Agentless scanning refers to the process of evaluating and analyzing systems, networks, and devices without the need to install any software agents on the devices being scanned. This approach uses network-based techniques to gather information and assess the security posture or compliance status of the target systems.
Key characteristics and benefits of agentless scanning include:
Agentless scanning in Microsoft Defender for Cloud collects data from virtual machines (VMs) using cloud APIs. It takes snapshots of VM disks, performing an out-of-band analysis of the operating system configuration and file system without affecting the VM. The metadata extracted from these snapshots is analyzed to detect configuration gaps and potential threats. Snapshots are deleted after metadata collection, ensuring minimal data retention. This process supports broad visibility, vulnerability assessment, secret scanning, and threat detection without installing agents or impacting performance.
Choosing between agentless and agent-based scanning in Microsoft Defender for Cloud largely depends on your specific use case and environment. Each approach has unique features and benefits that can align differently with your security needs. To aid in making an informed decision, I have compiled a comparison of key features and advantages of both agentless and agent-based scanning. This comparison will help you understand which option may be best suited for your cloud security strategy.
| Feature | Agentless Scanning | Agent-Based Scanning |
|---|---|---|
| Data Collection Method | Cloud APIs and disk snapshots | Agents installed on VMs |
| Performance Impact | Minimal, no impact on VM performance | Potential impact due to agent running on VMs |
| Setup | No installation required | Requires agent installation and maintenance |
| Visibility | Broad, out-of-band analysis | Detailed, real-time monitoring |
| Data Retention | Snapshots deleted after metadata extraction | Continuous data collection |
| Vulnerability Assessment | Supported | Supported |
| Configuration Analysis | Supported | Supported |
| Threat Detection | Supported | Supported |
| Secret Scanning | Supported | Supported |
Agentless scanning is automatically enabled when you onboard your VMs to either the Defender Cloud Security Posture Management (CSPM) plan or the Defender for Servers P2 plan. If you already have Defender for Servers P2 enabled and agentless scanning is turned off, you can easily enable it by following these steps:
Unlike agent-based scanning in Defender for Servers, agentless scanning lets you exclude individual servers from being scanned.
In this case, we are going to enable agentless scanning from Microsoft Defender CSPM, so the Defender CSPM plan needs to be enabled.
Next, click on Settings to configure Defender CSPM and make sure that Agentless scanning for machines is enabled.
Agentless scanning will be enabled for all virtual machines. If you want to exclude some of them, click on Edit configurations and exclude the virtual machines you want using exclusion tags.
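The same configuration can be applied without the portal. The following is an added example (not from the original post or from Microsoft) that builds and sends the Defender for Cloud pricing update for the CSPM plan with agentless VM scanning and exclusion tags; the resource URL, API version, extension name and the nested-JSON-string shape of `ExclusionTags` are my assumptions about the `Microsoft.Security/pricings` API and should be checked against the current Microsoft documentation before use.

```python
import json
import subprocess
import urllib.request

# Assumed resource id, API version and extension name for the Defender CSPM plan
# (assumption by the example's author, not taken from the post; verify before use).
PRICING_URL = ("https://management.azure.com/subscriptions/{sub}/providers/"
               "Microsoft.Security/pricings/CloudPosture?api-version=2023-01-01")
EXTENSION = "AgentlessVmScanning"


def build_pricing_body(exclusion_tags):
    """Build the PUT body that turns on Defender CSPM with agentless VM scanning.

    exclusion_tags: dict of {tag_name: tag_value}; VMs carrying any of these tags
    are skipped, mirroring the "Edit configurations" exclusion tags in the portal.
    Quirk to note: ExclusionTags is a JSON *string* nested inside the JSON body.
    """
    tags = [{"key": k, "value": v} for k, v in exclusion_tags.items()]
    extension = {"name": EXTENSION, "isEnabled": "True"}
    if tags:
        extension["additionalExtensionProperties"] = {
            "ExclusionTags": json.dumps(tags, separators=(",", ":"))
        }
    return {"properties": {"pricingTier": "Standard", "extensions": [extension]}}


def exclusion_tags_from_body(body):
    """Inverse of the above: read back which tags exclude VMs (useful for an audit script)."""
    for ext in body["properties"]["extensions"]:
        if ext["name"] == EXTENSION:
            raw = ext.get("additionalExtensionProperties", {}).get("ExclusionTags", "[]")
            return {t["key"]: t["value"] for t in json.loads(raw)}
    return {}


def enable_agentless_scanning(subscription_id, exclusion_tags):
    """Send the PUT using a bearer token from the signed-in Azure CLI session."""
    token = subprocess.check_output(
        ["az", "account", "get-access-token", "--query", "accessToken", "-o", "tsv"],
        text=True).strip()
    req = urllib.request.Request(
        PRICING_URL.format(sub=subscription_id),
        data=json.dumps(build_pricing_body(exclusion_tags)).encode(),
        method="PUT",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample: skip every VM tagged DoNotScan=true, then print the body.
    print(json.dumps(build_pricing_body({"DoNotScan": "true"}), indent=2))
```

Run `enable_agentless_scanning("<subscription-id>", {"DoNotScan": "true"})` from an `az login` session to apply it; the caller needs Security Admin (or equivalent) rights on the subscription.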
And for this demo, I installed “Dibizor” malware on a virtual machine; it was detected by the Agentless Scanning Engine, as shown in the following screenshot.
Agentless scanning in Microsoft Defender for Cloud is a powerful tool that enables organizations to assess the security of their cloud environments without the need for installed agents or network connectivity. By providing broad visibility, deep analysis, vulnerability assessment, secret scanning, and malware detection, agentless scanning helps identify and mitigate security risks, ensuring the overall health and resilience of your cloud infrastructure.