Agent vs Agentless Security Scanning
TL;DR:
- Agent-based scanning relies on software that runs in real time on the actual machine it’s scanning
- Agentless scanning installs nothing on the target; it assesses a disk snapshot of the machine instead.
Agent-based Scanning
The agent is software that you install on the system you want to assess. That agent executes on the target system:
- reading configuration files
- checking ports and protocols
- collecting live data for alerts and reports
Pros
- All information gathered is on the current state of your actual system.
- There’s no remote login required, which means no new endpoint, no remote connection management, and no lag or connectivity issues.
- The scanner can access all the necessary system elements with few security limitations.
- There are no snapshots required, which saves time and cost.
Cons
- Customers have to trust the agent and may have limited control on the agent.
- The agent takes up resources.
- The agent may introduce other issues, like a memory leak.
- The agent must be installed on each machine, which requires time installing, maintaining, and updating the agents.
- Customers may not be able to install agents on infrastructure assets. For example, the infrastructure may be managed by a third party that does not allow agents on its systems.
Agentless Scanning
A few options:
- Remote access, either over SSH or through a cloud shell. The scanner executes outside the target system and collects real-time information by connecting to the scan target.
- Disk snapshot scanning assesses a copy of the target system rather than the system itself. It never interacts with the scan target.
Disk scanning is the dominant approach.
- Low risk: scan a snapshot of the VM filesystem, not the live VM. Minimal chance to disrupt the running VM.
- Low impact: many customers routinely create daily VM snapshots for backup purposes, so little inconvenience to enable disk scanning.
- Disk scanners are widely available.
- Vulnerability databases are widely available.
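To make the snapshot approach concrete, here is an added example (not code from the original page or from any scanning product) of a minimal agentless package scanner. It assumes the VM disk snapshot is already mounted read-only under some directory, reads the snapshot's copy of /var/lib/dpkg/status from there instead of from the live VM, and matches installed package versions against a constructed, placeholder vulnerability database; the version ordering is deliberately simplified.

```python
import os
import tempfile
# Constructed vulnerability database (placeholders, not real advisories):
# package -> (first fixed version, advisory id)
SAMPLE_VULN_DB = {"openssl": ("3.0.12", "ADVISORY-PLACEHOLDER-1"),
                  "libxml2": ("2.9.15", "ADVISORY-PLACEHOLDER-2")}

# Constructed /var/lib/dpkg/status fragment, read from the snapshot, not the live VM.
SAMPLE_DPKG_STATUS = """\
Package: openssl
Status: install ok installed
Version: 3.0.10

Package: libxml2
Status: install ok installed
Version: 2.9.15

Package: curl
Status: deinstall ok config-files
Version: 7.0.0
"""

def version_tuple(v):
    # Simplified numeric ordering; real dpkg version rules are richer (epochs, ~, letters).
    return tuple(int(p) for p in v.split("."))

def parse_dpkg_status(text):
    """Return {package: version} for packages whose Status says they are installed."""
    installed = {}
    for stanza in text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        if fields.get("Status", "").endswith(" installed"):
            installed[fields["Package"]] = fields["Version"]
    return installed

def scan_snapshot(mount_root, vuln_db):
    """Scan a mounted (read-only) disk snapshot; the running VM is never touched."""
    with open(os.path.join(mount_root, "var/lib/dpkg/status")) as f:
        installed = parse_dpkg_status(f.read())
    return [(pkg, ver, vuln_db[pkg][1]) for pkg, ver in installed.items()
            if pkg in vuln_db and version_tuple(ver) < version_tuple(vuln_db[pkg][0])]

def build_sample_snapshot():
    """Throwaway directory standing in for a snapshot mounted under mount_root."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "var/lib/dpkg"))
    with open(os.path.join(root, "var/lib/dpkg/status"), "w") as f:
        f.write(SAMPLE_DPKG_STATUS)
    return root
```

Running `scan_snapshot(build_sample_snapshot(), SAMPLE_VULN_DB)` reports only openssl: libxml2 is already at the fixed version and curl is not in the installed state, so the scanner ignores it.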