Docs / CIS Auditor Guide

CIS Auditor Guide

Step-by-step instructions for installing, enrolling, and running compliance scans with the CIS Auditor agent on Windows.

v1.0.0 Windows 10 / 11 CIS L1 & L2

Prerequisites

Before installing the agent, make sure the target machine meets these requirements.

Requirement Details
Operating SystemWindows 10 (21H2 or later) or Windows 11 (any edition)
Architecturex86-64 (AMD64)
PrivilegesLocal Administrator (for installation only)
PowerShell5.1 or later (built-in on all supported OS versions)
NetworkHTTPS outbound to app.corvus-security.net (port 443)
Corvus AccountFree account at app.corvus-security.net

No inbound ports required. The agent uses outbound HTTPS polling only — it connects to the backend every 30 seconds to check for scan jobs. You do not need to open firewall rules or configure a reverse proxy.

Quick Install (Recommended)

The quickest way to get started is the one-line PowerShell installer. It downloads the agent binary, enrolls the endpoint, and sets up a background service — all in under a minute.

1

Generate an enrollment token

Log in to the Corvus Security dashboard. In the left sidebar, click Agents, then click the Generate Token button.

A modal will appear showing a one-time enrollment token. Copy the full token — it is valid for 24 hours and can only be used for one enrollment.

The dashboard also shows the complete coreagent enroll command with your token pre-filled. You can copy that command directly and skip to Step 3.

2

Run the installer (elevated PowerShell)

Open PowerShell as Administrator (right-click → "Run as Administrator"), paste the command below, and replace YOUR-TOKEN-HERE with the token from Step 1.

# Replace the token value with yours
$token = "YOUR-TOKEN-HERE"
& ([scriptblock]::Create((irm 'https://app.corvus-security.net/downloads/install.ps1'))) -Token $token

The script will:

  1. Download the latest coreagent.exe to C:\ProgramData\CIS-Auditor\
  2. Enroll the endpoint using your token
  3. Register a Windows Scheduled Task (runs as SYSTEM, starts at boot)
  4. Start the agent immediately

Execution policy: If your machine blocks remote scripts, run PowerShell with -ExecutionPolicy Bypass, or use the ZIP installer described in the Manual Install section.

Alternative: Download and run locally

# Download installer script
Invoke-WebRequest -Uri 'https://app.corvus-security.net/downloads/install.ps1' -OutFile install.ps1

# Run it (still requires elevation)
powershell -ExecutionPolicy Bypass -File .\install.ps1 -Token "YOUR-TOKEN-HERE"
3

Verify the agent is online

Return to the Agents page in the dashboard. Within 30–60 seconds your new endpoint should appear with status Online.

You can also check the status locally in PowerShell:

# Check scheduled task state (should say "Running")
(Get-ScheduledTask -TaskName CISAuditorAgent).State

# View recent agent log lines
Get-Content "C:\ProgramData\CIS-Auditor\agent.log" -Tail 20

Manual / Offline Install

Use the manual method when you need to deploy via MDM (Intune, SCCM, Ansible), when machines have no direct internet access during install, or when you prefer full control over file placement.

Step 1 – Download the installer package

Download coreagent-installer.zip from the dashboard Agents page or the Releases page. Extract it — you will find:

  • coreagent.exe — the agent binary
  • install.ps1 — interactive PowerShell installer
  • install.bat — wrapper that calls install.ps1 with elevation
  • uninstall.ps1 — clean uninstaller

Step 2 – Place the binary

Copy coreagent.exe to your chosen install directory. The default path expected by the installer is:

C:\ProgramData\CIS-Auditor\coreagent.exe

Step 3 – Enroll the endpoint

Run the enroll command from an elevated command prompt or PowerShell. Replace the placeholders with your actual values.

REM Command Prompt (elevated)
C:\ProgramData\CIS-Auditor\coreagent.exe enroll ^
  --url https://app.corvus-security.net ^
  --token YOUR-ENROLLMENT-TOKEN

On success the agent prints [OK] enrolled and writes two files:

  • C:\ProgramData\CIS-Auditor\agent.json — agent ID and backend URL
  • C:\ProgramData\CIS-Auditor\credentials.enc — DPAPI-encrypted agent secret

Step 4 – Register the background service

Register the agent as a Windows Scheduled Task so it starts automatically and restarts on failure:

