Installing the Endpoint Protection Solution

This article explains how to install Cato's Endpoint Protection (EPP) solution on your endpoints.

Overview

Cato's EPP solution is installed on your endpoints to protect them from attack. It is Cato's software that runs the EPP engines to identify malicious files or processes. It is independent of the Cato Client and does not connect to any Cato PoPs. A unique token, supplied during installation of the EPP Agent, associates the solution with your account. The solution can be distributed to endpoints using a Managed Deployment Solution, or manually.

Cato automatically upgrades the EPP solution when a new version is available.

Prerequisites

Before the EPP solution is installed on an endpoint, ensure it meets the following requirements:

  • The endpoint runs on Windows version 10 or higher

  • The endpoint has x86-64 architecture

  • Your account has an endpoint protection license

  • You know your account's Agent Token. Endpoints are only protected if the EPP solution is registered to an account with the Account Token. For more information, see Associating EPP to your Account.

  • No other anti-virus solution is running on the endpoint. Running the EPP solution with other security software may impact the level of protection

    • Note: From EPP agent v1.1 and higher, during installation and start-up, the agent checks for other anti-virus solutions installed on the endpoint.

      • If another solution is found during installation, the Cato Agent does not complete the installation

      • If another solution is found during start-up, an error is displayed in the Cato Management Application

  • These components are installed on the endpoint:

    • C++ Redistributable 2019 or newer

    • .NET 4.8 or newer

      Note: These are automatically installed with the .exe installer but not with the .msi installer

  • The endpoint can access these domains:

    • https://ep-registration.catonetworks.com

    • https://epp.catonetworks.com

    • https://cc2.catonetworks.com

    • https://socketlogs.catonet.works

    • https://client-telemetry.main.prod.k8s.catonet.works

    • https://cato-15a028ee-1898-449e-8dbe-7056f3093fa6.2d7dd.cdn.bitdefender.net
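
A readiness check for the local prerequisites above, as an added example that is not part of Cato's documentation or tooling. The registry paths, the choice of the x64 runtime and the TCP-only reachability test are assumptions of this example; the license and Agent Token prerequisites are account-side and are not checked.

```powershell
# Added example (not Cato's code): readiness check for the prerequisites listed above.
$checks = [ordered]@{}

# Windows 10 or higher: Windows 10 and 11 both report major version 10.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$checks['Windows 10 or higher'] = ([version]$os.Version).Major -ge 10

# x86-64 architecture: Win32_Processor.Architecture value 9 means x64.
$cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
$checks['x86-64 architecture'] = $cpu.Architecture -eq 9

# .NET 4.8 or newer: the Release value is 528040 or higher.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$checks['.NET 4.8 or newer'] = [bool]($ndp -and $ndp.Release -ge 528040)

# C++ Redistributable 2019 or newer: runtime version 14.20 or higher.
# Assumption: the x64 runtime is the one required, since the endpoint is x86-64.
$vc = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\x64' -ErrorAction SilentlyContinue
$checks['C++ Redistributable 2019 or newer'] = [bool]($vc -and $vc.Installed -eq 1 -and
    ($vc.Major -gt 14 -or ($vc.Major -eq 14 -and $vc.Minor -ge 20)))

# Required domains: a TCP connection to port 443 must succeed.
# This does not reveal a proxy or TLS inspection device that blocks the session later.
$urls = @(
    'https://ep-registration.catonetworks.com',
    'https://epp.catonetworks.com',
    'https://cc2.catonetworks.com',
    'https://socketlogs.catonet.works',
    'https://client-telemetry.main.prod.k8s.catonet.works',
    'https://cato-15a028ee-1898-449e-8dbe-7056f3093fa6.2d7dd.cdn.bitdefender.net'
)
foreach ($url in $urls) {
    $hostName = ([uri]$url).Host
    $checks["Reach $hostName on 443"] = Test-NetConnection -ComputerName $hostName -Port 443 `
        -InformationLevel Quiet -WarningAction SilentlyContinue
}

# Other anti-virus products: listed for manual review, not scored.
# SecurityCenter2 exists on Windows client editions; Microsoft Defender may appear here too.
$av = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
$av | ForEach-Object { "Registered anti-virus product: $($_.displayName)" }

# Print one PASS/FAIL line per check and return a non-zero exit code on any failure.
$checks.GetEnumerator() | ForEach-Object { '{0,-8}{1}' -f $(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key }
if ($checks.Values -contains $false) { exit 1 }
```

Run it on the endpoint before deployment; the non-zero exit code lets a deployment tool skip endpoints that are not ready.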

Distributing EPP to Endpoints

To distribute Cato's EPP solution to endpoints in your environment, Cato supports using a Mobile Device Management system. Cato's EPP Agent can also be manually installed.

Associating EPP to your Account

The Agent Token is a unique token for your account that is used during the installation process. The Agent Token associates the EPP Agent to your account.

To show the Agent Token:

  1. From the navigation menu, click Security > Endpoint Protection.

  2. Click the Setting tab.

    The Agent Token is displayed.

Note: You can refresh your Agent Token by clicking the refresh button. After the token is refreshed there is no impact on endpoints already associated with your account. To associate new endpoints to your account, use the updated Agent Token.

Downloading EPP

You can download the EPP Agent to distribute or install it on the endpoints in your environment. An EXE and MSI version are available for download.

Note: The EPP solution is only available with an additional license. For more information, contact your sales representative.

To download EPP:

  1. From the navigation menu, click Access > Client Rollout.

  2. In the Windows EPP Client widget, click Download Client.

  3. Choose the file type to download.

    The EPP solution is downloaded.

Installing EPP with an MDM

To install EPP remotely, you can use a managed solution, for example, Microsoft Intune, to deploy the EPP solution to endpoints in your environment.

To install EPP with an MDM:

  • Use the following command to install EPP:

    • For the MSI version:

      msiexec.exe /i "<installer-path>" REGISTRATION_TOKEN=<Agent-Token>

    • For the EXE version:

      CatoEndPointProtection-<version>-win64.exe /q /l*v <logs-folder> REGISTRATION_TOKEN=<Agent-Token>

Installing EPP Manually

After you download the installation file, follow the steps in the Cato Endpoint Protection Setup Wizard. When prompted, insert the Agent Token.

Reviewing Protected Endpoints

After registering Endpoints with your Agent Token, the solution starts reporting data, for example:

  • The version used on each endpoint

  • The profile applied to each endpoint


To review protected endpoints:

  • From the navigation menu, click Monitoring > Protected Endpoints.

    The Protected Endpoints screen opens.

Understanding the Protected Endpoint Table Columns

The following list explains the columns in the Protected Endpoints table.

  • Endpoint ID: Unique ID of the EPP agent.

  • Endpoint Name: Computer name of the endpoint.

  • User: Last user to log into the endpoint. On shared devices, the user may change over time.

  • IP: IP address of the endpoint.

  • OS Version: Endpoint operating system.

  • EPP Version: Version of the EPP solution installed on the Endpoint.

  • Profile: EPP profile assigned to the Endpoint. The clock symbol displayed in this column means the Endpoint has not yet received the EPP profile. The EPP profile is assigned the next time the endpoint is online.

  • Quarantine Files: Number of quarantined files on the endpoint.

  • Status: Status of the EPP solution. The possible statuses are:

    • Starting: The EPP solution is installing on the endpoint

    • Protected: The EPP solution is online and protecting the endpoint

    • Not Protected: The EPP solution has a Profile with Anti-Malware set to Monitor

    • Error: The EPP solution has an error. See EPP Troubleshooting for more information

Protecting Cato's EPP Solution

Cato's EPP has Anti-Tampering protection enabled by default. This protects the processes, files, services, and registries used by the EPP solution from malicious modifications or kill attempts. This also protects against unintentional end user actions that might compromise security.

Disabling Protection of EPP

You can temporarily unlock the Anti-Tampering protection for 15 minutes, for example, if you need to uninstall the solution. After this time, or if the endpoint is rebooted, Anti-Tampering protection is re-enabled.

To unlock protection:

  1. From the navigation menu, click Monitoring > Protected Endpoints.

    The Protected Endpoints screen is displayed.

  2. Click the three dots on the endpoint for which you are unlocking protection.

  3. Click Unlock Anti-Tamper.

    Anti-Tampering protection is temporarily disabled.

EPP Troubleshooting

Errors may occur when installing EPP. Error messages are displayed in the Protected Endpoints table, under the Status column. If there is an error, the endpoint is not protected.

These are the error messages that could be displayed and how to resolve them:

  • Drivers are not installed correctly / Internal engine error: These errors mean that the solution has not been installed correctly and cannot run the EPP engine(s). To resolve this issue, contact Support.

  • Installation not complete: Ensure the device has C++ Redistributable 2019 or later installed and reboot. If this issue persists, contact Support.

  • Error in module(s): atc/onaccess/selfprotect: There is an issue with the EPP engine(s). To resolve this issue, contact Support.

Understanding the End User Experience

The EPP solution is located in the Windows system tray and creates alerts for blocked activities according to the Protection level set in the Profile.

The EndPoint Protection Agent

End users can use the Agent to confirm that the endpoint is protected and to display basic Statistics and Settings, for example, the Profile and the engines that are running.

Anti-Malware and Behavioral Protection scans use minimal resources and are invisible to the end user.

System Alerts

If malicious activity is identified on an endpoint, a system alert is displayed to the end user. The alert displays the path of the malicious file and the file status. This information is also visible in Windows notifications.

Access to the file is determined by the Protection level set in the Profile.

Note: To receive system alerts, the EPP solution must be open and Windows notifications enabled on the endpoint.

Removing EPP from an Endpoint

If EPP is no longer required on an endpoint, it can be uninstalled and, if necessary, deleted from your account. After the solution is uninstalled, the EPP engines cannot scan for malicious activity and no Events are reported. The endpoint remains on the Protected Endpoint page until it is deleted.

Uninstalling and Deleting an Endpoint

You can uninstall EPP from an endpoint and delete the endpoint from your account in a single action.

Note: Supported from EPP Agent v1.1. If you try to delete and uninstall EPP Agent v1.0, no action is taken until the Agent is upgraded to v1.1.

To uninstall and delete an endpoint:

  1. From the navigation menu, click Monitoring > Protected Endpoints.

    The Protected Endpoints screen is displayed.

  2. Click the three dots on the endpoint that you are deleting.

  3. Click Remove Endpoint.

    The Remove Endpoint dialog box is displayed.

  4. Click Remove Endpoint & Uninstall Agent.

    EPP is uninstalled from the endpoint and the endpoint is deleted from your account.

Uninstalling an Endpoint

You can uninstall EPP on an endpoint so that the EPP engines cannot scan for malicious activity and no Events are reported. Until the endpoint is deleted, it is visible on the Protected Endpoint page.

To uninstall an endpoint:

  1. From the navigation menu, click Monitoring > Protected Endpoints.

    The Protected Endpoints screen is displayed.

  2. Click the three dots on the endpoint that you are uninstalling.

  3. Click Uninstall Agent.

    The Uninstall Agent dialog box is displayed.

  4. Click Uninstall Agent.

    EPP is uninstalled from the endpoint.

Deleting an Endpoint

If EPP is no longer installed on an endpoint, the endpoint can be deleted from the Protected Endpoint page.

Note: Do not delete an endpoint from the Protected Endpoint page before EPP has been uninstalled.

To delete an endpoint:

  1. From the navigation menu, click Monitoring > Protected Endpoints.

    The Protected Endpoints screen is displayed.

  2. Click the three dots on the endpoint that you are deleting.

  3. Click Remove Endpoint.

    The Remove Endpoint dialog box is displayed.

  4. Click Remove Endpoint.

    The endpoint is deleted from the Protected Endpoints page.

2 comments

  • Comment author
    Rudy FABULET

    Hello,

    I would like to know if there is a compatibility matrix for the different Windows client and server OS?

    Best Regards 

    Rudy

  • Comment author
    Michael Goldberg

    Hi Rudy FABULET,

    Compatibility requirements are generally listed as prerequisites. For the Cato EPP agent, you can view this in the article above. For the Cato SDP Client, you can view this in the following article: Installing the Cato Client