Installing Blumira Agent on a remote device

Overview

With Blumira Agent and your customized install script, Blumira receives event logs directly through the cloud within minutes, without a log-collection server or additional configuration. Devices running Blumira Agent send their Windows, Mac, or Linux logs to Blumira for detection and response. Blumira Agent also lets you temporarily isolate a suspicious or vulnerable host while you decide on next steps during a detection.

Supported platforms

Blumira Agent can run on the following platforms:

  • Windows XP 32-bit or higher (excludes ARM)
  • x86_64 Linux distributions that use the apt or yum package manager
  • macOS 10.7 and later

Before you begin

If your organization blocks outbound traffic by default or performs SSL/TLS interception, add the following destinations to your firewall's allowlist so the agent can be downloaded and can then connect to Blumira:

  • URLs used to download the agent:
    • Windows:
      https://dl.blumira.com/agent/files/blu_agent.exe
    • Linux:
      https://dl.blumira.com/blumira_linux_agent.sh
    • Mac:
      https://dl.blumira.com/blumira_macos_agent.sh
  • Host and port the agent uses to ship logs:
    9157798c50af372c.lc.limacharlie.io:443
  • In some cases, the IP address behind that host must also be allowlisted (for example, when your firewall cannot match on hostnames):
    35.194.62.236
  • If you use SSL/TLS decryption or interception, the agent's connection must also be excluded from decryption, because the agent will not accept a substituted proxy certificate. Add the following SSL certificate exclusion:
    rp_c2_dev

If the agent installation fails and you have not yet added the destinations above to your allowlist, run the following from PowerShell on the device to check whether outbound traffic to the agent endpoint is being blocked:

Test-NetConnection -ComputerName "9157798c50af372c.lc.limacharlie.io" -Port 443

If TcpTestSucceeded is False, traffic is being blocked; add the destinations above to your firewall allowlist. Note that a successful TCP test only shows that the port is reachable. It does not reveal whether a decrypting proxy is replacing the server certificate, which also causes the agent's connection to fail.
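The following PowerShell function is an added example, not part of the Blumira article or of the agent. It goes one step beyond Test-NetConnection: after confirming TCP reachability, it completes a TLS handshake with the log-shipping endpoint and reports the certificate that was actually presented, so you can tell an outright block from SSL interception. The host, port and IP address come from the allowlist above; the function name and the comparison against the documented IP are this example's own assumptions.

```powershell
# Added example (not from the Blumira article or the agent). Checks the two
# things that break agent enrollment behind a restrictive egress policy:
# TCP reachability of the log-shipping endpoint, and whether a decrypting
# proxy is substituting its own certificate on that connection.
# Requires Windows 8 / Server 2012 or later for Test-NetConnection.
function Test-BlumiraAgentEgress {
    param(
        [string]$AgentHost  = '9157798c50af372c.lc.limacharlie.io',  # from the allowlist
        [int]   $AgentPort  = 443,                                    # from the allowlist
        [string]$ExpectedIp = '35.194.62.236'                         # from the allowlist
    )

    # 1. TCP reachability (this is all that Test-NetConnection tells you).
    $tcp  = Test-NetConnection -ComputerName $AgentHost -Port $AgentPort -WarningAction SilentlyContinue
    $addr = if ($tcp.RemoteAddress) { $tcp.RemoteAddress.IPAddressToString } else { $null }

    $result = [ordered]@{
        Host            = $AgentHost
        ResolvedAddress = $addr
        TcpReachable    = [bool]$tcp.TcpTestSucceeded
        # A mismatch means an IP-only firewall rule for the documented address
        # would not cover the address this host currently resolves to.
        IpMatchesDocs   = ($addr -eq $ExpectedIp)
        TlsHandshakeOk  = $false
        CertSubject     = $null
        CertIssuer      = $null
        CertThumbprint  = $null
    }
    if (-not $tcp.TcpTestSucceeded) {
        return [pscustomobject]$result   # blocked or unresolvable; nothing more to learn
    }

    # 2. TLS handshake. The validation callback accepts any certificate so that an
    #    intercepting proxy's certificate is captured and shown rather than rejected.
    $client = [System.Net.Sockets.TcpClient]::new($AgentHost, $AgentPort)
    try {
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($AgentHost)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $result.TlsHandshakeOk = $true
        $result.CertSubject    = $cert.Subject
        $result.CertIssuer     = $cert.Issuer
        $result.CertThumbprint = $cert.Thumbprint
    } catch {
        $result.CertIssuer = "handshake failed: $($_.Exception.Message)"
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
    [pscustomobject]$result
}

Test-BlumiraAgentEgress | Format-List
```

Read the output as follows: TcpReachable False means the firewall is blocking the port. TcpReachable True with a CertIssuer that names your own inspection or proxy CA means the connection is being decrypted, and the certificate exclusion above is what you need; compare the thumbprint with one captured from a network that is known not to intercept. A handshake failure with the port reachable usually points to a proxy that refuses the connection rather than a simple block.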

Installing the agent

Required: You must be a Blumira Administrator or Manager to generate installation keys and scripts for Blumira Agent.

Blumira’s agent installation scripts provide a simple process for installing and running Blumira Agent on your remote endpoints. Obtain a custom script in-app, then run it with administrative (or root) privileges on each device you want to collect logs from. The generated script is tied to your installation key, so treat it as a credential rather than sharing it broadly.

Notes:

  • If NXLog or Sysmon are found on the device, the agent installation script removes them, because they are not required for Blumira Agent and Windows endpoint logging. (NXLog and Sysmon are installed by the Poshim script, which is used when integrating Windows machines without Blumira Agent.) If other tooling on the host depends on Sysmon, plan for its removal before running the script.
  • If your devices use ThreatLocker, allow the application installation before running the script; otherwise ThreatLocker stops it from completing. See ThreatLocker's instructions in Using Learning Mode to Track Installed Files from an RMM or Software Deployment Tool.

To create and gather a new installation script:

  1. Navigate to Blumira Agent > Installation.
  2. Under Generate agent installation script, click Select installation key.
  3. If you already have an installation key in the app, select the installation key from the options; otherwise, click Create new installation key then type a description and the number of devices on which you will install Blumira Agent using the new key.
  4. Under Select platform, select the OS platform you plan to install the agent on.
  5. Click Copy to copy the custom installation script that appears in the box.

To run the script directly on the device, complete the following steps for the platform you selected.

Windows

After logging in to the Windows device as an administrator, paste the agent installation script into an elevated PowerShell prompt and press Enter. The script performs all installation steps automatically.

As an alternative, you can run the Windows installer and pass the installation key to it by following the steps in Installing via MSI.

Recommended: In addition to the logs that Windows enables by default, Blumira recommends deploying Logmira, its group policy object (GPO) template for advanced logging. This GPO enables about 100 additional types of Windows logs, which improves detection coverage. Tip: If you want to test some of the detections available for Blumira Agent logs, see the test procedures in Testing detections for remote Windows logs.
Linux

On a Linux device, paste the agent installation script into a terminal and press Enter. The script performs all installation steps automatically.

Tip: If you want to test some of the detections available for Blumira Agent logs, see the test procedures in Testing detections for Mac or Linux logs collected by Blumira Agent.

Mac

On a Mac device, complete the following with root privileges (for example, via sudo):

  1. Open Terminal, paste the agent installation script into the command line, and press Enter.
  2. The application RPHCP.app installs and launches automatically.
  3. In the permissions window that appears, click Install to continue the full installation.
  4. In the RPHCP window that appears below the System Extension Blocked window, click Open Security Preferences.
  5. Allow the system extension to load, depending on the macOS version of the device:
    • On versions earlier than macOS 15 (Sequoia), unlock the General preferences in the Security & Privacy window, then click Allow next to “System software from application "RPHCP" was blocked from loading.”
    • On macOS 15 (Sequoia), navigate to General > Login Items & Extensions > Extensions > RPHCP, click the info (i) icon next to the name, slide the toggle to the right (enabled), and click Done.
  6. In the “RPHCP” Would Like to Filter Network Content window, click Allow.
  7. When prompted to grant the application Full Disk Access (Security & Privacy > Privacy > Full Disk Access), select the check box or slider next to RPHCP.
  8. When the “Installation was successful” window appears, click OK.

These three approvals (system extension, network content filter, and Full Disk Access) are what let the agent observe the device; the installation is not complete until all of them are granted.

Note: You can deploy the agent to Mac devices silently with an MDM solution, which also pre-approves these permissions instead of requiring the manual steps above. See LimaCharlie’s example configurations and preferences in macOS Sensor Installation - MDM Configuration Profiles.
Tip: If you want to test some of the detections available for Blumira Agent logs, see the test procedures in Testing detections for Mac or Linux logs collected by Blumira Agent.

Verifying that Blumira Agent is connected 

To verify that Blumira Agent is installed and connected to Blumira, do the following:

  1. In the Blumira app, navigate to Blumira Agent > Devices.
  2. In the Devices table, find the row for the newly added agent device.
  3. In the Agent status column, verify that the device is “Online”.

If the device does not appear as connected in Blumira, check whether the agent is running on the device itself:

Windows

Open Task Manager and look for the agent using any of the following:
  • Under the Details tab, the running file name rphcp.exe.
  • Under the Services tab, the service description “Blumira Agent” or service name rphcpsvc.
  • Under the Processes tab, the display name “refractionPOINT HCP”.

Mac

Find and run the app RPHCP from the Applications folder. A message appears confirming whether the required permissions have been granted.

Linux

In a terminal, run:

sudo systemctl status blumira_agent

If you have confirmed that the agent is running on the device but no logs reach Blumira, verify that your account has not already reached the maximum number of agents allowed by your license. An agent beyond that limit cannot connect to Blumira to send logs. Either remove old agents that are no longer needed or increase your agent limit so the newly installed agent can connect.
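The following PowerShell function is an added example, not part of the Blumira article or of the agent. It automates the Windows checks in the table above (service rphcpsvc, process rphcp.exe) and adds the one piece of evidence Task Manager does not show: whether the agent process currently holds an established connection to the log-shipping endpoint. That distinguishes the three failure modes in this section: not installed, installed but blocked on the network, and connected but rejected because of the agent limit. The service and process names are the ones the article lists and the endpoint host is from the allowlist section; the function name, and the assumption that a healthy agent keeps a persistent connection open, are this example's own.

```powershell
# Added example (not from the Blumira article or the agent). Run in an
# elevated PowerShell prompt on a Windows device where the agent was installed.
# Assumption: a healthy agent keeps a persistent TLS connection to the endpoint;
# if it connects only intermittently, run this a few times.
function Get-BlumiraAgentLocalStatus {
    param(
        [string]$AgentHost = '9157798c50af372c.lc.limacharlie.io'   # from the allowlist
    )

    # Names from the article's Task Manager table.
    $svc  = Get-Service -Name 'rphcpsvc' -ErrorAction SilentlyContinue
    $proc = @(Get-Process -Name 'rphcp' -ErrorAction SilentlyContinue)

    # Resolve the endpoint so established connections can be matched by address.
    $endpointIps = @()
    try {
        $endpointIps = @([System.Net.Dns]::GetHostAddresses($AgentHost) | ForEach-Object { $_.IPAddressToString })
    } catch { }

    # Established outbound TLS connections owned by the agent process(es).
    $conns = @()
    if ($proc.Count -gt 0) {
        $conns = @(Get-NetTCPConnection -OwningProcess $proc.Id -State Established -ErrorAction SilentlyContinue |
                   Where-Object { $_.RemotePort -eq 443 })
    }
    $toBlumira = @($conns | Where-Object { $endpointIps -contains $_.RemoteAddress })

    [pscustomobject]@{
        ServiceInstalled     = [bool]$svc
        ServiceStatus        = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        ServiceStartType     = if ($svc) { $svc.StartType.ToString() } else { $null }
        ProcessRunning       = ($proc.Count -gt 0)
        ProcessIds           = $proc.Id
        Established443       = $conns.Count
        ConnectedToBlumira   = ($toBlumira.Count -gt 0)
        BlumiraRemoteAddress = (($toBlumira | ForEach-Object { $_.RemoteAddress }) -join ', ')
    }
}

Get-BlumiraAgentLocalStatus | Format-List
```

Interpretation: ServiceInstalled False means the install script never completed (check ThreatLocker or the download allowlist). ServiceStatus Running with ConnectedToBlumira False points to egress blocking or SSL interception on the log-shipping endpoint. ServiceStatus Running with ConnectedToBlumira True, yet the device never shows as Online in the app, is the pattern to expect when the agent limit for your license has been reached.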

Additional Windows logging recommendations

For the best logging coverage, Blumira recommends also deploying the Logmira GPO and, if your organization uses Windows IIS, enabling IIS logging so those logs are sent to Blumira. See Getting started with Blumira Agent for Windows endpoints for more details.