FAQ: Red Cloak™ Endpoint Agent
How Much Network Bandwidth Is Required?
The Red Cloak™ Endpoint Agent typically consumes only a few megabytes per day per endpoint, normally below 5MB. Under certain conditions some hosts emit more traffic, but this is rare.
What Is the Footprint of Red Cloak™ Endpoint Agent on the Host and Network?
CPU usage by the Red Cloak™ Endpoint Agent is known to increase during periods of scanning. The following table outlines the system resources the agent uses and the typical utilization of each:
| Resource | Typical utilization |
| --- | --- |
| CPU | Typically runs with Low CPU Priority |
| Memory | Averages < 100MB, with a limit of 600MB |
| Network | Typically uses less than 5MB per day |
| Disk | Limited to 300MB |
In VDI containers, the agent requires at least one physical CPU per instance. Endpoints with higher than usual network traffic might experience higher CPU load. CPU usage percentage is unbounded by default. The system is polled every ten seconds to check CPU usage levels; if the level is above the configured usage threshold (unbounded by default, so the limit never triggers unless you set one), the process is suspended for ten seconds.
These settings are configurable when building a package or through Red Cloak configuration updates.
Why Is the Red Cloak™ Endpoint Agent Running Multiple Processes?
This is expected behavior of the Red Cloak™ Endpoint Agent. The multiple processes represent the different modules in use. On Windows, you can right-click a process in Task Manager and select Properties to display the module binary behind that process. More information on the modules you may see can be found in the Red Cloak™ Endpoint Agent Technical Details topic.
It is also possible for a single module to have several processes running. Because the Red Cloak™ Endpoint Agent runs with low CPU priority, this should not consume CPU needed by other processes.
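The Task Manager check above can be scripted. The following PowerShell is an added example, not code from Secureworks or the agent: it lists every running process whose image lives under the two default install directories quoted elsewhere in this FAQ, shows which module binary and file description each one is (the same text the Properties dialog shows), its priority class and working set, and whether the binary's Authenticode signature is valid. Run it elevated so the image paths of SYSTEM processes are readable; the `$Roots` paths are an assumption and must be changed if the agent was installed elsewhere.

```powershell
# Added example, not part of the Secureworks page. Assumes the default install paths from this FAQ.
$Roots = @(
    (Join-Path ${env:ProgramFiles(x86)} 'Dell SecureWorks\Red Cloak'),
    (Join-Path ${env:ProgramFiles(x86)} 'Dell SecureWorks\Ignition')
)

# Every process whose executable sits below one of the agent directories.
function Get-AgentProcess {
    Get-Process | Where-Object {
        $path = $_.Path
        $path -and ($Roots | Where-Object { $path -like "$_\*" })
    }
}

Get-AgentProcess | ForEach-Object {
    # Authenticode status of the module binary; anything other than 'Valid' deserves a support ticket.
    $sig = Get-AuthenticodeSignature -FilePath $_.Path
    [pscustomobject]@{
        PID          = $_.Id
        Module       = [System.IO.Path]::GetFileName($_.Path)
        Description  = $_.Description            # what Task Manager > Properties > Details shows
        Priority     = try { $_.PriorityClass } catch { 'n/a' }
        WorkingSetMB = [math]::Round($_.WorkingSet64 / 1MB, 1)
        Signer       = $sig.SignerCertificate.Subject
        SignatureOK  = ($sig.Status -eq 'Valid')
    }
} | Sort-Object WorkingSetMB -Descending | Format-Table -AutoSize
```

Expect `Priority` to read `BelowNormal` or `Idle` for the agent processes, matching the low-priority statement above; a row with `SignatureOK` false, or a process running from one of these directories that is not an agent module, is what you would raise with support.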
What Response Actions Does Red Cloak™ Endpoint Agent Support?
Secureworks® Taegis™ XDR allows administrators to take the following response actions:
- Isolate a host - Only supported on Windows
What Types of Data Does Red Cloak™ Endpoint Agent Collect from the Host?
The Red Cloak™ Endpoint Agent collects a broad set of endpoint telemetry that is analyzed to identify threats and their associated behaviors. The following information is continuously captured and sent back to the Secureworks Data Center for analysis:
- Processes and command-line parameters
- Thread injection events
- Files such as binaries, executables, DLLs, etc.
- Registry modifications
- Network connections
- DNS requests
- Windows Logs
- Disk and Memory artifacts
My Antivirus Product Blocked Red Cloak™ Endpoint Agent. What Should I Do?
Antivirus products monitor systems for unusual modifications to the operating system or installed software. One example of such a modification is the data files the Red Cloak™ Endpoint Agent creates from its own processes. Even though the Red Cloak™ Endpoint Agent DOES NOT modify anything that belongs to the operating system, some AV/malware protection products treat the agent's modifications to its own files as malicious behavior and block or stop its processes. Below are suggestions for resolving this issue.
We recommend excluding the following folders, which belong to the Red Cloak™ Endpoint Agent by default, from AV scanning and/or adding them to an allowlist/safelist:
%ProgramFiles(x86)%\Dell SecureWorks\Red Cloak\
Trend Micro OfficeScan
The Trend Micro OfficeScan Endpoint Protection product includes a Behavior Monitoring feature. By default it is OFF, and its response to certain types of events is set to Allow Access. However, some company protection policies require these settings to be tightened to produce more secure and less vulnerable systems. Since all components of the Red Cloak™ Endpoint Agent are digitally signed and verified, and its file modifications are by design, the Red Cloak™ Endpoint Agent should be treated as a non-malicious application and excluded from periodic scans and real-time blocking/protection.
For directions on configuring Malware Behavior Blocking, Event Monitoring, and the Exception List, see the Trend Micro article on those features. When defining an Exception List for the Red Cloak™ Endpoint Agent, two directories should be excluded: the default installation directory of the Red Cloak™ Endpoint Agent,
%ProgramFiles(x86)%\Dell SecureWorks\Red Cloak\
and the default directory of the Ignition update module,
%ProgramFiles(x86)%\Dell SecureWorks\Ignition\
Trend Micro Security
Trend Micro Security may flag the Red Cloak™ Endpoint Agent as an unwanted program. To configure the Trend Micro Security Exception List so that the Red Cloak™ Endpoint Agent can operate, see How to add items in Trend Micro Exception List.
What Are the Recent Changes in the Red Cloak™ Endpoint Agent?
See Red Cloak™ Endpoint Agent Changelog for version updates.
How Do I Deploy Red Cloak™ Endpoint Agent? Can I Use My Own Software Distribution System, e.g. LANDESK, GPO, SCCM?
The recommended way to deploy is to use your existing host management system. Secureworks provides an MSI package that embeds a configuration specific to your network. This package can be deployed through group policy or other similar means. Secureworks can also provide a standalone executable that can be added to domain logon scripts if an MSI is inconvenient. We support most, if not all, distribution systems.
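As an added example of what a distribution job for that MSI looks like (not a Secureworks-provided script): the package is verified to be Authenticode-signed before it is allowed to run as SYSTEM on every host, installed silently with a verbose log, the msiexec exit code is mapped to an outcome, and the default install directory from this FAQ is checked afterwards. The MSI filename is a placeholder; because the package already embeds your site configuration, no public properties are passed.

```powershell
# Added example, not part of the Secureworks page. $msi is a placeholder name.
$msi = 'C:\Deploy\RedCloakEndpointAgent.msi'
$log = Join-Path $env:TEMP 'redcloak-install.log'

# Supply-chain check: refuse to install a package whose signature does not verify.
$sig = Get-AuthenticodeSignature -FilePath $msi
if ($sig.Status -ne 'Valid') {
    throw "MSI signature status is '$($sig.Status)' (signer: $($sig.SignerCertificate.Subject)); refusing to install"
}

# Quiet, no-UI install with a verbose log for support tickets.
$proc = Start-Process -FilePath msiexec.exe `
    -ArgumentList "/i `"$msi`" /qn /norestart /l*v `"$log`"" -Wait -PassThru

switch ($proc.ExitCode) {
    0       { 'installed' }
    3010    { 'installed, reboot required' }
    1641    { 'installed, reboot initiated' }
    default { throw "msiexec exited with $($proc.ExitCode); see $log" }
}

# Post-check: the default install directory exists and at least one agent process is running.
$root = Join-Path ${env:ProgramFiles(x86)} 'Dell SecureWorks\Red Cloak'
if (-not (Test-Path $root)) { throw "install directory $root not found" }
$running = @(Get-Process | Where-Object { $_.Path -like "$root\*" }).Count
"agent processes running: $running"
```

The same command line goes into an SCCM program, a LANDESK package or a GPO startup script; `/l*v` is what makes a failed rollout diagnosable, so keep the log path on the host.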
What Are the Default Resource Limits for the Endpoint Sensor? What Happens When a Resource Limit Is Triggered?
The default disk usage limit is 300MB of local storage. The default memory working set limit is 600MB. The sensor typically runs with Low CPU Priority, so higher priority processes always take precedence; if no other processes are running, or they are idle, the Red Cloak™ Endpoint Agent sensor uses the available resources. CPU usage percentage is unbounded by default. These settings are configurable when building a package or through configuration updates.
Each resource limit has severity levels whose actions become more aggressive as higher limits are reached. For example, when the disk usage limit is triggered at low severity, non-essential files such as logs or locally cached data are cleaned up; at drastic severity, all files are removed. Memory limits have similar levels to disk limits: at different intervals, actions such as clearing cached data in memory or suspending processes are taken.
CPU limits are calculated periodically rather than continuously, and when a limit is triggered the process is put to sleep or suspended for a period of time. The system is polled every ten seconds to check usage levels. If the related process is above the usage threshold (unbounded by default), the process is suspended for a penalty interval of ten seconds.
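To see where a host actually sits against those defaults, the following PowerShell (an added example, not Secureworks code) measures the agent's on-disk size against the 300MB limit, the combined working set of all agent processes against the 600MB limit, and samples CPU over the same ten-second window the agent itself polls on. The install paths and the two limit values are taken from this FAQ; the function name and the choice to sum across all module processes are this example's own.

```powershell
# Added example, not part of the Secureworks page. Paths and limits are the documented defaults.
$RedCloak    = Join-Path ${env:ProgramFiles(x86)} 'Dell SecureWorks\Red Cloak'
$Ignition    = Join-Path ${env:ProgramFiles(x86)} 'Dell SecureWorks\Ignition'
$MemLimitMB  = 600   # default memory working set limit
$DiskLimitMB = 300   # default local storage limit

function Get-AgentProcess {
    Get-Process | Where-Object {
        $_.Path -and ($_.Path -like "$RedCloak\*" -or $_.Path -like "$Ignition\*")
    }
}

# Disk: the limit applies to the agent's local storage, so size the install tree (logs, cache, binaries).
$diskBytes = [double](Get-ChildItem -Path $RedCloak -Recurse -File -ErrorAction SilentlyContinue |
                      Measure-Object -Property Length -Sum).Sum
$diskMB = [math]::Round($diskBytes / 1MB, 1)

# Memory: the modules run as separate processes, so sum their working sets.
$memMB = [math]::Round(([double](Get-AgentProcess | Measure-Object -Property WorkingSet64 -Sum).Sum) / 1MB, 1)

# CPU: two samples ten seconds apart. Process.CPU is cumulative processor seconds, so
# (delta CPU seconds / elapsed wall seconds / logical cores) is the machine-wide percentage.
$cores = [Environment]::ProcessorCount
$cpu0  = [double](Get-AgentProcess | Measure-Object -Property CPU -Sum).Sum
$wall0 = Get-Date
Start-Sleep -Seconds 10
$cpu1  = [double](Get-AgentProcess | Measure-Object -Property CPU -Sum).Sum
$elapsed = ((Get-Date) - $wall0).TotalSeconds
$cpuPct  = [math]::Round(100 * ($cpu1 - $cpu0) / $elapsed / $cores, 1)

[pscustomobject]@{
    DiskMB         = $diskMB
    DiskOverLimit  = ($diskMB -gt $DiskLimitMB)
    WorkingSetMB   = $memMB
    MemOverLimit   = ($memMB -gt $MemLimitMB)
    CpuPercent10s  = $cpuPct     # no default CPU limit, so this is informational only
}
```

A host that reports `DiskOverLimit` or `MemOverLimit` as true while the agent keeps running is one where the severity actions described above (cache cleanup, process suspension) should already be firing; that, plus the `*.log` files from the install directories, is what to attach to a support request.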
Are There Any Dependencies?
The Red Cloak™ Endpoint Agent for Windows is completely self-contained. It requires no DLLs or assemblies other than those that come with a base Windows system. When installing the Red Cloak™ Endpoint Agent for Linux, there are dependencies that can be resolved automatically by using yum. For more information, see Linux Agent Dependencies.
What Network Connectivity Is Required?
Please refer to Red Cloak™ Endpoint Agent Installation for connectivity requirements.
What OS Platforms Are Supported?
For information on supported operating systems, see Red Cloak™ Endpoint Agent Supported Operating Systems.
How Often Are Red Cloak™ Endpoint Agent Software Updates Available?
Secureworks continuously updates Red Cloak™ Endpoint Agent with the latest enhancements available to our clients. Updates and their associated end-of-life dates will be made available to the client in advance so you can upgrade as needed.
How Often Is New Intelligence Added to Secureworks® Taegis™ XDR?
How Do I Get Assistance with Red Cloak™ Endpoint Agent?
You can request product support for all issues not related to security alerts (e.g. performance issues, unexpected behavior, etc.) according to our Support Policy.
When requesting support for Red Cloak™ Endpoint Agent, provide the Red Cloak™ Endpoint Agent logs located at:
C:\Program Files (x86)\Dell SecureWorks\Red Cloak\*.log
C:\Program Files (x86)\Dell SecureWorks\Ignition\*.log
How Does Red Cloak™ Endpoint Agent Proxy Discovery Work?
If the Red Cloak™ Endpoint Agent cannot connect directly to the internet, it attempts to discover local proxy settings on the host, across all registered user profiles, by checking:
- MSIE (Internet Options) settings
- Firefox settings
- WinHTTP proxy settings
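When an agent cannot reach the internet, the useful check is to read the same three sources yourself, for every user profile, and compare with what the proxy should be. The PowerShell below is an added example, not the agent's own discovery code: it walks each loaded user hive in HKEY_USERS for the per-user Internet Options values, parses the `network.proxy.*` preferences out of every Firefox profile's `prefs.js`, and prints the machine-wide WinHTTP setting. Run it elevated so other users' hives and profile folders are readable; the registry value names, the Firefox preference names and `netsh winhttp show proxy` are standard Windows/Firefox, not something documented by this FAQ.

```powershell
# Added example, not part of the Secureworks page or the agent.

# 1. MSIE / Internet Options, per user: each loaded profile hive is a SID key under HKEY_USERS.
$userHives = Get-ChildItem Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }

$msie = foreach ($hive in $userHives) {
    $key = "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    $s = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($s) {
        [pscustomobject]@{
            Source        = 'MSIE'
            Profile       = $hive.PSChildName
            ProxyEnable   = $s.ProxyEnable      # 1 = manual proxy in use
            ProxyServer   = $s.ProxyServer      # host:port, or per-protocol list
            AutoConfigURL = $s.AutoConfigURL    # PAC script, if any
        }
    }
}

# 2. Firefox: only non-default prefs are written to prefs.js, so a missing key means "default".
$ffPattern = 'user_pref\("(network\.proxy\.[^"]+)",\s*"?([^")]*)"?\)'
$firefox = Get-ChildItem "$env:SystemDrive\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\prefs.js" -ErrorAction SilentlyContinue |
    ForEach-Object {
        $prefs = @{}
        Select-String -Path $_.FullName -Pattern $ffPattern | ForEach-Object {
            $prefs[$_.Matches[0].Groups[1].Value] = $_.Matches[0].Groups[2].Value
        }
        [pscustomobject]@{
            Source    = 'Firefox'
            Profile   = $_.Directory.FullName
            ProxyType = $prefs['network.proxy.type']           # 1 manual, 2 PAC, 4 auto-detect, 5 system
            Http      = $prefs['network.proxy.http']
            HttpPort  = $prefs['network.proxy.http_port']
            PAC       = $prefs['network.proxy.autoconfig_url']
        }
    }

# 3. WinHTTP: the machine-wide setting used by services that run as SYSTEM.
$winhttp = (& netsh.exe winhttp show proxy) -join ' '

$msie | Format-Table -AutoSize
$firefox | Format-Table -AutoSize
"WinHTTP: $winhttp"
```

If all three sources report direct access on a host that needs a proxy, the agent has nothing to discover and the fix is on the host or in the package configuration, not in the agent; if they disagree with each other, expect the agent to try them in the order listed above.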
What Potential Scenarios May Arise from Running Two Secureworks® Taegis™ XDR Supported Endpoint Integrations?
If you run Red Cloak™ Endpoint Agent as well as third-party supported endpoint software (like Carbon Black, CrowdStrike, or Microsoft Defender), and if the third-party integration is connected to Secureworks® Taegis™ XDR, then you may experience the following scenarios:
- Duplicate Alerts: If two agents are gathering similar telemetry from the endpoint, it could potentially lead to duplicate alerts in Secureworks® Taegis™ XDR. You can minimize this impact by either suppressing those duplicate alerts or generating a custom Red Cloak™ Endpoint Agent with certain modules disabled for your scenario. Please contact support for generation of a custom Red Cloak™ Endpoint Agent if needed.
- Agent Performance: If the Red Cloak™ Endpoint Agent is not safelisted in the third-party endpoint product, this can cause performance or compatibility issues on the endpoint/host. In that case, ensure you safelist the following Red Cloak folder in the third-party endpoint product:
%ProgramFiles(x86)%\Dell SecureWorks\Red Cloak\
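The folder exclusion recommended here, and in the antivirus entry earlier on this page, looks like the following when the third-party product is Microsoft Defender (named in the list above). This is an added example, not Secureworks or Microsoft documentation: it registers both default agent directories (the Ignition updater directory is the second one listed under the Trend Micro OfficeScan entry), verifies that the exclusions took effect, and then lists which identities can write into the excluded folders, because an excluded directory is a scanning blind spot and should be writable only by administrators and SYSTEM.

```powershell
# Added example, not part of the Secureworks page. Requires an elevated session with the Defender module present.
$agentDirs = @(
    (Join-Path ${env:ProgramFiles(x86)} 'Dell SecureWorks\Red Cloak'),
    (Join-Path ${env:ProgramFiles(x86)} 'Dell SecureWorks\Ignition')
)

# Register the two directories as path exclusions.
Add-MpPreference -ExclusionPath $agentDirs

# Verify: read the effective list back and fail if either path is missing (a centrally
# managed Defender policy can overwrite local exclusions, so do not assume the add stuck).
$effective = (Get-MpPreference).ExclusionPath
$missing   = $agentDirs | Where-Object { $effective -notcontains $_ }
if ($missing) { throw "Exclusions not in effect: $($missing -join ', ')" }

# Caveat check: who can write into the excluded directories? Anything beyond
# Administrators, SYSTEM and TrustedInstaller means a user could stage a file that Defender will not scan.
foreach ($dir in $agentDirs) {
    (Get-Acl -Path $dir).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights.ToString() -match 'Write|Modify|FullControl')
        } |
        Select-Object @{ n = 'Path'; e = { $dir } }, IdentityReference, FileSystemRights
}
```

Keep the exclusions scoped to exactly these directories rather than to a parent such as `Dell SecureWorks\` or a process-wide exclusion; if Defender is managed by group policy or Intune, put the same two paths in that policy, since the local `Add-MpPreference` call will otherwise be reverted at the next policy refresh.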