# PowerShell (elevated)
$exe      = "C:\ProgramData\CIS-Auditor\coreagent.exe"
$action   = New-ScheduledTaskAction -Execute $exe -Argument 'run'
$trigger  = New-ScheduledTaskTrigger -AtStartup
$settings = New-ScheduledTaskSettingsSet `
    -ExecutionTimeLimit ([TimeSpan]::Zero) `
    -RestartCount 5 -RestartInterval (New-TimeSpan -Minutes 1) `
    -MultipleInstances IgnoreNew -StartWhenAvailable
$principal = New-ScheduledTaskPrincipal -UserId SYSTEM -LogonType ServiceAccount -RunLevel Highest

Register-ScheduledTask -TaskName CISAuditorAgent `
    -Action $action -Trigger $trigger `
    -Settings $settings -Principal $principal -Force

Start-ScheduledTask -TaskName CISAuditorAgent

Unattended / MDM Deployment

For Intune, SCCM, or Ansible deployments, use the install.ps1 script with inline parameters — no interactive prompts:

powershell -ExecutionPolicy Bypass -NoProfile -File .\install.ps1 `
  -Token "YOUR-ENROLLMENT-TOKEN" `
  -Url   "https://app.corvus-security.net"

The script exits with code 0 on success and 1 on failure, so it integrates cleanly with deployment tool error handling.

Running a Scan

Once the agent is enrolled and online, you can trigger a compliance scan from the dashboard or via the API.

From the Dashboard

  1. 1 Open Scans in the sidebar.
  2. 2 Click New Scan. Select the target agent, rule pack (e.g. Windows 11 CIS L1), and CIS level.
  3. 3 Click Run Scan. The job enters the queue and the agent picks it up within 30 seconds.
  4. 4 The scan page refreshes automatically. Click any result row to see the finding details.

From the Command Line (on the endpoint)

You can also trigger a scan locally for quick testing without the dashboard:

REM Scan with auto-detected OS pack, print results to stdout
coreagent.exe scan

REM Scan a specific pack and CIS level
coreagent.exe scan --pack windows11-cis-l1 --level 1

REM Save results as JSON
coreagent.exe scan --pack windows11-cis-l1 --out results.json

Available rule packs: windows10-cis-l1, windows11-cis-l1. Run coreagent.exe scan --help to see all options.

Understanding Results

Each finding has one of four statuses:

PassThe control is correctly configured. No action needed.
FailThe current value does not meet the CIS requirement. Click the row to see the observed vs. expected values and remediation steps.
ErrorThe agent could not collect the required data. Usually means the agent needs elevated privileges for that specific check (e.g. audit policy).
N/AThe control does not apply to this configuration (e.g. a domain-specific check on a workgroup machine).

The compliance score at the top of each scan is calculated as: passed checks ÷ (total − N/A), expressed as a percentage. Error findings count as failed.

Dashboard Tour

Dashboard

The main dashboard shows your fleet at a glance: total agents, online/offline count, recent scan scores, and open support tickets. The Download section at the bottom lets you grab the agent installer directly.

Agents

Lists all enrolled endpoints with their current status, last heartbeat time, and latest scan score. Click an agent row to open its detail page — you can see per-agent scan history and trigger a new scan directly from there.

The Generate Token button creates a new enrollment token for onboarding another endpoint. Tokens expire after 24 hours.

Scans

Shows all scan jobs across all agents. Click any row to open the scan detail page, which includes:

  • Overall compliance score with a visual ring gauge
  • Pass / Fail / Error / N/A summary cards
  • Findings grouped by CIS category (e.g. Account Policies, Windows Firewall)
  • Per-finding observed vs. expected value comparison
  • Remediation guidance for each failed control
  • Export to JSON, CSV, or printable HTML report

Policies

Policies define what gets scanned, when, and at which CIS level. Create a policy to schedule recurring compliance checks without manual intervention.

  • Select a rule pack and CIS level (L1 = basic hardening, L2 = strict hardening)
  • Optionally restrict to specific CIS categories
  • Set a cron schedule (e.g. daily at 02:00, every Monday morning)

Settings

Manage your account, users, and API tokens. Under the Security tab you can:

  • Change your password
  • Enable two-factor authentication (TOTP)
  • Create API tokens (csk_…) for programmatic access

Scan Policies

Policies let you automate scans on a schedule so compliance is continuously monitored rather than spot-checked. A policy is assigned per-tenant (applies to all agents in your account).

Creating a policy

  1. Go to PoliciesNew Policy
  2. Give it a name (e.g. "Windows 11 Weekly L1")
  3. Select the rule pack and CIS level
  4. Optionally filter by CIS categories (leave blank to scan everything)
  5. Set the schedule: choose a preset (daily, weekly, monthly) or enter a custom cron expression
  6. Click Save

CIS Level 1 covers basic hygiene — settings that are universally applicable with minimal impact on usability. CIS Level 2 adds stricter controls suited for high-security environments; some L2 settings may affect usability.

