Immediate Online scan

[Hemo2]

I have a few questions about the flow of information when doing scans. (More specifically the amount of data that is transfered.) When I do an immediate online scan, and it installs the remote service and does the remote scan, what all is getting transferred and copied back and forth?

 

Here's my understanding of it as it occurs simply by observing the process.

 

- I run TNI and do an immediate online scan and select multiple computers to scan.

- TNI then contacts the remote computer and copies a file and remotely installs a service on the remote pc to initiate the scan.

- The remote process scans and finishes and reports back the info to my computer that I'm running the scan on and then it removes itself from the remote pc.

 

My questions are:

 

- What file gets copied to the remote pc? Is it tniaudit.exe?

- During the scan when I'm sitting at my computer running the immediate online scan, TNI will provide updates such as "copying file", "scanning (software)", etc. How often is TNI contacting the remote computer to get these updates and is this an amout of data of any size?

- Once the remote scan finishes and sends back the data to my pc, how is this accomplished? Does the remote tniaudit.exe create the .XML file and then transfers that back to TNI, or is 'raw data' sent back to my pc and then TNI creates the actual .XML file?

- Is the data (or .XML file) that gets sent back to my computer "compressed"? If so, about how large is it?

 

I'm asking these questions because we're trying to get a feel for 'how much' data is being transferred across the network. We have many remote networks all across our state and bandwidth is an extreme problem and concern for us. The .XML files are about 1.3MB in size. The tniaudit.exe file is 256KB in size. So using simple math, I'm wondering if the amount of data transferred is around 1.56MB? But if there are multiple communications between TNI and the remote computer during the scan, that probably adds at least some to that total to scan a single computer.

 

When my managers and network admins ask me how much data is being transferred to do a scan, I'm hoping to get a feel for what's going on so I can give them a fairly accurate answer, as we have thousands of computers on remote networks going across slower WAN connections and we don't want to interfere with daily operations and choke our WAN.

 

Sorry, one more question. When doing a "login script" scan, the tniaudit.exe file gets copied down to the local pc and runs and then it copies the resulting .XML file to the location specified. I assume since the remote tniaudit.exe is the process performing the copy of the .XML back to the audit folder, that there is no compression of the .XML file, and the total data transferred back & forth would be around that 1.56MB, which encompasses the tniaudit.exe being copied and the .XML file being copied to the audit folder. Is that about the amount of data transferred when doing a login script scan?

 

Thank you.

[Support]

There are two methods of connection TNI can use: agent (via SMB/NetBIOS protocols) and agent-free (via RPC/DCOM protocols). These methods are set up in "Options - Connection". You can choose one of them and check an option to use another if the first one fails. If the bandwidth and traffic is an issue, it's highly recommended that you choose agent (SMB) method and uncheck (disable) the option "Try another method", and also make sure that the checkbox "Compress data transferred over network" is also checked. If you are going to rescan computers from time to time, you can also enable the option "Keep deployed files for future use" (thus the executables will not be removed and will not be copied over again).

 

- What file gets copied to the remote pc? Is it tniaudit.exe?

tniaudit.exe and tniservice.exe

 

- During the scan when I'm sitting at my computer running the immediate online scan, TNI will provide updates such as "copying file", "scanning (software)", etc. How often is TNI contacting the remote computer to get these updates and is this an amout of data of any size?

With agent connection method, the program does not query remote agent for status change, however it checks for the service state each 5 seconds. Not sure, but I doubt it's anything bigger than 10-20 KB in total (for one PC of course).

 

- Once the remote scan finishes and sends back the data to my pc, how is this accomplished? Does the remote tniaudit.exe create the .XML file and then transfers that back to TNI, or is 'raw data' sent back to my pc and then TNI creates the actual .XML file?
- Is the data (or .XML file) that gets sent back to my computer "compressed"? If so, about how large is it?

In agent-free method the data is retrieved in raw format and thus the traffic is very high (from several MB up to hundred MB). But in the agent method the remote agent creates the file locally and compresses it (if specified by the setting mentioned above). Uncompressed files are 1-2 MB large and compressed ones are about 100-200 KB.

Here is an extract from our technical whitepaper:

Here are the example figures for scanning of average Windows XP computer. Upload means information uploaded to the scanned computer, and download – information downloaded from the scanned computer. Figures include network protocols overhead:

Agent with compression: upload 0.9 MB, download 0.21 MB.
Agent without compression: upload 0.9 MB, download 1.67 MB.
Comment: two executables under 0.5 MB in total are uploaded to the computer. It is possible optionally to leave them on computers and reuse during further scans, which will decrease upload traffic below 100 KB.

We have measured the figures with a traffic shaper which included all protocols overhead, and it happened that copying a file generated twice as much data as the file size, that's why the upload is 0.9 MB, not 0.45 MB (expected approx. size of tniaudit.exe + tniservice.exe)...
You can find the full version here.

 

Sorry, one more question. When doing a "login script" scan, the tniaudit.exe file gets copied down to the local pc and runs and then it copies the resulting .XML file to the location specified. I assume since the remote tniaudit.exe is the process performing the copy of the .XML back to the audit folder, that there is no compression of the .XML file, and the total data transferred back & forth would be around that 1.56MB, which encompasses the tniaudit.exe being copied and the .XML file being copied to the audit folder. Is that about the amount of data transferred when doing a login script scan?

It is about correct. By default the agent doesn't compress the files in login script mode (with "/scripted" command-line parameter). But if you set the parameter "compressscandata=1" in the "tniaudit.ini" configuration file (in the same folder with tniaudit.exe), files will be compressed (again, 100-200 KB) and you should go down to figures about 0.6-0.7 MB per PC. But in this case tniaudit.exe cannot be cached on that PC (though could be, something to implement in the future versions...), it will be downloaded from the server each time (basically, that is done by Windows to run a file from a network shared folder).

In the version 2.0 which is about to be released soon, we are going to decrease the figures even more. Data files will always be compressed and will occupy something about 30-50 KB, and there will be only one file tniaudit.exe (no separate service file).

[Hemo2]

Thank you for the detailed reply. This is very good information and exactly what I needed!