the upgrader subsystem must be enabled
  • only the Snare Enterprise Agent for Windows and the Snare Enterprise Agent for Windows Desktop may be upgraded

With the above prerequisites in place, the user can select in the SAM which agents are to be upgraded.

Managing The Upgrader Subsystem

Navigate to Settings | Upgrade Agents to manage the releases available in SAM.

The following settings are available:

Settings

Status. The status of the entire upgrader subsystem.  If enabled, SAM will allow agents to be upgraded.

Concurrent upgrade threshold. The maximum number of agents that may be upgrading at any one time. Default is 4 agents. Click Update to change this value. With a large number of agents, upgrading them all at once may impact both network resources and the resources SAM needs in order to distribute the upgrades to the agents, so the maximum number of simultaneous upgrades is configurable. Agents waiting for an upgrade remain in a pending state until a concurrency slot becomes free.

Error threshold. The number of failed upgrades at which SAM pauses further upgrades. Default is 4 errors. Click Update to change this value. As a safety measure, the Snare Agent Manager monitors agents that fail to upgrade, which can happen for a number of reasons (lack of permissions, network outages, and so on). When an upgrade fails, the SAM records the failure and marks the agent as a failed upgrade. When the Error threshold is reached, the upgrader subsystem enters an 'Auto Disabled' mode and all agents scheduled for upgrade are paused, so that the causes of the failures can be investigated. Once they have been investigated, a failed upgrade on an individual agent can be cleared by clicking 'Cancel'. Once the number of failures has dropped below the Error threshold, the upgrader subsystem can be re-enabled. For safety and performance reasons, the error threshold cannot be set above 100 failed agents.

Note: the number of failed agents can exceed the error threshold by more than one, because upgrades already in flight when the threshold is reached may still fail; how far it can overshoot therefore depends on the Concurrent upgrade threshold.

All errors found on agents may be cleared by clicking Clear Failed Upgrades.

Upgrade Timeout. The time (in minutes), measured from the start of an agent's upgrade, after which the upgrade is considered failed if the agent has not communicated with SAM again. Default is 60 minutes.
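
To make the interaction between the Concurrent upgrade threshold, the Error threshold, the Upgrade Timeout and the Auto Disabled mode concrete, here is a small model of the upgrader subsystem's bookkeeping, added to this page as an illustration. It is not Snare Agent Manager code: the state names, the function names and the exact point at which a timed-out agent is reported are this example's assumptions, drawn only from the description above. FailedAfterBurst shows the note on overshoot in action: with threshold-1 failures already recorded, a full set of in-flight upgrades failing together leaves threshold-1+concurrency failed agents.

```go
package main

import "fmt"

// Per-agent state, modelled on the pending/upgrading/upgraded/failed states the SAM screen shows (names are this example's own).
type State string
const Pending, Upgrading, Upgraded, Failed State = "pending", "upgrading", "upgraded", "failed"

// Scheduler models the upgrader subsystem's settings and bookkeeping (an illustration, not SAM's implementation).
type Scheduler struct {
	Concurrency, ErrorThreshold int  // the SAM settings of the same name
	AutoDisabled                bool // set once failures reach ErrorThreshold
	agents                      map[string]State
}

func NewScheduler(concurrency, errorThreshold int) *Scheduler {
	return &Scheduler{Concurrency: concurrency, ErrorThreshold: errorThreshold, agents: map[string]State{}}
}

// Schedule selects an agent for upgrade; it waits as Pending for a free slot.
func (s *Scheduler) Schedule(name string) { s.agents[name] = Pending }

func (s *Scheduler) Count(st State) (n int) {
	for _, v := range s.agents {
		if v == st {
			n++
		}
	}
	return n
}

// Dispatch starts Pending agents while slots are free; nothing starts while Auto Disabled.
func (s *Scheduler) Dispatch() (started int) {
	inFlight := s.Count(Upgrading)
	for name, st := range s.agents {
		if s.AutoDisabled || inFlight >= s.Concurrency {
			break
		}
		if st == Pending {
			s.agents[name] = Upgrading
			inFlight++
			started++
		}
	}
	return started
}

// Report records an in-flight upgrade's outcome. An Upgrade Timeout (no contact from the agent
// in time) is reported as ok=false like any other failure; reaching ErrorThreshold trips Auto Disabled.
func (s *Scheduler) Report(name string, ok bool) {
	if s.agents[name] != Upgrading {
		return
	}
	s.agents[name] = Upgraded
	if !ok {
		s.agents[name] = Failed
		s.AutoDisabled = s.AutoDisabled || s.Count(Failed) >= s.ErrorThreshold
	}
}

// ClearFailedUpgrades drops every Failed agent ('Clear Failed Upgrades'; the per-agent 'Cancel' drops one entry the same way).
func (s *Scheduler) ClearFailedUpgrades() (cleared int) {
	for name, st := range s.agents {
		if st == Failed {
			delete(s.agents, name)
			cleared++
		}
	}
	return cleared
}

// FailAllInFlight reports every Upgrading agent as failed, as a burst of timeouts or permission errors would.
func (s *Scheduler) FailAllInFlight() {
	for name, st := range s.agents {
		if st == Upgrading {
			s.Report(name, false)
		}
	}
}

// FailedAfterBurst shows why the failure count can overshoot ErrorThreshold by more than one:
// threshold-1 failures are recorded first, then a full set of in-flight upgrades fails together.
func FailedAfterBurst(concurrency, threshold int) int {
	s := NewScheduler(concurrency, threshold)
	for i := 0; i < threshold-1; i++ {
		s.Schedule(fmt.Sprintf("early-%d", i))
	}
	for s.Dispatch() > 0 { // drain the early agents, each one failing
		s.FailAllInFlight()
	}
	for i := 0; i < concurrency; i++ {
		s.Schedule(fmt.Sprintf("burst-%d", i))
	}
	s.Dispatch() // every slot starts at once, then every one fails
	s.FailAllInFlight()
	return s.Count(Failed)
}

func main() {
	fmt.Println("failed agents after burst (concurrency 4, threshold 4):", FailedAfterBurst(4, 4))
}
```

With the defaults (4 and 4) the model ends with 7 failed agents, and with a concurrency of 1 it ends with exactly 4, which is the practical reason to keep the Concurrent upgrade threshold modest while a new release is being rolled out: the threshold bounds how many agents can be left in a failed state before the subsystem pauses itself.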

Releases Directory. The path to the releases directory on the system hosting SAM, where the release metafile (*.txt) and the agent binary (*.exe) must be placed.
The default path is: 

  • for standalone installation of SAM on Windows:  C:\Program Files\Intersect Alliance\Snare Agent Manager\Upgrades
  • for SAM running on Snare Central Server:  /data/Snare/Upgrades

Click Update to change this path.

Note

If the Releases Directory path does not exist, please create it prior to using it.

About Metafiles

Security is a key consideration in the design of the upgrade subsystem. Upgrades are validated all the way from the installation of the release executable into SAM to the final installation of the release on the agent machine. This source-to-target validation is performed with signed metafiles.

In order to install a new release into SAM, both the executable and a signed metafile for that executable are required. Each metafile is validated against an internal signature in SAM to confirm it is a legitimate Intersect Alliance metafile. The metafile is then used to validate that the executable is a legitimate Intersect Alliance product. Only if both checks pass is the release made available in SAM.

Likewise when the agent is instructed to upgrade from SAM it obtains both the signed metafile and the executable from the SAM. These are verified again by the agent before the upgrade is allowed to install.
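
To show mechanically what "validated all the way from the installation of the release executable into SAM to the final installation on the agent machine" means, here is an added illustration written for this page. It is not Snare code: the page does not document the real metafile format, so the JSON metafile layout (product, version and a SHA-256 digest of the executable), the Ed25519 vendor signature and the names SignRelease, VerifyRelease and ReleaseAvailable are all this example's assumptions, and the vendor key and executable bytes are constructed for the demonstration. The same VerifyRelease check runs once when SAM scans the Releases Directory and again in the agent before it installs the copy it fetched from SAM.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Metafile is this example's stand-in for the release metafile. It carries the minimum any
// such file needs: what the binary is, and a digest pinning its exact bytes.
type Metafile struct {
	Product string `json:"product"`
	Version string `json:"version"`
	SHA256  string `json:"sha256"`
}

// SignedMetafile is a Metafile plus the vendor's Ed25519 signature over its canonical JSON
// encoding. SAM and the agent both embed the vendor public key; only the vendor signs.
type SignedMetafile struct {
	Meta      Metafile `json:"meta"`
	Signature []byte   `json:"signature"`
}

// SignRelease is the vendor-side step: digest the executable and sign a metafile that pins it.
func SignRelease(priv ed25519.PrivateKey, product, version string, exe []byte) (SignedMetafile, error) {
	sum := sha256.Sum256(exe)
	m := Metafile{Product: product, Version: version, SHA256: hex.EncodeToString(sum[:])}
	canon, err := json.Marshal(m) // fixed struct field order makes this encoding canonical
	if err != nil {
		return SignedMetafile{}, err
	}
	return SignedMetafile{Meta: m, Signature: ed25519.Sign(priv, canon)}, nil
}

// VerifyRelease is the check run twice on the path: by SAM when it scans the Releases
// Directory, and again by the agent before install. The signature proves the metafile is
// the vendor's; the digest then ties that metafile to these exact executable bytes.
func VerifyRelease(pub ed25519.PublicKey, sm SignedMetafile, exe []byte) error {
	canon, err := json.Marshal(sm.Meta)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, canon, sm.Signature) {
		return errors.New("metafile signature invalid: not a vendor-signed metafile")
	}
	sum := sha256.Sum256(exe)
	if hex.EncodeToString(sum[:]) != sm.Meta.SHA256 {
		return errors.New("executable digest does not match the signed metafile")
	}
	return nil
}

// ReleaseAvailable mirrors SAM's scan decision: a release is listed only when both checks pass.
func ReleaseAvailable(pub ed25519.PublicKey, sm SignedMetafile, exe []byte) bool {
	return VerifyRelease(pub, sm, exe) == nil
}

func main() {
	// Constructed sample data: a throwaway vendor key pair and a fake executable.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	exe := []byte("MZ...constructed stand-in for an agent installer...")
	sm, err := SignRelease(priv, "Snare Enterprise Agent for Windows", "5.9.9-example", exe)
	if err != nil {
		panic(err)
	}
	fmt.Println("SAM scan accepts release:     ", ReleaseAvailable(pub, sm, exe))
	fmt.Println("agent accepts fetched copy:   ", ReleaseAvailable(pub, sm, exe))
	tampered := append([]byte{}, exe...)
	tampered[len(tampered)-1] ^= 0xff // one byte changed in transit or on disk
	fmt.Println("agent accepts tampered copy:  ", ReleaseAvailable(pub, sm, tampered))
	sm.Meta.Version = "9.9.9" // an edited metafile no longer matches its signature
	fmt.Println("SAM accepts edited metafile:  ", ReleaseAvailable(pub, sm, exe))
}
```

The point of the agent repeating the check rather than trusting SAM is that SAM is only a relay: a binary or metafile that was altered on the SAM host, or anywhere on the path to the agent, fails the same verification the vendor's genuine release passes, so the agent never installs anything the vendor did not sign.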

Releases

Scan for new/existing releases. Click this to scan for any new or existing releases.  It will search in the Releases Directory set above.

How to add releases to Snare Agent Manager. Step-by-step details on adding a release, scanning for it, enabling it for deployment, and finally deploying it. Click Hide to collapse this information.

Scan Status.  The status of the scan.

Last Scan.  The last time the release directory was searched for a release.