System Overview – System Agent

Discover the key functions and roles of the System Agent!

Written by Owen Parry

Updated at July 27th, 2024

Table of Contents

  • How to Change Elevation Modes
  • Elevation Modes Defined
  • How to Change Blocker Modes
  • Blocker Modes Defined
  • Technician Mode
  • The AutoElevate Agent Components
  • The AutoElevate Blocker Component
  • How to Update the Agent

The AutoElevate software is referred to as the "AutoElevate System Agent" and is installed on each computer. It monitors, reports, and responds to all UAC privilege events and living-off-the-land (LOTL) attacks. The AutoElevate Agent operates in one of three Elevation modes: Audit, Policy, or Live. In addition, Blocker operates in one of three Blocker modes: Disabled, Audit, or Live. Upon installation, Agents are placed in Audit for Elevation mode and Disabled for Blocker mode by default. These defaults can be changed within the deployment script.
 

How to Change Elevation Modes


In the Admin Portal (https://msp.autoelevate.com) from the Computers tab, select the check box next to the computer(s) you would like to change, and then from the Actions menu, select Set Elevation Mode to Live, Audit, or Policy under Elevation Mode. You are ready to test once the Agent checks in and picks up the setting (check-in happens every 10 minutes). Please click the "Refresh Data" button in the top right-hand corner to refresh your view, and then look at the 'Agent Mode' column to see if the Agents have picked up the new Agent mode setting. See the below image from the actions menu:



 

Elevation Modes Defined


  • Audit - All UAC events are logged, but the Agent does not respond to them or apply defined rules; therefore, there is no change to the user experience.

  • Policy - Policy mode will apply and process any defined rules. For any event with no corresponding rule, however, it will NOT invoke the Real-Time evaluation process but will instead allow the UAC prompt to appear to the user. Policy mode allows you to make and apply rules for critical applications with an immediate use case benefit, but it will not prompt the user or technician to evaluate anything unknown.
     
  • Live - All UAC events are intercepted, and rules that have been defined are applied (to either elevate with privilege or block). For any event with no corresponding rule, the end user will be given the choice to proceed with a privilege request. The privilege request causes any company-access technician to be notified and open a ticket (if you have an integrated PSA ticketing system). The technician is presented with information on who is making the request, what they are requesting, the basic security disposition of the machine, and whether the application or action they want is safe, along with the ability to respond to the user's request in real-time.  

     

How to Change Blocker Modes


In the Admin Portal (https://msp.autoelevate.com) from the Computers tab, select the check box next to the computer(s) you would like to change, and then from the Actions menu, select Set Blocker Mode to Live, Audit, or Disabled under Blocker Mode. You are ready to test once the Agent checks in and picks up the setting (check-in happens every 10 minutes). Please click the "Refresh Data" button in the top right-hand corner to refresh your view, and then look at the 'Blocker Mode' column to see if the Agents have picked up the new Agent mode setting. See the below image from the actions menu:

Note: These modes are found in the actions menu of the Computers screen. More on Blocker here.

 

Blocker Modes Defined


  • Disabled - The Agent's filter driver is not installed, or is uninstalled if previously installed. As a result, no Windows process is monitored in this state and no existing Blocker Rule is applied. Since Blocker is disabled, there is no change in the user experience.

  • Audit - The Agent's filter driver is installed. Windows processes for binaries that are used in LOTL attacks are monitored, and their usage is analyzed to generate Blocker Recommendations. The AE Agent does not apply any defined Blocker Rules; therefore, there is no change in the user experience.

  • Live - The Agent's filter driver is installed. Windows processes for binaries that are used in LOTL attacks are monitored, and their usage is analyzed to generate Blocker Recommendations. The AE Agent blocks or allows Windows processes based on any defined Blocker Rules.

     

Technician Mode


This is a special mode that enables onsite Technicians to interact with the computer's UAC prompts. Please see the Technician Mode documentation on our support site for a more in-depth explanation. The setting as it appears in the Actions menu of the Computers screen is shown below:


 

The AutoElevate Agent Components


The System Agent is made up of the AutoElevate Agent service, which is set to start automatically at Windows startup, and the AEAlert and AEUACAgent applications, which the service spawns once a user is logged in. When the AutoElevate Agent service is stopped, the computer resumes standard UAC functionality, and UAC events are no longer tracked.

Please take a look at the System Agent Installation document for more detailed instructions on Agent deployment options.
 

The AutoElevate Blocker Component


The component that makes up the Blocker is the AEAutoBlocker application which runs once Blocker is enabled in either Audit or Live mode. The filter driver is also not installed until Blocker is enabled. See more here: Managing Blocker.
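
The following health check covers the components described in the two sections above. It is an added example, not AutoElevate's own tooling. It assumes PowerShell 5.1 or later, that the service's display name begins with "AutoElevate", and that the process names match the application names given in this article (AEAlert, AEUACAgent, AEAutoBlocker).

```powershell
# Added example: verify the Agent components named in this article on one computer.
# Assumptions: service display name starts with "AutoElevate"; process names equal
# the application names in the article. Adjust both to match your installation.
param(
    [ValidateSet('Disabled', 'Audit', 'Live')]
    [string]$ExpectedBlockerMode = 'Disabled'   # install-time default per the article
)

$findings = @()

# 1. Agent service: must exist, be running, and start automatically.
$svc = Get-Service -DisplayName 'AutoElevate*' -ErrorAction SilentlyContinue |
    Select-Object -First 1
if (-not $svc) {
    $findings += 'Agent service not found (display-name pattern is an assumption).'
} else {
    if ($svc.Status -ne 'Running') {
        $findings += "Agent service is $($svc.Status): UAC events are not being tracked."
    }
    if ($svc.StartType -ne 'Automatic') {
        $findings += "Agent service start type is $($svc.StartType), expected Automatic."
    }
}

# 2. AEAlert and AEUACAgent are spawned only once a user is logged in.
# Heuristic: a running explorer.exe indicates an interactive session.
$userLoggedIn = [bool](Get-Process -Name explorer -ErrorAction SilentlyContinue)
if ($userLoggedIn -and $svc -and $svc.Status -eq 'Running') {
    foreach ($name in 'AEAlert', 'AEUACAgent') {
        if (-not (Get-Process -Name $name -ErrorAction SilentlyContinue)) {
            $findings += "$name is not running although a user session exists."
        }
    }
}

# 3. AEAutoBlocker runs only when Blocker is in Audit or Live mode.
$blockerRunning = [bool](Get-Process -Name AEAutoBlocker -ErrorAction SilentlyContinue)
if ($ExpectedBlockerMode -eq 'Disabled' -and $blockerRunning) {
    $findings += 'AEAutoBlocker is running but Blocker mode is expected to be Disabled.'
} elseif ($ExpectedBlockerMode -ne 'Disabled' -and -not $blockerRunning) {
    $findings += "AEAutoBlocker is not running; expected Blocker mode is $ExpectedBlockerMode."
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output 'AutoElevate Agent components match the expected state.'
```

Because Agents pick up mode changes at check-in (every 10 minutes), run the check after that interval has passed following a Blocker mode change.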
 

How to Update the Agent


Updates are rolled out automatically depending on the state of your tenant. To update the agent, please see below from the Computers screen Actions menu:  

 
