Docs
Enterprise
Reference
Agent

Agent

Learn what the agent does on your endpoints.

Installation

The installation script (install.ps1) performs the following steps:

  1. Creates application folders under C:\Program Files\Irbis\Zen Enterprise Agent and C:\ProgramData\Irbis\Zen Enterprise Agent.
  2. Assigns the appropriate ACLs to the ProgramData folder.
  3. Downloads the ZenEnterpriseAgent.exe binary into C:\Program Files\Irbis\Zen Enterprise Agent.
  4. Registers the endpoint using the specified deployment token and stores the configuration in ProgramData.
  5. Creates and starts a Windows service named ZenEnterpriseAgent.
The macOS agent is a work in progress.
The Linux agent is a work in progress.

Request proxying

Note

All HTTP/HTTPS traffic inspection and modification happens locally within the agent, in real time. No data is routed or sent to a remote server for processing.

PAC (Proxy auto-config)

For HTTP/HTTPS request proxying, the agent hosts a PAC file on an available local port.

Some hostnames are automatically excluded from proxying due to security or compatibility reasons. For more details, see ZenPrivacy/zen-https-exclusions on GitHub.

System configuration

To instruct applications to use the proxy, the agent modifies the following Registry values:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings:

  • ProxySettingsPerUser set to 0.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings:

  • ProxyEnable set to 0.
  • ProxyOverride deleted.
  • ProxyServer deleted.
  • AutoConfigURL set to the local PAC URL.

When the service shuts down or is uninstalled, all of these values are deleted.

The macOS agent is a work in progress.
The Linux agent is a work in progress.

CA (Certificate Authority)

Zen’s content blocking and filtering features require HTTPS inspection, so the agent generates and installs a local CA (Certificate Authority) certificate that the operating system and browsers trust. The following measures protect the certificate from misuse:

  • The certificate key pair is generated entirely on the endpoint.
  • The private key is never sent to any remote server.
  • The private key is stored with restrictive permissions (0600) to reduce the risk of compromise by malicious processes on the same machine.
GlossaryRecommended filter lists