Overview
With Blumira Agent and the Poshim (PowerShell Shim) install script, Blumira can receive event logs directly through the cloud within minutes, without a sensor server or additional configuration on your network. Devices running Blumira Agent (also called “agent devices”) send their Windows event logs to Blumira for detection and response, wherever the device is located. Additionally, Blumira Agent allows you to temporarily isolate a suspicious or vulnerable host from the network while you determine the next steps in a detection event.
Requirements
- Your organization must have the Blumira Agent upgrade option on your account; it is not included with any of the standard paid editions.
Note: Blumira Agent is not available in the free edition.
- You must be a Blumira Administrator or Manager to generate installation keys and scripts for Blumira Agent.
- You can install Blumira Agent on Windows machines that are running Windows XP 32-bit or higher.
- You must be a Windows administrator to run the installation script in PowerShell.
Before you begin
If your organization blocks outbound traffic or performs SSL/TLS interception, you must add the following endpoints to your allowlist (and exclude them from interception, because the agent will not accept a substituted certificate):
- URL used to download the agent:
https://dl.blumira.com/agent/files/blu_agent.exe
- Host and port used for shipping Windows and agent logs (allowlist this as a host:port, not as a URL):
9157798c50af372c.lc.limacharlie.io:443
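The following pre-flight check is an added example, not part of Blumira's Poshim script. It tests that both endpoints listed above accept a TCP connection on port 443 and then completes a TLS handshake to show which certificate the device actually receives; if the issuer is your proxy's CA rather than a public CA, the traffic is being intercepted and the endpoint still needs an exception. It assumes Test-NetConnection is available (Windows 8 / Server 2012 and later) and that the endpoint names are exactly those in this article.

```powershell
# Added pre-flight check, not Blumira's own script. Assumes the two endpoints
# listed in this article and that Test-NetConnection is available (Windows 8 /
# Server 2012 and later). The issuer comparison is a heuristic: a certificate
# issued by your proxy's CA instead of a public CA means TLS interception.
$endpoints = @(
    @{ Host = 'dl.blumira.com';                     Port = 443 }   # agent download
    @{ Host = '9157798c50af372c.lc.limacharlie.io'; Port = 443 }   # log shipping
)

foreach ($e in $endpoints) {
    $tcp = Test-NetConnection -ComputerName $e.Host -Port $e.Port -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        Write-Warning ("{0}:{1} not reachable; add it to the outbound allowlist" -f $e.Host, $e.Port)
        continue
    }

    # Complete a TLS handshake and read the certificate that the server, or an
    # intercepting proxy, presents. The callback accepts any certificate on
    # purpose: we want to see the chain, not reject it.
    $client = New-Object System.Net.Sockets.TcpClient($e.Host, $e.Port)
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $err) $true }
    $ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($e.Host)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Endpoint  = "{0}:{1}" -f $e.Host, $e.Port
            Reachable = $true
            Subject   = $cert.Subject
            Issuer    = $cert.Issuer     # compare against your proxy's CA name
            NotAfter  = $cert.NotAfter
        }
    }
    catch {
        Write-Warning ("TLS handshake to {0} failed: {1}" -f $e.Host, $_.Exception.Message)
    }
    finally {
        $ssl.Dispose()
        $client.Dispose()
    }
}
```

Run it from the device that will receive the agent, not from an admin workstation, because proxy and firewall rules are often applied per subnet or per host. A TCP success with an unexpected issuer is the case to watch for: the download may still work through the proxy, but the log-shipping connection will fail once the agent is installed.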
Installing the agent
Blumira’s Poshim script provides you with a simple process for installing and running Blumira Agent on your remote devices. Obtain a custom script in-app, then run the agent install script in an elevated PowerShell command prompt.
Note: If Poshim finds NXLog or Sysmon on the device, it removes them, because Blumira Agent does not need them for remote Windows logging. Poshim installs NXLog and Sysmon only for advanced Windows logging on devices that are not using Blumira Agent.
You can create separate scripts with different installation keys, which is especially useful when you manage devices as groups. How many keys you create depends on whether you want to manage all devices as one group for your entire organization or segment your agent deployment (for example, by site or by device role) using multiple keys, each with its own device limit.
To create and gather a new installation script:
- Navigate to Blumira Agent > Installation.
- Under Generate agent installation script, click Select installation key.
- Click Create new installation key.
- In the Installation key details window, type a description.
- In the "Device limit for this key" box, type the number of devices you plan to install using the key.
Note: The limit of devices for your organization is displayed below the box for reference.
- Click Save changes.
- Copy the script that appears in the box.
- On the device, run the script in an elevated PowerShell prompt.
Validating that Blumira Agent installed successfully
After you run the Poshim install script, the Blumira Agent service appears as a running service in the machine’s Task Manager, and the agent device appears in the Devices table in the Blumira app.
To validate that Blumira Agent is installed:
- Verify that the installation status shows as “Successful” in PowerShell.
- Open Task Manager on the machine and confirm the agent is running, using any of the following identifiers:
  - Under the Processes tab, find the process named “refractionPOINT HCP”.
  - Under the Details tab, find the running file name “rphcp.exe”.
  - Under the Services tab, find the service description “Blumira Agent” or service name “rphcpsvc”.
- In the Blumira app, navigate to Blumira Agent > Devices.
- In the Devices table, find the row for the newly added agent device.
- In the Agent status column, verify that the device is “Online”.
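The same checks can be scripted so they can be run across a fleet. The function below is an added example and is not part of Blumira's Poshim script; it uses only the identifiers given in this article (service name rphcpsvc, process rphcp.exe). The NXLog and Sysmon service names it looks for, and the expectation that the service start type is Automatic, are assumptions. It also reads the Authenticode signature of the service binary and reports the signer, the check a defender would apply to any new SYSTEM service; this article does not state the expected signer, so the script reports it for you to verify rather than asserting a name. Run it in an elevated PowerShell prompt.

```powershell
# Added post-install check, not part of Blumira's Poshim script. Assumptions:
# PowerShell 5.0+ (for Service.StartType), the NXLog/Sysmon service names below,
# and that the agent service binary should carry a valid Authenticode signature.
function Test-BlumiraAgent {
    $r = [ordered]@{
        ServicePresent  = $false
        ServiceRunning  = $false
        StartType       = $null
        ProcessRunning  = $false
        ImagePath       = $null
        SignatureStatus = $null
        Signer          = $null
        LeftoverAgents  = @()
    }

    # Service identifiers from the article: name rphcpsvc, description "Blumira Agent".
    $svc = Get-Service -Name 'rphcpsvc' -ErrorAction SilentlyContinue
    if ($svc) {
        $r.ServicePresent = $true
        $r.ServiceRunning = ($svc.Status -eq 'Running')
        $r.StartType      = $svc.StartType     # expect Automatic so the agent survives reboots
    }

    # Process identifier from the article: rphcp.exe (shown as "refractionPOINT HCP").
    $r.ProcessRunning = [bool](Get-Process -Name 'rphcp' -ErrorAction SilentlyContinue)

    # Resolve the service binary from its registered command line and check its signature.
    $wmi = Get-CimInstance -ClassName Win32_Service -Filter "Name='rphcpsvc'" -ErrorAction SilentlyContinue
    if ($wmi -and $wmi.PathName) {
        $r.ImagePath = $wmi.PathName
        $exe = if ($wmi.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($wmi.PathName -split ' ')[0] }
        if (Test-Path -LiteralPath $exe) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            $r.SignatureStatus = $sig.Status
            if ($sig.SignerCertificate) { $r.Signer = $sig.SignerCertificate.Subject }
        }
    }

    # Poshim is documented to remove NXLog and Sysmon; flag any that remain (assumed service names).
    $r.LeftoverAgents = @(Get-Service -Name 'nxlog', 'Sysmon', 'Sysmon64' -ErrorAction SilentlyContinue |
                          Select-Object -ExpandProperty Name)

    [pscustomobject]$r
}

$status = Test-BlumiraAgent
$status | Format-List

if (-not ($status.ServiceRunning -and $status.ProcessRunning)) {
    if ($status.ServicePresent) {
        Write-Warning 'rphcpsvc is installed but not running; try Start-Service rphcpsvc, then re-check.'
    } else {
        Write-Warning 'Blumira Agent is not installed; re-run the Poshim script in an elevated PowerShell prompt.'
    }
} else {
    'Blumira Agent service and process are running; confirm the device shows Online under Blumira Agent > Devices.'
    if ($status.SignatureStatus -ne 'Valid') {
        Write-Warning ("Service binary signature status is '{0}'; verify the file before trusting it." -f $status.SignatureStatus)
    }
    if ($status.LeftoverAgents.Count -gt 0) {
        Write-Warning ("Logging agents still present that Poshim should have removed: {0}" -f ($status.LeftoverAgents -join ', '))
    }
}
```

The Task Manager and app checks in the steps above confirm the agent is present; this adds two things a practitioner wants before trusting a new SYSTEM service on every endpoint: that the binary on disk is the signed one the service points at, and that the older logging agents Poshim is supposed to remove are in fact gone. The “Online” status in the Devices table remains the authoritative confirmation that logs are reaching Blumira, because a running local service says nothing about whether its outbound connection succeeded.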