This guide provides an overview of the Tanium Client and the procedures to deploy and manage it. As a best practice, use the Tanium™ Client Management service to deploy the client to enterprise endpoints, as described in the Tanium Client Management User Guide. This guide also describes how to deploy the Tanium Client using third-party software distribution tools such as Active Directory (AD) Group Policy Objects (GPO), System Center Configuration Manager (SCCM), Altiris, LANDESK, Puppet, and Casper.
The Tanium Client is a service installed on endpoint computers. In response to your questions, it discovers and reports within seconds both static and dynamic real-time data pertaining to the endpoint. This data includes the following:
- Hardware and software inventory
- Software configuration
- Local or domain user details
- Installed application or services, startup programs, and running processes
- Existence of registry keys and their values
- WMI data elements
- File system details, including identification of files by hash or contents
- Event log results
- Network configuration settings and state
With similar speed, you can use the Tanium Client to execute commands, actions, scripts, or other executable programs just as if an authorized administrator were taking actions from the command line on the target endpoint. For example, you can send the Tanium Client an instruction to take the following actions:
- Install or uninstall applications or services
- Update or patch installed applications, services, hardware drivers, or firmware
- Manage installed applications or services
- Add, remove, or modify the Windows Registry settings or other configuration stores
- Add, remove, or modify files or the contents of files
- Start or stop services
These powerful features enable large, geographically distributed organizations to identify and respond to a zero-day exploit, security breach, or application outage in a matter of seconds or minutes rather than days and weeks.
When the Tanium Client software is first deployed to an endpoint, it initiates a direct connection to the Tanium Server assigned to it in the initial configuration. During initial registration, the Tanium Client establishes a unique ID and receives from the Tanium Server the latest client settings, a list of nearby peers, and the latest sensor, question, and scheduled action definitions. By default, the initial registration status is configured to reset approximately every four hours, forcing the Tanium Client to re-initialize registration. This ensures the latest settings are applied and that optimal peers are selected.
The Tanium Client also re-registers with the Tanium Server via a normal registration that happens at a defined registration interval. The default registration interval is a randomized time between 30 and 90 seconds. During a normal registration, the Tanium Client informs the Tanium Server of its current state of questions, actions, and settings; and, in response, the Tanium Server sends new questions, actions, or settings to apply. In large environments, normal registrations are the primary way that Tanium Clients receive new questions, actions, and settings.
In an enterprise network, the Tanium Clients establish peer relationships. Peer connections are continual, long-lived connections used to exchange Tanium messages and files. The information is exchanged among peers in a linear chain. During registration, the Tanium Client receives a peer list of other Tanium Clients to which it can try to establish a peer connection. The Tanium Client uses the list to determine which neighbors are the most optimal network peers.
By design, each linear chain has one forward leader and one backward leader at the ends of the chain. Other than at registration, only leaders establish direct connections with the Tanium Server. The Tanium Server passes sensors, questions, and scheduled actions to the backward leader, which passes them to its forward peer, which in turn passes them to its forward peer, and so on, until they reach the forward leader. The forward leader returns the question answers and the scheduled actions status to the Tanium Server.
Tanium peer communication is designed to accommodate new clients that come online, to route around clients that are removed or stop communicating effectively, and to reflect around network-level blockages, such as firewall blocking. Forward reflection occurs if a Tanium Client cannot establish an outgoing connection to a forward peer in its peer list: the client establishes its forward connection to the Tanium Server instead and becomes a forward leader. Similarly, backward reflection occurs if a Tanium Client cannot establish an outgoing connection to a backward peer: the client establishes a backward connection to the Tanium Server and becomes a backward leader. Tanium Clients establish outgoing connections to backward peers for file distribution (see File distribution).
