Deploying Darktrace Client Sensors: Threat Visualizer v5.0.22

The document provides instructions for installing Darktrace client sensors on Windows, MacOS, and Linux systems via the command line or installer. It describes the prerequisites, including requiring an Enterprise Immune System deployment and the FQDN, authentication token, and key ID. It then gives the commands for installing the Windows cSensor via CLI, including options for a quiet or minimal GUI install. It provides an example of the install command format and variables.


Deploying Darktrace Client Sensors

Threat Visualizer v5.0.22

Last Updated: June 28 2021


DEPLOYING DARKTRACE CLIENT SENSORS 2


Darktrace cSensors 3

Requirements and Supported Platforms 4

Installing the Windows cSensor via CLI 5

Installing the Windows cSensor via the Installer 7

Installing the MacOS cSensor via CLI 8

Installing the MacOS cSensor via the Installer 9

Installing the Linux cSensor via CLI 10

Frequently Asked Questions 12



Darktrace cSensors
Introduction
The Client Sensor (“cSensor”) extends the visibility of Darktrace’s Cyber AI Platform via endpoint agent software that
monitors devices’ network activity and delivers key data and metadata to the Enterprise Immune System. This can include
remote working devices and those that cannot be seen adequately using bulk network traffic mirroring or existing
Darktrace sensors. It is ideally used in combination with other Darktrace virtual sensors and deployment options to
achieve greater visibility with a simpler deployment.

cSensors, vSensors and osSensors


When selecting whether the cSensor is the appropriate type of sensor for a remote device in your environment, it is
important to understand the advantages and disadvantages of each potential deployment option.

osSensors

The Darktrace cSensor and the osSensor are both host-based agents. However, the osSensor performs no on-host Deep
Packet Inspection - all traffic is duplicated to a local vSensor for processing and analysis - and cannot be deployed
standalone. This deployment scenario is unsuitable for remote workers as traffic is unencrypted - a vSensor is required
to securely communicate over untrusted networks - and forwarding all traffic may have bandwidth implications.

The cSensor instead communicates via a secure connection to Darktrace Cloud-based infrastructure, making it suitable
for remote devices. Bandwidth consumption by the cSensor is restricted by combining on-endpoint DPI, so that only
processed metadata is transmitted, with some cloud-based processing.

The most suitable host-based sensor will differ depending on the deployment scenario and the network device for
monitoring. Hypervisor and Cloud VMs will generally be better served by osSensors. The osSensor is available for a
larger range of operating systems than the cSensor and can be deployed in containerized environments. Unlike the
cSensor currently, the osSensor is Antigena-enabled.

vSensors

The Darktrace vSensor is a lightweight virtual probe intended for deployment in cloud-based networks or environments
where it is not feasible to deploy a physical probe, such as virtualized networks. vSensors can be deployed as a
standalone virtual machine receiving packets from a virtual switch, in a public cloud VPC traffic-mirroring scenario, or by
collecting packets from osSensor agents deployed on VMs to be monitored. vSensors are also Antigena-enabled.

The cSensor is suitable for remote workers or tiny offices where traffic mirroring is not viable, and can also potentially
see East/West traffic that may not be reaching existing mirroring locations. It can be installed on host machines via
existing device management systems and is much lighter for host-utilization. Compared to the vSensor, the cSensor
performs slightly less Deep Packet Inspection overall.

Conversely, vSensors can ingest and process physical network traffic in addition to virtualized with additional
configuration, providing monitoring for devices that cannot support a cSensor such as printers and videoconferencing
systems. In general, vSensors serve a different device profile than those best suited to a cSensor deployment.

Requirements and Supported Platforms


Requirements
• An Enterprise Immune System deployment running Threat Visualizer v5.0 or above.

• The device monitored with the cSensor must be able to contact the cSensor infrastructure over HTTPS/443
for network traffic monitoring.

• For physical (hardware) Enterprise Immune System deployments, the master appliance must be able to
contact the cSensor infrastructure over HTTPS/443.

For virtualized Enterprise Immune System deployments, communication with the cSensor infrastructure is
handled by Darktrace operations.

Supported Operating Systems

Windows

• Windows 10, 8.1

• Windows Server 2019, 2016 and 2012R2

MacOS

• MacOS 11+, 10.15, 10.14

Linux

Supported distributions:

• Ubuntu 18.04+
• RHEL/Centos 7+
• Debian 9+
• openSUSE 15.0+/SUSE Linux Enterprise 12.4+
• Fedora (maintained versions)

The cSensor is expected to be compatible with most Linux-based distributions with a kernel version >= 4.6; therefore,
the package may be effective on distributions outside those explicitly listed above. The only supported architecture is
x86_64.

Host Utilization Requirements

• Bandwidth utilization is minimal, averaging <1kB/s.

• Negligible CPU impact, <30MB RAM usage

• Installation Packages: MacOS <30MB, Linux (all formats) <30MB, Windows <10MB

• Up to 30MB disk required.



Installing the Windows cSensor via CLI


Prerequisites
For installation of the cSensor agent on Windows platforms, Darktrace provides an .msi software package. The .msi can
be installed on the command line with the command provided below. This requires three values to be provided as
variables:

• The FQDN of your dedicated cSensor cloud infrastructure ( FQDN ).
• The unique authentication token ( UNIQUE_KEY ).
• The identifier of the unique authentication key ( KEY_ID ).

These values will be provided directly by your Darktrace representative, or found on the Your Darktrace > Software
Downloads page of the Darktrace Customer Portal. If the values are not visible, click the eye icon to reveal them.

If you are supplied with an authentication token in the format [#]:[#], such as 1:45ibn6wls9i43m4bu4qrw9w3lc31cc19,
the number before the colon is the identifier of the unique authentication key ( KEY_ID ) and the string after the colon
is the unique authentication key ( UNIQUE_KEY ). In this example, KEY_ID=1 and
UNIQUE_KEY=45ibn6wls9i43m4bu4qrw9w3lc31cc19.

Command Line Installation Process


A command line install can be executed with the following base command:

msiexec /i Darktrace_cSensor.msi SERVER="[FQDN]" KEYID="[KEY_ID]" TOKEN="[UNIQUE_KEY]" [optional parameters]

Where Darktrace_cSensor.msi is the downloaded installation package and the variables are as described above. The
first part of the command for installation (following msiexec ) must be /i followed by the path to the installation
package. Relative paths ( .\ ) to the .msi location are not supported on install or uninstall.

To make the install truly headless (no GUI installer) for mass installs, the /quiet flag can be added. For example:

msiexec /i Darktrace_cSensor.msi SERVER="[FQDN]" KEYID="[KEY_ID]" TOKEN="[UNIQUE_KEY]" /quiet

Please note, /quiet suppresses all prompts and will not report failure where fields are filled incorrectly. As an
alternative, /qb will install the cSensor with a minimal GUI and success/failure and any errors will be reported to the
user.

An additional option for installation is /norestart , which prevents the machine from restarting after successful install.
For example:

msiexec /i Darktrace_cSensor.msi SERVER="[FQDN]" KEYID="[KEY_ID]" TOKEN="[UNIQUE_KEY]" /qb /norestart

Microsoft MECM/SCCM

If installation is intended for automated roll-out via Microsoft MECM/SCCM, omit msiexec /i . For example:

Darktrace_cSensor.msi SERVER="[FQDN]" KEYID="[KEY_ID]" TOKEN="[UNIQUE_KEY]"

This may also be necessary when installing via Microsoft InTune, depending on your organizational configuration.

Worked Example

Information Provided

• FQDN: 4dg6u41a.live.darktracesensor.com
• Client Auth Information: 1:45ibn6wls9i43m4bu4qrw9w3lc31cc19

The client auth. information must first be subdivided into KEY_ID and UNIQUE_KEY . This produces:

• Key ID: 1
• Unique Token: 45ibn6wls9i43m4bu4qrw9w3lc31cc19

The installer can now be run in the format:

Example 1 - minimal GUI and no restart

msiexec /i Darktrace_cSensor.msi SERVER="4dg6u41a.live.darktracesensor.com" KEYID="1" TOKEN="45ibn6wls9i43m4bu4qrw9w3lc31cc19" /qb /norestart

Example 2 - no GUI and no restart

msiexec /i Darktrace_cSensor.msi SERVER="4dg6u41a.live.darktracesensor.com" KEYID="1" TOKEN="45ibn6wls9i43m4bu4qrw9w3lc31cc19" /quiet /norestart

Information about uninstallation can be found in the FAQ.



Installing the Windows cSensor via the Installer


Prerequisites
Before proceeding, ensure you have three important pieces of information:

• The FQDN of your dedicated cSensor cloud infrastructure.
• The unique authentication token.
• The identifier of the unique authentication token.

These values will be provided directly by your Darktrace representative, or found on the Your Darktrace > Software
Downloads page of the Darktrace Customer Portal. If the values are not visible, click the eye icon to reveal them.

If you are supplied with authentication information in the format [#]:[#], such as
1:45ibn6wls9i43m4bu4qrw9w3lc31cc19, the number before the colon is the identifier of the unique authentication
token and the string after the colon is the unique authentication token. In this example, the Key ID is 1 and the Token
is 45ibn6wls9i43m4bu4qrw9w3lc31cc19.

Installation Process
1. Download the cSensor .msi file provided by Darktrace. Double-click on the file to launch the installation
wizard.

2. In the installation dialog, proceed through to the “Configuration” page. This is where the three important
values described above must be entered.

In the Server IP/Hostname field, enter the FQDN of your dedicated cSensor cloud infrastructure. For
example, 4dg6u41a.live.darktracesensor.com

In the Agent Key ID field, enter the identifier for your unique token. For example, 1 .

In the Agent Authentication Token field, enter your unique organizational authentication token, for example
45ibn6wls9i43m4bu4qrw9w3lc31cc19 .

3. Click “Next”. Optionally modify the default install path, then ensure the installation is for everyone.

4. Click “Next” and allow the application to install.

Installation is now complete.

Information about uninstallation can be found in the FAQ.



Installing the MacOS cSensor via CLI


Prerequisites
Before proceeding, ensure you have three important pieces of information:

• The FQDN of your dedicated cSensor cloud infrastructure.
• The unique authentication token.
• The identifier of the unique authentication token.

These values will be provided directly by your Darktrace representative, or found on the Your Darktrace > Software
Downloads page of the Darktrace Customer Portal. If the values are not visible, click the eye icon to reveal them.

If you are supplied with authentication information in the format [#]:[#], such as
1:45ibn6wls9i43m4bu4qrw9w3lc31cc19, the number before the colon is the identifier of the unique authentication
token and the string after the colon is the unique authentication token. In this example, the Key ID is 1 and the Token
is 45ibn6wls9i43m4bu4qrw9w3lc31cc19.

Installation Process
To install the Darktrace cSensor application remotely or via the command line, the steps required are as follows:

1. Copy the install package onto the target device. The install package has the naming syntax
“darktrace_csensor_v[X].[Y].[Z]-[#].pkg”, where the placeholders in the cSensor package name will differ
between packages as the software version increments.

2. In the same location as the package on the target device, create a configuration file named “config.csensor”.
This file must contain the important pieces of information outlined above:

◦ The FQDN of your dedicated cSensor cloud infrastructure ( FQDN ).
◦ The unique authentication token ( UNIQUE_KEY ).
◦ The identifier of the unique authentication token ( KEY_ID ).

The values must be formatted in one line, colon-separated at the top of the file:

FQDN:UNIQUE_KEY:KEY_ID

For example:

4dg6u41a.live.darktracesensor.com:45ibn6wls9i43m4bu4qrw9w3lc31cc19:1

3. Install the package with the installer utility using the command:

sudo installer -pkg [path-to-package] -target /

Optionally, add the -verbose flag for install logging.

4. Remove the “config.csensor” and package files.

To update an existing installed Darktrace cSensor application remotely or via the command line, without changing
configuration, copy the new version to the target device. Install the package with the installer utility using the command
sudo installer -pkg <path to package> -target / with/without the optional -verbose flag. Remove the package
file after completion.

Reinstallation is required if FQDN , UNIQUE_KEY or KEY_ID change. Uninstall the package first before attempting
reinstall. Information about uninstallation can be found in the FAQ.

Installing the MacOS cSensor via the Installer


Prerequisites
Before proceeding, ensure you have three important pieces of information:

• The FQDN of your dedicated cSensor cloud infrastructure.
• The unique authentication token.
• The identifier of the unique authentication token.

These values will be provided directly by your Darktrace representative, or found on the Your Darktrace > Software
Downloads page of the Darktrace Customer Portal. If the values are not visible, click the eye icon to reveal them.

If you are supplied with authentication information in the format [#]:[#], such as
1:45ibn6wls9i43m4bu4qrw9w3lc31cc19, the number before the colon is the identifier of the unique authentication
token and the string after the colon is the unique authentication token. In this example, the Key ID is 1 and the Token
is 45ibn6wls9i43m4bu4qrw9w3lc31cc19.

Installation Process
1. Download the cSensor .dmg file provided from the customer portal or your Darktrace representative.
Double-click on the .dmg file to open a new window containing the package.

2. In this new window, double click the ‘install’ package to launch the installation wizard.

3. In the installation dialog, proceed through the “Introduction” to the “Settings” page. This is where the three
important values described above must be entered.

In the Server field, enter the FQDN of your dedicated cSensor cloud infrastructure. For example,
4dg6u41a.live.darktracesensor.com

In the Key ID field, enter the identifier for your unique token. For example, 1 .

In the Token field, enter your unique organizational authentication token, for example
45ibn6wls9i43m4bu4qrw9w3lc31cc19 .

4. Click “Continue” and proceed. If prompted, provide admin credentials to approve the installation.

5. Click “Install” and allow the package to install.

6. Optionally allow the wizard to delete the installation package after successful install.

7. Open a Finder window and eject the .dmg file.

Installation is now complete.

Information about uninstallation can be found in the FAQ.



Installing the Linux cSensor via CLI


The cSensor is provided in .deb and .rpm formats to be installed using the relevant distribution’s package manager.
Automatic updates will be provisioned outside the scope of the package manager, but will be removed correctly on
uninstallation.

The cSensor is run as a systemd service, configured to always be running.

COMPONENT            LOCATION
cSensor executable   /var/lib/darktrace-csensor/current/darktrace-csensor
Default log file     /var/log/darktrace-csensor/info.log

Prerequisites
Installation requires three values to be provided as variables:

• The FQDN of your dedicated cSensor cloud infrastructure ( FQDN ).
• The unique authentication token ( UNIQUE_KEY ).
• The identifier of the unique authentication key ( KEY_ID ).

These values will be provided directly by your Darktrace representative, or found on the Your Darktrace > Software
Downloads page of the Darktrace Customer Portal. If the values are not visible, click the eye icon to reveal them.

If you are supplied with an authentication token in the format [#]:[#], such as 1:45ibn6wls9i43m4bu4qrw9w3lc31cc19,
the number before the colon is the identifier of the unique authentication key ( KEY_ID ) and the string after the colon
is the unique authentication key ( UNIQUE_KEY ). In this example, KEY_ID=1 and
UNIQUE_KEY=45ibn6wls9i43m4bu4qrw9w3lc31cc19.

Installation Process
To install the Darktrace cSensor application via the command line the steps required are as follows:

1. Copy the install package onto the target device.

2. Create a configuration file at /etc/darktrace-csensor/setup . This file must contain the important pieces of
information outlined above:

◦ The FQDN of your dedicated cSensor cloud infrastructure ( FQDN ).
◦ The identifier of the unique authentication token ( KEY_ID ).
◦ The unique authentication token ( UNIQUE_KEY ).

Values should be separated by newlines, in the format:

FQDN
KEY_ID
UNIQUE_KEY

For example:

4dg6u41a.live.darktracesensor.com
1
45ibn6wls9i43m4bu4qrw9w3lc31cc19

3. Create a configuration file, located at /etc/darktrace-csensor/config.cfg , to contain any optional
configuration settings.

For example:

#Path to certificate bundle for SSL connections.
#The cSensor will search in default locations for standard distributions.
cacerts-path=/etc/ssl/certs/ca-certificates.crt

#Proxy for requests.
#Use 'proxy=' to specify no proxy should be used. Default port if not specified is 1080
proxy=http://proxy.example.com:3128/

#Log rotation options.
#Logs will be rotated up to log-max-files times.
#Rotation will occur if current log file size exceeds log-file-size-mb MB.
log-max-files=4
log-file-size-mb=10

4. Install the package with the appropriate command for the package type, for example
sudo apt install <path to package> or sudo yum install <path to package>

Exact installation output will depend on package manager used for installation. On successful installation, a
line stating

Successfully configured Darktrace cSensor

should be present in the command output.

The setup file at /etc/darktrace-csensor/setup should be automatically removed on successful installation. The
package file itself can be manually removed.

The configuration file can be modified after installation but the service must be restarted (e.g., with
sudo systemctl restart darktrace-csensor.service ).

To modify setup variables such as the FQDN or UNIQUE_KEY , the cSensor must be uninstalled and reinstalled.
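The Windows CLI, MacOS CLI and Linux sections above all start from the same two values (the FQDN and the KEY_ID:UNIQUE_KEY auth string) but each platform consumes them in a different shape. The following POSIX shell script is an added example, not Darktrace tooling: it validates and splits the auth string once, then produces the msiexec command line (Windows), the config.csensor line (MacOS, ordered FQDN:UNIQUE_KEY:KEY_ID) and the /etc/darktrace-csensor/setup contents (Linux, one value per line in the order FQDN, KEY_ID, UNIQUE_KEY), and checks package-manager output for the documented success line. It assumes KEY_ID is numeric and UNIQUE_KEY is alphanumeric, as in the document's example, and takes a staging directory as a parameter so nothing is written under /etc by the demonstration itself.

```shell
#!/bin/sh
# Added example, not Darktrace tooling: derive each platform's install inputs from
# the two values a Darktrace representative supplies (the FQDN and the
# "KEY_ID:UNIQUE_KEY" auth string). Assumptions: KEY_ID is numeric and UNIQUE_KEY
# is alphanumeric, as in the document's example; the staging directory used by
# write_linux_setup is a parameter so nothing is written under /etc here.

# Validate "KEY_ID:UNIQUE_KEY" and print the two parts separated by one space.
split_auth_info() {
    auth="$1"
    case "$auth" in
        *:*) ;;
        *) echo "auth info must look like KEY_ID:UNIQUE_KEY" >&2; return 1 ;;
    esac
    key_id="${auth%%:*}"
    unique_key="${auth#*:}"
    case "$key_id" in
        ''|*[!0-9]*) echo "KEY_ID must be numeric" >&2; return 1 ;;
    esac
    case "$unique_key" in
        ''|*[!0-9A-Za-z]*) echo "UNIQUE_KEY must be alphanumeric" >&2; return 1 ;;
    esac
    printf '%s %s\n' "$key_id" "$unique_key"
}

# Windows: the msiexec line from the document, minimal GUI and no restart.
build_msiexec_cmd() {
    parts=$(split_auth_info "$2") || return 1
    printf 'msiexec /i Darktrace_cSensor.msi SERVER="%s" KEYID="%s" TOKEN="%s" /qb /norestart\n' \
        "$1" "${parts%% *}" "${parts#* }"
}

# macOS: the single config.csensor line, ordered FQDN:UNIQUE_KEY:KEY_ID.
macos_config_line() {
    parts=$(split_auth_info "$2") || return 1
    printf '%s:%s:%s\n' "$1" "${parts#* }" "${parts%% *}"
}

# Linux: contents of /etc/darktrace-csensor/setup, ordered FQDN, KEY_ID, UNIQUE_KEY.
linux_setup_content() {
    parts=$(split_auth_info "$2") || return 1
    printf '%s\n%s\n%s\n' "$1" "${parts%% *}" "${parts#* }"
}

# Write the Linux setup file into a staging directory with owner-only permissions,
# since it carries the authentication token. Copy it to /etc/darktrace-csensor/
# as root on the target host before running the package install.
write_linux_setup() {
    dir="$1"
    mkdir -p "$dir"
    ( umask 077; linux_setup_content "$2" "$3" > "$dir/setup" )
}

# Return 0 when the package-manager output on stdin contains the success line the
# document says to expect, 1 otherwise. Usage: sudo apt install ./pkg.deb 2>&1 | install_succeeded
install_succeeded() {
    grep -q 'Successfully configured Darktrace cSensor'
}

# Demonstration with the document's example values.
FQDN=4dg6u41a.live.darktracesensor.com
AUTH=1:45ibn6wls9i43m4bu4qrw9w3lc31cc19
build_msiexec_cmd "$FQDN" "$AUTH"
macos_config_line "$FQDN" "$AUTH"
linux_setup_content "$FQDN" "$AUTH"
```

Validating the auth string before generating anything catches the most common mass-rollout mistake, a token pasted with the wrong half on the wrong side of the colon, which the /quiet Windows install would otherwise swallow silently. The setup file is written with mode 0600 because it holds the organisation's authentication token until the installer removes it.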

Troubleshooting

If package installation fails, it is recommended to remove the package before attempting installation again using the
appropriate command for the distribution’s package manager. For example:

sudo apt remove darktrace-csensor or sudo yum remove darktrace-csensor

To check cSensor operation, the default log file location is /var/log/darktrace-csensor/info.log . Standard
systemctl / journalctl commands are supported for darktrace-csensor.service .

Proxy Settings

The cSensor will search for proxy settings in the following locations in priority order:

1. Configuration file at /etc/darktrace-csensor/config.cfg

2. https_proxy environment variable for root user

3. HTTPS_PROXY environment variable for root user

Currently, the no_proxy environment variable is not supported - if the target server requires no proxy but a proxy is
taken from the environment, adding the following line to the configuration file will force direct access.

proxy=
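The priority order above decides which proxy the cSensor ends up using, and the empty proxy= line is the only way to override a proxy inherited from root's environment. The following shell script is an added example, not the cSensor's own code: it mirrors the documented order (config file first, then https_proxy, then HTTPS_PROXY), treats an empty proxy= as direct access, and applies the documented default port of 1080 to a config-file proxy given without one. The config path is a parameter so it runs against a constructed file; handling of bracketed IPv6 literals is not attempted.

```shell
#!/bin/sh
# Added example, not the cSensor's own code: work out which proxy a Linux cSensor
# host would end up using, following the priority order the document lists:
#   1. a proxy= line in /etc/darktrace-csensor/config.cfg (empty value = direct)
#   2. the https_proxy environment variable of the root user
#   3. the HTTPS_PROXY environment variable of the root user
# The config path is a parameter so the example runs against a constructed file.
# Assumption: the documented default port of 1080 applies to a config-file proxy
# given without a port; plain hostnames, not bracketed IPv6 literals, are handled.

# Append :1080 to a proxy URL whose host part carries no port.
with_default_port() {
    url="$1"
    case "$url" in
        *://*) scheme="${url%%://*}://"; rest="${url#*://}" ;;
        *)     scheme="";                rest="$url" ;;
    esac
    hostport="${rest%%/*}"
    path="${rest#"$hostport"}"
    case "$hostport" in
        *:*) printf '%s\n' "$url" ;;
        *)   printf '%s%s:1080%s\n' "$scheme" "$hostport" "$path" ;;
    esac
}

# Print "direct", the effective proxy URL, or "none" when nothing is configured.
resolve_csensor_proxy() {
    cfg="$1"
    if [ -f "$cfg" ] && grep -q '^proxy=' "$cfg"; then
        # First proxy= line wins; an empty value is the documented way to force direct access.
        value=$(sed -n 's/^proxy=//p' "$cfg" | head -n 1)
        if [ -z "$value" ]; then
            echo direct
        else
            with_default_port "$value"
        fi
    elif [ -n "$https_proxy" ]; then
        printf '%s\n' "$https_proxy"
    elif [ -n "$HTTPS_PROXY" ]; then
        printf '%s\n' "$HTTPS_PROXY"
    else
        echo none
    fi
}

# Demonstration against a constructed config file (the real one lives at
# /etc/darktrace-csensor/config.cfg, and the environment checked is root's).
demo_dir=$(mktemp -d)
printf 'log-max-files=4\nproxy=http://proxy.example.com:3128/\n' > "$demo_dir/config.cfg"
echo "config with proxy:     $(resolve_csensor_proxy "$demo_dir/config.cfg")"
printf 'proxy=\n' > "$demo_dir/config.cfg"
echo "config forcing direct: $(resolve_csensor_proxy "$demo_dir/config.cfg")"
rm -rf "$demo_dir"
```

Run it as root on a host where the sensor is not reaching the cloud infrastructure: a result of "none" with a proxy-only egress policy, or an unexpected proxy inherited from root's environment, explains the failure before any log is read.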

Frequently Asked Questions


How are updates handled?

Updates are available via two channels: manual and automated. Manual updates can be handled by your existing
organizational device management systems for device applications. Automated updates are provided from Darktrace
infrastructure and, like the Enterprise Immune System, are available in two tracks - Stable and Early Adopter.

For the Linux cSensor, automatic updates are provisioned outside the scope of the package manager.

How do I uninstall the agent?

Windows

• For GUI uninstallation, the “Settings > Apps” or “Add or Remove Programs” dialogs can be used to remove
the application.

• CLI uninstall can be performed with msiexec /x Darktrace_cSensor.msi /norestart /quiet . Please note,
relative paths ( .\ ) to the .msi location are not supported on install or uninstall.

MacOS (current - v1.1.0+ installs)

• For CLI installations, copy the relevant uninstall package onto the target device. The package has the naming
syntax “uninstall_csensor_v[X].[Y].[Z]-[#].pkg”, where the placeholders in the package name will differ
between packages as the software version increments. Remove the package with the installer utility using
the command sudo installer -pkg [path to package] -target / with the optional -verbose flag for
logging. Remove the uninstall package afterwards.

• For GUI installs, the uninstall package is provided within the initial .dmg file. Double-click on the .dmg file
to open a new window containing the packages, then double click the ‘uninstall’ package to launch the
uninstallation.

MacOS (legacy - v1.0.# series installs)

Please note, if a v1.0.# series install has been upgraded to v1.1.0+, please follow the steps described above.

• For CLI installs, the uninstall_csensor_agent.sh shell script is provided. The script should be run without
arguments - sudo sh uninstall_csensor_agent.sh - on the device where the agent is installed.

• For GUI installs, the “Darktrace cSensor” application icon should be dragged from the Applications folder
into the Trash or Bin.

Linux

• To remove the cSensor, run the appropriate uninstallation command for the package type installed with the
target darktrace-csensor :

sudo rpm -e darktrace-csensor

sudo dpkg -r darktrace-csensor

Optionally the command may require a modification to completely remove configuration, for example:

sudo dpkg -P darktrace-csensor

In some instances, uninstallation will produce many warnings of the form:



warning: file <path>: remove failed: No such file or directory

This is caused by installed files being created/deleted during normal operation and cleaned up before the package
manager expects them to be. Warnings of this format can be safely ignored.

Where can I find logs for troubleshooting?

If relevant logs are requested by your Darktrace representative or a member of Darktrace support, these can be found in
the following locations for each operating system.

Windows

Installation logs - AppData/Local/Temp/DtcsInstall.log

Operating logs - ProgramData/Darktrace/cSensor/csensor.log

MacOS

Installation logs can be found in the generic /var/log/install.log . This log will also contain entries from other services, so
only the log lines relevant to the cSensor service can be extracted and the other lines discarded if preferred.

Operating logs - /var/log/com.darktrace.csensor/com.darktrace.csensor.agent.log

Linux

Exact installation output will depend on the package manager used for installation. Relevant information should be output
when the install command is run.

Operating logs can be found at /var/log/darktrace-csensor/info.log . Standard systemctl / journalctl
commands are also supported for darktrace-csensor.service .

How will cSensors appear on my deployment?

Devices monitored by cSensors are aggregated by country and displayed on the Threat Visualizer world map
accordingly. Monitored devices will display a cSensor icon in the omnisearch bar to indicate the data source and will
show additional information on hover including the OS and installed agent version.

How does device tracking work?

cSensor-monitored devices are modeled as distinct entities by a unique identifier. Traffic on multiple interfaces (such as
concurrent Wifi and Ethernet connections) is modeled together as part of the single entity. cSensor devices are currently
aggregated into per-country groups, rather than subnets. Device tracking options are not available for these groups.

If network traffic is seen for a monitored device via a different source - for example, a remote worker visits a satellite
office and connects to the wifi - traffic will not be deduplicated.

How does Advanced Search data differ from other traffic monitoring methods?

For long-lived connections, in its current implementation, the cSensor performs deep packet inspection analysis on the
connection start. Advanced Search data for these connections will be incomplete for connection history and total data
transfer over the connection lifetime. Records for short-lived or encrypted connections such as DNS and SSL will be
complete.
US:+1 415 229 9100 UK:+44 (0) 1223 394 100 LATAM:+55 11 4949 7696 APAC:+65 6804 5010 [email protected] darktrace.com
