Windows-based Installation of the Config Scan Agent

Prerequisites

Supported operating systems
  • Windows PC: 10 and above (64-bit architecture)
  • Windows Server: 2019 and above (64-bit architecture)
Privileges required
  • Administrator privileges (for all non-admin users)
  • Read access, for input files
  • Execute access, for extracting service metadata
  • Write access, for the output folder in which the scan reports must be saved

Installation Instructions

  1. Login and download the latest Windows variant of the AppViewX Config Scan Agent from the release portal, in your Windows machine, as required.
    Release portal link: https://release.appviewx.com/downLoadArtifact?id=1822
    Note: This agent can be used to perform configuration scan, certificate scan, and network scan.
  2. Verify that the tar file has not been tampered with and is secure for use.
    1. Download the signature file from the release portal.
      https://release.appviewx.com/downLoadArtifact?id=1730
    2. Execute the following command: 
      openssl cms -verify -in /path/to/SIG-file -inform DER -binary -noverify -content /path/to/tar-file
      Here:
      • /path/to/SIG-file: Location of the signature file downloaded from the release portal
      • /path/to/tar-file: Location of the tar file downloaded from the release portal
  3. From the folder in which the tar was downloaded, to untar, execute the following command in powershell: 
    tar -xvf config-scan-agent-windows-v1.0.0-2026.1.tar.gz
    The AppViewX Config Scan Agent, config-scan-agent, is extracted from the zipped file.
    Note: If the utility file cannot be found via the powershell command in the Windows machine, then uncompress it directly from the UI.
  4. Save the AppViewX Config Scan Agent in all the endpoint machines where the configuration scan needs to be performed.
  5. Create the configuration file required to run the AppViewX Config Scan Agent. 
    .\config-scan-agent.exe --create-config
    Executing this command will display a series of prompts to set up the configuration scan (as shown in the image below); your responses to these prompts will be entered in the configuration file.
    Tip: For the full list of options available for configuring the AppViewX Config Scan Agent, execute the following command:
    .\config-scan-agent.exe --help
  6. Reply to the configuration prompts displayed.
    The prompts and their recommended responses are explained in detail here.
    Important: You will also be required to enter your service account details as part of the configuration file set up. Ensure that the service account is created and you have the required details. For instructions, see Configuring a Service Account to Send Reports to AppViewX.
    The prompt responses will be used to create the following two files in the working directory of the host machine: config.ini (configuration file) and secret.key (file containing the secret key for the encryption and decryption).
  7. To view the existing configuration, execute the following command in powershell: 
    .\config-scan-agent.exe --view-config <config_file_path> --secret-key <secret_key_path>
    Here:
    • <config_file_path>: Location of the configuration file
    • <secret_key_path>: Location of the secret key file
  8. To perform the config scan, execute the following command: 
    .\config-scan-agent.exe --config <config_file_path> --secret-key <secret_key_path> --log-dir <log_directory>
    Here:
    • <config_file_path>: Location of the configuration file
    • <secret_key_path>: Location of the secret key file
    • <log_directory>: Location of the file where the logs must be saved
    After the scan is completed:
    • Output reports (JSON/CSV/CycloneDX CBOM) will be saved in the output path provided in the configuration file.
    • If enabled, the output reports will be sent to AppViewX and the corresponding data will be displayed in the List of Scans inventory in the Quantum Trust Hub.
    • The configuration scan results will be displayed on the Configuration Scan Dashboard in the Quantum Trust Hub.
    • Depending on the response to the corresponding prompt, certificates discovered as part of the scan will be uploaded to the AppViewX certificate inventory, in the Monitored state.
    • Logs will be generated and saved in the working directory, by default.

      To save the logs in a custom log directory use the <log_directory>argument to specify the required location.

Additional Instructions

  • To update the contents of the configuration file:
    1. Execute the following command:
      .\config-scan-agent.exe --update-config <config_file_path> --secret-key <secret_key_path>
      The configuration prompts are displayed.
    2. Update the prompt responses as required.

      All updated values will overwrite the existing values.

  • To update only the service account details, execute the following command and update the prompt responses:
    .\config-scan-agent.exe --update-service-acc  <config_file_path> --secret-key <secret_key_path>
  • To set log levels, log directory, output directory use the options provided in the - -help option.For example:
    --log-level INFO ['DEBUG', 'INFO', 'WARNING', 'ERROR', 'CRITICAL']
--log-dir /path/to/log/dir
--output /path/to/output/dir
  • To rotate the secret key (by default generated every time a new configuration file is generated) used for encryption and decryption of the service account credentials and the configuration file, execute the following command:
    ./config-scan-agent.exe --rotate-key <secret_key_path> --config <config_file_path>
    Here, the --config argument is used to continue using the existing configuration file with the newly rotated secret key.