LCE Windows Client Features
The LCE Windows Client is used to monitor events from many different channels on supported Windows platforms, including logs created by applications, and any Windows event logs. Additionally, the client can be configured to monitor text and binary files on a host, report on MD5 hash changes, monitor unknown processes, and scan for malware. Remote hosts can also be monitored.
Event and Text File Monitoring
Whenever a new event appears in a monitored Windows event log, the event is transmitted to the LCE server for normalization. In the case of monitored text files, each new line is transmitted. After the LCE server normalizes the event data, the data can be visualized using Tenable.sc. The LCE Windows Client can process files of all common encoding types, including UTF-8 and UTF-16.
Binary File and Unknown Process Monitoring
When a binary or executable file is monitored, if the MD5 checksum of the file changes, the old and new MD5 hashes are transmitted to the LCE server as an event. When unknown processes are monitored, you can configure the LCE Windows Client to report all unknown processes that are detected every time the client is restarted, or to report only newly-identified unknown processes.
When the LCE Windows Client is configured to scan for malware, it will check the MD5 checksums of all running processes, as well as any binary file that the LCE Windows Client is monitoring, and compare the checksums to the Tenable database of known malware. Any processes or files that are identified as malware will be reported to the LCE server as events. When malware scanning is enabled, the LCE Windows Client will use DNS queries to compare the MD5 checksums.