Remediation

The scan detail page includes two action icons on every failing finding:

Rescan (refresh icon)

Re-runs the compliance check for this single rule immediately. Use this to confirm a manual fix took effect without running a full scan.

Auto-fix (wrench icon) — registry rules only

Sends a remediation job to the agent. The agent applies the registry fix and immediately rescans the rule. The finding updates inline once the job completes — the badge shows "Fixed — now passing" if it succeeded or "Still failing" if additional action is needed.

Auto-fix scope: Only registry-based CIS controls can be auto-remediated from the dashboard. Controls that require Group Policy, audit policy (auditpol.exe), or service configuration must be fixed manually using the "How to fix" guidance shown in each finding's detail panel.

Configuration

The agent stores its configuration in C:\ProgramData\CIS-Auditor\.

File Contents
agent.jsonAgent ID, backend URL, and enrollment status.
credentials.encDPAPI-encrypted agent secret. Tied to the SYSTEM account on this machine.
agent.logRolling log file for heartbeats, scan activity, and errors.

CLI commands

coreagent.exe <command>

  enroll        Enroll this endpoint with the backend
  run           Start the background polling daemon
  scan          Run a compliance scan (prints results)
  heartbeat     Send a single heartbeat to the backend
  update        Check for and apply agent updates
  diagnostics   Self-test: config, credentials, connectivity, packs
  version       Print agent version

Running diagnostics

The built-in diagnostics command checks everything in one go:

coreagent.exe diagnostics

It verifies: config file, DPAPI credentials, OS detection, available rule packs, backend connectivity, and a live heartbeat. Look for any lines beginning with FAIL.

Uninstalling

To remove the agent from an endpoint, run the uninstaller from an elevated PowerShell:

# From the installer directory
powershell -ExecutionPolicy Bypass -File .\uninstall.ps1

# Remove config files too (clears credentials.enc and agent.json)
powershell -ExecutionPolicy Bypass -File .\uninstall.ps1 -RemoveConfig

If you no longer have the installer, remove the scheduled task manually:

# Stop and remove scheduled task
Stop-ScheduledTask   -TaskName CISAuditorAgent
Unregister-ScheduledTask -TaskName CISAuditorAgent -Confirm:$false

# Remove install directory (optional)
Remove-Item -Recurse -Force "C:\ProgramData\CIS-Auditor"

After uninstalling, the agent will stop sending heartbeats and the endpoint will appear as Offline in the dashboard. You can delete it from the Agents page using the delete action.

Troubleshooting

Agent stays Offline after installation

1. Check the scheduled task is running: (Get-ScheduledTask -TaskName CISAuditorAgent).State should show Running.

2. Read the log: Get-Content "C:\ProgramData\CIS-Auditor\agent.log" -Tail 30

3. Run diagnostics: coreagent.exe diagnostics — look for connectivity failures.

4. Verify outbound HTTPS to app.corvus-security.net:443 is not blocked by your firewall or proxy.

Enrollment fails with "invalid token"

Enrollment tokens expire after 24 hours and can only be used once. Generate a fresh token in the dashboard (Agents → Generate Token) and retry.

Many findings show "Error" status

Most errors are caused by checks that require elevated privileges (e.g. reading audit policy via auditpol.exe or reading specific security policy keys).

The agent runs as SYSTEM via the Scheduled Task, which has the required permissions. If you are running coreagent.exe scan manually from a user session, some collectors will fail — this is expected.

For automated scans from the dashboard, SYSTEM-level access is used automatically and Error counts should be minimal.

Scan completes but findings don't appear

Wait 60 seconds then refresh the page — the agent uploads results after completing the scan and the dashboard refreshes on load.

Check the agent log for upload errors: Get-Content "C:\ProgramData\CIS-Auditor\agent.log" -Tail 30

PowerShell script is blocked by execution policy

Run PowerShell with the -ExecutionPolicy Bypass flag, or download the installer ZIP from the dashboard and double-click install.bat — it handles the policy bypass internally.

powershell -ExecutionPolicy Bypass -File .\install.ps1 -Token "YOUR-TOKEN"
Agent was already installed — how to re-enroll

Re-running the installer automatically stops any existing instance and replaces the binary. It then re-enrolls with the new token. No manual cleanup needed.

To re-enroll an existing installation manually: stop the task, delete credentials.enc and agent.json, then run coreagent.exe enroll --url … --token … again.

← Documentation Overview Developer API →