Client peering results in a profound reduction in connections and bandwidth over WAN links. The following figure illustrates the proportions of the savings in a large enterprise network that includes subnets in data center, headquarters, and branch offices, as well as VPN connections from remote workers. Other than during registration, only the remote VPN clients and leaders, depicted in bright red, connect to the Tanium Server over the WAN (the Internet, in this example). The remaining clients, depicted in faded red, share data over peer connections on the LAN for each subnet.
To customize client peering settings to suit your deployment, see Configuring Tanium Client peering.
The Tanium Server distributes files to managed endpoints when you deploy actions that use those files. For example, if you deploy an action to upgrade Windows, the Tanium Server distributes a package that includes the Windows patch file. Tanium Clients running on the endpoints participate in file distribution to optimize the process as follows:
- Tanium Client peering
Reduces the number of files that the Tanium Server distributes over WAN links. Instead of sending files to all managed endpoints, the Tanium Server sends files only to the few that are designated as the backward leader of a client linear chain. Each backward leader then relays the files over a high-speed LAN connection from one forward peer to another until they reach the forward leader.
- Tanium Client caching
Enables clients to redistribute files in small chunks known as shards. Each client maintains an intelligent local cache of the shard files that the Tanium Server previously distributed to the client linear chain. The result is that when the same files are requested later (for example, when an action runs again), clients can reassemble the files by collecting shards from their peers over the LAN, rather than requesting that the Tanium Server redistribute the files again. By default, each client maintains a shard cache of 100 MB. Each client keeps particular shards based on an algorithm to ensure an efficient distribution. These caches are also self-cleaning based on an algorithm that prioritizes recently used shards.
To distribute a file, the Tanium Server first downloads it and divides it into multiple shard files. Each shard is associated with a hash value. The Tanium Server then creates a manifest that maps all the component shards to the entire file. When you use the Tanium Server to distribute a package that includes a file, the package includes the manifest for that file.
The Tanium Server does not deliver shards through the registration process as it does for questions and actions. Instead, the Tanium Server delivers shards to each Tanium Client linear chain through the backward leader. When a Tanium Client receives the package and associated manifest file, it first checks its own cache to see if it already has any of the shards listed in the manifest. The Tanium Client then generates a new request message for all the shards that it could not find locally. This request message first flows forward along the linear chain to its end. As the request message traverses the chain, each peer checks its local cache for the listed shards. If the peer has one of the requested shards, it sends that shard to the requesting peer. To avoid duplication, it also removes that particular entry from the request message before propagating the message to the next peer in the chain. If Tanium Clients do not find all the shards after the forward flow along the chain, the clients send a request for shards that traverses the chain in the reverse direction. If shards are still missing after each peer has investigated its cache, the first Tanium Client requests the missing shards directly from the Tanium Server and distributes them appropriately.
Tanium Core Platform 7.2 or later supports TLS communication for connections from Tanium Client 7.2 or later to the Tanium Server or Tanium Zone Server. Tanium Client 7.4 or later uses TLS communication by default between client peers. For details, see the Tanium Core Platform Deployment Reference Guide: Setting up TLS communication. Tanium Client 6.0 does not support TLS and ignores TLS settings.
This documentation may provide access to or information about content, products (including hardware and software), and services provided by third parties (“Third Party Items”). With respect to such Third Party Items, Tanium Inc. and its affiliates (i) are not responsible for such items, and expressly disclaim all warranties and liability of any kind related to such Third Party Items and (ii) will not be responsible for any loss, costs, or damages incurred due to your access to or use of such Third Party Items unless expressly set forth otherwise in an applicable agreement between you and Tanium.
Further, this documentation does not require or contemplate the use of or combination with Tanium products with any particular Third Party Items and neither Tanium nor its affiliates shall have any responsibility for any infringement of intellectual property rights caused by any such combination. You, and not Tanium, are responsible for determining that any combination of Third Party Items with Tanium products is appropriate and will not cause infringement of any third party intellectual property rights.
Last updated: 4/2/2020 7:16 PM | Feedback