Agent Watcher

Agent Watcher allows you to proactively monitor the status of selected LANDesk Management Suite agent services and files in order to ensure their integrity and preserve proper functioning on managed devices. Agent Watcher can be enabled and associated settings deployed with an initial device agent configuration. It can also be updated at any time without having to perform a full agent configuration.

Agent Watcher not only monitors critical services and files, but can also restart terminated services, reset services set to automatic startup, restore files that are pending delete on reboot, and report evidence of file tampering back to the core server.

Read this section to learn about:

Agent Watcher overview
Monitoring services
Monitoring files
Enabling and configuring Agent Watcher
Agent Watcher settings help
Using Agent Watcher reports

Agent Watcher overview

Agent Watcher monitors LANDesk Management Suite agent services and files specified by a device's Agent Watcher settings.

Agent Watcher settings also determine how often to check the status of agent services and files, whether Agent Watcher remains resident on devices, and whether to check for changes to the applied settings.

By default, Agent Watcher is turned off. You can enable Agent Watcher with an agent configuration or, at a later time, with a separate Update Agent Watcher settings task. In other words, you don't have to enable Agent Watcher during a device's initial configuration. It can be done at any time directly from the console for one or more managed devices.

When monitoring services and files, Agent Watcher performs the recuperative actions listed below.

Monitoring services

The following agent services can be monitored:

Local scheduler
Antivirus
Remote Control
Software Monitoring
Targeted Multicast
USB Monitor

NOTE: Services you're not deploying should not be selected for Agent Watcher monitoring
When configuring Agent Watcher settings, don't select services you don't intend to install on target devices. Otherwise, the core server will receive alerts for services not being installed that weren't installed on purpose. However, note that even if a service that isn't installed is selected to be monitored, alerts are not sent saying that the service can't be restarted or that its startup type can't be changed.

When monitoring agent services, Agent Watcher:

Restarts services when they shut down (one time)
Changes the service's startup type back to automatic when the startup type is changed
Sends alerts to the core server when services are not installed
Sends alerts to the core server when services can't be restarted
Sends alerts to the core server when a service's startup type can't be changed back to automatic

Monitoring files

The following files can be monitored:

Ldiscn32.exe
Vulscan.dll
Vulscan.exe
Sdclient.exe
Usbmon.exe
Usbmon.ini

When monitoring files, Agent Watcher:

Removes files from the registry that are scheduled for deletion upon reboot
Sends alerts to the core server when the files are scheduled for deletion upon reboot
Sends alerts to the core server when the files have been deleted

Supported device platforms and system requirements

Agent Watcher supports most of the same platforms supported by Management Suite, including the following operating systems, listed with minimum software and hardware requirements:

Microsoft Windows XP 64-bit Professional
(Intel Pentium 64-bit processor or compatible; 128 MB of RAM recommended; 72 MB available on HDD to install)
Windows 2000 Professional
(SP2 and higher; 133 MHz Intel Pentium processor or compatible; 96 MB of RAM recommended; 50 MB available on HDD to install)
Microsoft Windows XP Professional
(Microsoft Internet Service Pack 2.0 or higher; 300 MHz Intel Pentium processor or compatible; 128 MB of RAM recommended; 72 MB available on HDD to install)

Enabling and configuring Agent Watcher

The Agent Watcher utility is installed with the standard Management Suite agent, but it is turned off by default.

Agent Watcher can be activated through the initial device agent configuration, or at a later time via an Update Agent Watcher settings task.

Enabling Agent Watcher on devices

To enable Agent Watcher during agent configuration

In the console, click Tools > Configuration > Agent Configuration.
Click the New Windows toolbar button.
After specifying your desired settings for the agent configuration, click the Security and Compliance group, and then click Agent Watcher to open that page on the dialog.
Check Use Agent Watcher.
Select one of the settings from the available list to apply it to the agent configuration you're creating. You can create new settings or edit existing settings. The applied settings determine which services and files are monitored and how often, and whether the Agent Watcher executable remains resident in memory on monitored devices.
Finish specifying settings for the agent configuration and then click Save.

If you want to activate Agent Watcher (or update Agent Watcher settings) at a later time, you can do so for one or more managed devices directly from the console.

Using Agent Watcher settings

Use Agent Watcher settings to determine which services and files are monitored, how often to check the status of services and files, whether Agent Watcher remains resident on devices, and whether to check for changes to the applied settings.

To enable Agent Watcher (or update settings) as a separate task

In the console, right-click one or more devices, and then click Update Agent Watcher settings.
Check Use Agent Watcher.
Select one of the settings from the available list to apply it to the agent configuration you're creating. You can create new settings or edit existing settings. The applied settings determine which services and files are monitored and how often, and whether the Agent Watcher executable remains resident in memory on monitored devices.
Click OK.

