Overview
With Blumira Agent and the Poshim (PowerShell Shim) install script, Blumira can receive event logs directly through the cloud within minutes, and without the need for a server or additional configurations. Devices running Blumira Agent (also called “agent devices”) send logs of remote activity on the Windows operating system to Blumira for detection and response. Additionally, Blumira Agent allows you to temporarily isolate a suspicious or vulnerable host while you determine the next steps in a detection event.
Requirements
- You must be a Blumira Administrator or Manager to generate installation keys and scripts for Blumira Agent.
- You can install Blumira Agent on Windows machines that are running Windows XP 32-bit or higher.
- You must be a Windows administrator to run the installation script in PowerShell.
Before you begin
If your organization is actively blocking outbound traffic or using SSL interception, you must add the following URLs to your allowlist:
- URL used to download the agent:
https://dl.blumira.com/agent/files/blu_agent.exe
- URL for shipping Windows and agent logs:
9157798c50af372c.lc.limacharlie.io:443
- Additional SSL Certificate Exclusion when using SSL decryption/interception:
rp_c2_dev
Installing the agent
Blumira’s Poshim script provides you with a simple process for installing and running Blumira Agent on your remote devices. Obtain a custom script in-app, then run the agent install script in an elevated PowerShell command prompt.
Note: If NXLog or Sysmon is found on the device, Poshim removes it, because neither is required for Blumira Agent and Windows endpoint logging. However, NXLog and Sysmon are included in the Poshim script when integrating Windows machines that do not run Blumira Agent.
You can create separate scripts with different installation keys, which is especially useful if you manage multiple devices as a group. How many keys you create depends on whether you want to manage the devices as one group for your entire organization or segment your agent deployment using multiple keys.
To create and gather a new installation script:
- Navigate to Blumira Agent > Installation.
- Under Generate agent installation script, click Select installation key.
- Click Create new installation key.
- In the Installation key details window, type a description and the number of devices on which you will use the key to install Blumira Agent.
Tip: Most organizations only need one key for all of their agent devices. Use one key for your total allowance unless you have a clear need for separate keys used on specific groups of devices.
- Click Save changes.
- Click Copy to copy the custom installation script that appears.
- Run the script on the target device in an elevated PowerShell prompt.
Note: If your devices are using Threatlocker, ensure that you properly allow application installation before running the script, otherwise Threatlocker will stop it from completing successfully. See Threatlocker's instructions in Using Learning Mode to Track Installed Files from an RMM or Software Deployment Tool.
Validating that Blumira Agent installed successfully
After you run the Poshim install script, the Blumira Agent service appears as a running process and service in the machine’s Task Manager. The agent device also appears in the Devices table in the Blumira app.
To validate that Blumira Agent is installed:
- Verify that the installation status shows as “Successful” in PowerShell.
- Open Task Manager on the machine and search for the file or service using any of the following identifiers:
  - Under the Details tab, find the running File Name “rphcp.exe”.
  - Under the Services tab, find the service description “Blumira Agent” or service name “rphcpsvc”.
  - Under the Processes tab, find the Task Manager human name “refractionPOINT HCP”.
- In the Blumira app, navigate to Blumira Agent > Devices.
- In the Devices table, find the row for the newly added agent device.
- In the Agent status column, verify that the device is “Online”.
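The validation steps above can be scripted for a fleet rather than checked by hand in Task Manager. The following is an added example, not Blumira’s Poshim script: it uses the service name, process name and log-shipping endpoint listed on this page, and assumes the leftover NXLog and Sysmon services, if still present, are registered as “nxlog” and “Sysmon*”, and that Test-NetConnection is available (Windows 8 / Server 2012 or later).

```powershell
# Added post-install check for Blumira Agent (not Blumira's Poshim script).
# Service name, process name and endpoints are taken from the page above.
$ServiceName = 'rphcpsvc'
$ProcessName = 'rphcp'
$LogHost     = '9157798c50af372c.lc.limacharlie.io'
$LogPort     = 443
$DownloadUrl = 'https://dl.blumira.com/agent/files/blu_agent.exe'

function Test-BlumiraAgent {
    $results = [ordered]@{}

    # 1. Service installed and running (Services tab: rphcpsvc)
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $results['ServicePresent'] = [bool]$svc
    $results['ServiceRunning'] = [bool]($svc -and $svc.Status -eq 'Running')

    # 2. Process present (Details tab: rphcp.exe)
    $proc = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
    $results['ProcessRunning'] = [bool]$proc

    # 3. Outbound path to the log-shipping endpoint; a failure here usually
    #    means egress filtering or a missing allowlist entry, and the device
    #    will show as offline in the Blumira app even though the agent runs.
    $tcp = Test-NetConnection -ComputerName $LogHost -Port $LogPort -WarningAction SilentlyContinue
    $results['LogEndpointReachable'] = [bool]$tcp.TcpTestSucceeded

    # 4. Download URL reachable; a TLS error here points at SSL interception.
    try {
        $resp = Invoke-WebRequest -Uri $DownloadUrl -Method Head -UseBasicParsing -TimeoutSec 15
        $results['DownloadUrlReachable'] = ($resp.StatusCode -eq 200)
    } catch {
        $results['DownloadUrlReachable'] = $false
    }

    # 5. Log shippers Poshim should have removed (service names are assumptions)
    $results['NxlogRemoved']  = -not (Get-Service -Name 'nxlog'   -ErrorAction SilentlyContinue)
    $results['SysmonRemoved'] = -not (Get-Service -Name 'Sysmon*' -ErrorAction SilentlyContinue)

    return [pscustomobject]$results
}

$check = Test-BlumiraAgent
$check | Format-List
if ($check.PSObject.Properties.Value -contains $false) {
    Write-Warning 'One or more Blumira Agent checks failed; see the list above.'
    exit 1
}
```

Run it in the same elevated PowerShell session used for the install; a non-zero exit code makes it usable as a post-deployment check from an RMM tool.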