A unified software component installed on protected devices (computers, laptops, servers, and virtual workstations) that enables continuous monitoring and analysis of system events, detects attacks at early stages, and simplifies vulnerability detection.


Endpoint agent
A technology that provides continuous monitoring and analysis of system events on endpoint devices, such as employee laptops, company computers and servers, and virtualized workstations.
More than just a sensor
Agents don't just collect telemetry, but also operate autonomously, using functional modules that run directly on devices. They perform static and behavioral analysis and respond to threats without needing a management server, internal network, or internet access. This architecture secures remote devices outside the domain and perimeter defenses.
Flexible configuration
Module configurations are defined in device and group policies. You can add or remove modules, enable or disable them, and select their functionality:
- Monitor-only mode (for example, for critical systems or executive devices)
- Reduced load for low-performance hardware
- Independent module updates without full product upgrades
Broad OS support
The agent is compatible with Windows, Linux, and macOS. It can be deployed via the management server interface or centralized tools (SCCM for Windows; Ansible, Puppet, Salt, Chef, and Terraform for Linux; Jamf for macOS).
Delivery and installation modules
These modules deploy and configure applications and manage monitoring tools such as Sysmon and auditd.
Collection modules
These modules gather device event data (including at the OS kernel level) and send it to detection modules and MaxPatrol SIEM.
Detection modules
These modules analyze events, detect malicious activity, and log security events. They use correlation engines and YARA scanning for static and dynamic analysis. They can also send files to PT Sandbox, and the results are synced across all agents with the same policy.
Response modules
These modules mitigate threats by:
- Quarantining or deleting files
- Terminating processes
- Isolating nodes (full or partial network disconnection)
- IP blocking
- DNS sinkholing
- Remote command and file operations