Once you click the OK button, all the selected target devices are updated with the new settings, and a status message appears.

Disabling Agent Watcher on devices

You can also disable Agent Watcher for one or more devices with the Update Agent Watcher task.

To disable Agent Watcher

In the console, right-click one or more devices, and then click Update Agent Watcher settings.
Make sure the Use Agent Watcher check box is cleared
Click OK.

Agent Watcher settings help

This section contains the following online help that describes Agent Watcher dialog boxes.

About the Configure Agent Watcher settings dialog box

Use this dialog box to manage your settings. Once configured, you can apply settings to managed devices through an agent configuration or a change settings task.

Agent Watcher allows you to create multiple settings that can be applied to devices or device groups.

This dialog box contains the following options:

New: Opens the settings dialog box where you can configure the options.
Edit: Opens the settings dialog box where you can modify the selected settings.
Copy: Opens a copy of the selected settings as a template, which you can then modify and rename.
Delete: Removes the selected settings from the database.
Close: Closes the dialog box, without applying any settings to the task.

About the Agent Watcher settings dialog box

Use this dialog box to create and edit Agent Watcher settings.

Agent watcher settings determine which services and files are monitored and how often, as well as whether the utility remains resident on the device.

This dialog box contains the following options:

Name: Identifies the settings with a unique name.
Agent Watcher remains resident: Indicates whether the LDRegwatch.exe (Agent Watcher executable) remains resident in memory all of the time. If you don't select this option, LDRegwatch.exe remains in memory only long enough to check the selected services and files at the scheduled time.
Monitor these services: Specifies which critical services will be monitored with the Agent Watcher settings.
Monitor these files: Specifies which critical files will be monitored with the Agent Watcher settings.
Polling interval: Specifies how often you want Agent Watcher to monitor the selected services and files. The minimum value for this interval is 30 seconds.
Check for changes to these settings on the core server: Automatically compares the current version of the selected Agent watcher settings with the one deployed to target devices (at the interval specified below). If the settings have been modified during that time span, the new settings are deployed and Agent Watcher is restarted with the new settings.
- Interval to check: Specifies the time period of the recurring comparison of Agent Watcher settings.

About the Update Agent Watcher settings dialog box

Use this dialog box to update Agent Watcher settings on target devices, and to enable or disable the Agent Watcher utility on target devices.

If Agent Watcher is not active on the selected workstations, select the Use Agent Watcher check box, configure the Agent Watcher settings, and then click OK. Agent Watcher will be activated after the configuration is pushed down to the selected devices. To change which files or services are monitored, click the Configure button to display the Agent Watcher Settings dialog box.

With the Update Agent Watcher Settings dialog box you can also deactivate the Agent Watcher by clearing the Use Agent Watcher check box and clicking OK.

This dialog box contains the following options:

Use Agent watcher: Enables the Agent watcher service on target devices.
Choose an Agent Watcher setting: Specifies which setting is used for the task. Select one of the settings from the list, or click Configure to create new settings.

Once the OK button is selected, all the selected devices are updated with the new settings, and a status message appears.

Using Agent Watcher reports

Agent Watcher monitoring and alerting information is represented by several reports in the Reports tool.

All the Agent Watcher reports include the hostname of the workstation, the monitored service or file, the status of the alert (either found or resolved), and the date the event was discovered.

Agent Watcher saves the state of the alerts so that the core will only get one alert when the condition is found and one alert when the condition is resolved. Multiple alerts may occur when Agent Watcher is restarted in order to reboot the system, or when a new configuration is pushed or pulled down to the workstation.

Reports can also be generated for a given category based on different time intervals, such as today, last week, last 30 days, or another specified interval.

NOTE: Agent Watcher alert data automatically removed after 90 days
All Agent Watcher alerts over 90 days old are automatically removed from the database. Alert data is used to generate Agent Watcher reports.

In order to access the Reports tool, and generate and view reports, a user must have the LANDesk Administrator right (implying full rights) and the specific Reporting roles.

For more information about using the Reports tool, see Reports.

Agent watcher reports

The Agent Watcher reports are listed below:

Failed to change the service type

This report lists all the Agent Watcher alerts from workstations that are unable to change the startup type of a monitored service.

Required services not installed

This report lists all the Agent Watcher alerts from workstations where a monitored service has been uninstalled.

Required services not started

This report lists all the Agent Watcher alerts from workstations where a monitored service can't be restarted by the Agent Watcher.

Files not found on clients

This report lists all the Agent Watcher alerts from workstations where monitored agent files have been deleted.

Pending delete files found on client

This report lists all the Agent Watcher alerts from workstations where the monitored agent files have been scheduled to be deleted upon reboot. Agent Watcher also automatically removes these files from the Windows registry so they will not be deleted.