Anyone know why the cloud agent isn't enumerating the Local Admin group with Cloud Agents? It enumerates other groups, but not this key group.....
Is there a list of known QIDs that the agent isn't capable of doing at this time?
I'm hoping someone else has had this issue?
I do not believe the CA supports it because you would need something actually performing the enumeration, and since the agent lives on the host, it cannot. On the other hand, if using a virtual scanner, the scanner can actually attempt to perform it against a host.
If you go to the knowledgebase tab and do a search, you can filter based on a lot of good details including whether a QID is supported by the CA. Also, if you look at any QID details, it will say which module is supported by it.
Example: If I look at Microsoft Cumulative Security Update for Internet Explorer (MS16-084), and go to the details tab I see
Supported Modules:VM,CA-Windows Agent
Hope this helps!
The CA can enumerate (dump) local group members. It already does Backup Operators, Replicator, and Network Configuration Operators, so not sure why Administrators was left out. I know the CA just executes commands locally to get its info, dumping the members of the Local Admin groups is as simple as "net localgroup Administrators". The QID is 105231 "Administrator Group Members Enumerated", and the supported modules are VM,CA-Windows Agent. Looks like I'll have to open yet another agent related ticket.
So something interesting. I have a duplicate agent, one from when I was testing last year. I never removed it from the cloud platform. The other agent is the current one. Same machine, different IDs. The old stale agent HAS the "Administrator Group Members Enumerated" showing as an informational finding. The new one does not. So, at one time, the CA was detecting the local admin members.
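Added example, not part of any post in this thread and not Qualys code: while the agent finding is missing, the output of the `net localgroup Administrators` command mentioned above can be parsed and compared against an approved baseline. The sample output, the baseline names and the function names are constructed for illustration, and the parser assumes English-locale output.

```python
import subprocess

# Constructed sample of English-locale `net localgroup Administrators` output.
SAMPLE_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CONTOSO\\Domain Admins
CONTOSO\\jsmith
The command completed successfully.

"""

def parse_members(output):
    """Return the names listed between the dashed rule and the status line."""
    members, in_list = [], False
    for line in output.splitlines():
        line = line.strip()
        if not in_list:
            # The member list starts after a line made up only of dashes.
            in_list = bool(line) and set(line) == {"-"}
            continue
        if not line:
            continue
        if line.lower().startswith("the command completed"):
            break
        members.append(line)
    if not in_list:
        raise ValueError("no member list found; the command probably failed")
    return members

def diff_against_baseline(members, baseline):
    """Compare case-insensitively, since Windows account names ignore case."""
    current = {m.lower() for m in members}
    approved = {b.lower() for b in baseline}
    return {"unexpected": sorted(current - approved),
            "missing": sorted(approved - current)}

def collect(group="Administrators"):
    """Run the command on the local Windows host and return its raw output."""
    return subprocess.run(["net", "localgroup", group],
                          capture_output=True, text=True, check=True).stdout
```

On non-English Windows builds both the group name and the closing status line are localized, so the group argument and the stop condition need adjusting.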
Any updates to this issue that is still occurring?
See Cloud Agent - Enumerate Local Admins