The runZero Explorer is a lightweight scan engine that enables network and asset discovery. You should have at least one Explorer deployed. After deployment, you can manage your Explorers from the Deploy page in your runZero web console.
Viewing all Explorers
For each Explorer, you can see:
- The Explorer status (whether it is communicating with runZero)
- The OS it is running on
- Its name
- Any site it is associated with
- Its IP addresses
- The software version it is running
- Whether the version of npcap installed is up-to-date, if the OS is Windows (see upgrading npcap below)
- The CPU architecture of the host machine
- Any tags associated with the Explorer
- The status of its last scan
- Its capabilities, like Chrome support
To capture screenshots, Chrome must be installed. You can check if an Explorer has screenshot capabilities by looking for the Chrome icon in the
Here’s what each icon means:
- Green icon - The Explorer has access to a Google Chrome binary and can take screenshots.
- Red icon - No suitable Chrome binary was found.
Searching for Explorers
You can use the search bar to find Explorers. The query syntax is similar to other search bars in runZero, with keywords to filter by specific fields:
Each Explorer has a set of action buttons that allow you to:
- Reinstall an Explorer - Performs a reinstall or upgrade of the Explorer. The current Explorer will download the latest Explorer code from runZero, and then run the install process.
- Configure an Explorer - You can associate the Explorer with a specific site, and add tags to it. You can also set the maximum number of concurrent scans allowed. A single Explorer can be configured to run multiple tasks at once.
- Reassign an Explorer - You can reassign an Explorer to a different organization within your account or even to a different runZero client account entirely.
- Remove an Explorer - If the Explorer is running, the Explorer will be asked to uninstall itself from the host machine. If the Explorer is not running, you can still tell runZero to forget about it. This is useful if you have decommissioned the machine the Explorer was running on or uninstalled the Explorer manually. If the Explorer runs again after runZero has been told to forget it, it will be re-added to the registered Explorers list.
Bulk management operations
Bulk operations allow you to perform a set of actions on multiple Explorers at one time. Bulk actions are available from the Manage all Explorers menu.
You can bulk:
- Update all online Explorers - Tells all Explorers that are up and communicating with runZero to upgrade their software.
- Forget all offline Explorers - Clears all Explorers currently offline, and makes runZero forget them. No data will be lost. If any of the Explorers are reactivated, they will be added back to the active list.
- Uninstall all online Explorers - Tells all online Explorers to uninstall themselves from their host systems.
- Automatically assign sites - Runs through all of the Explorers that are not currently assigned to a specific site. It checks their IP address against the CIDR IP ranges of the registered subnets of all sites in the current organization. If the Explorer’s IP address only matches a single site, the Explorer is assigned to that site.
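The single-match rule for automatic site assignment, sketched as an added example (this is not runZero's code). The site names, subnets and Explorer addresses are constructed, and treating a match on any one of an Explorer's addresses as a match for that site is an assumption.

```python
import ipaddress

# Constructed sample data: site names, subnets and Explorer addresses are
# hypothetical and only illustrate the matching rule described above.
SITES = {
    "HQ": ["10.0.0.0/16", "192.168.10.0/24"],
    "Branch": ["10.1.0.0/16"],
    "Lab": ["10.0.50.0/24"],  # overlaps HQ's 10.0.0.0/16
}

EXPLORERS = {
    "explorer-hq": ["192.168.10.7"],
    "explorer-branch": ["10.1.4.20", "fe80::1"],
    "explorer-lab": ["10.0.50.9"],   # inside both HQ and Lab ranges
    "explorer-dmz": ["172.16.0.5"],  # inside no registered subnet
}


def matching_sites(addresses, sites):
    """Return the sorted names of sites with a subnet containing any address."""
    hits = set()
    for raw in addresses:
        ip = ipaddress.ip_address(raw)
        for name, subnets in sites.items():
            for cidr in subnets:
                net = ipaddress.ip_network(cidr, strict=False)
                # IPv4 addresses never belong to IPv6 networks, and vice versa.
                if ip.version == net.version and ip in net:
                    hits.add(name)
    return sorted(hits)


def auto_assign(explorers, sites):
    """Assign an unassigned Explorer only when exactly one site matches."""
    result = {}
    for name, addresses in explorers.items():
        hits = matching_sites(addresses, sites)
        # Zero matches or an ambiguous match leaves the Explorer unassigned.
        result[name] = hits[0] if len(hits) == 1 else None
    return result


if __name__ == "__main__":
    for explorer, site in auto_assign(EXPLORERS, SITES).items():
        print(f"{explorer}: {site or 'left unassigned'}")
```

An Explorer whose address falls inside overlapping subnets of two sites stays unassigned under this rule, so overlapping site ranges are worth reviewing before relying on automatic assignment.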
Viewing Explorer details
Clicking on an Explorer’s name takes you to a page showing the diagnostic information for that Explorer, including its software version, available memory, and network interfaces.
At the bottom of the page is a diagnostics text area. Clicking the Update Diagnostics button will fetch an updated list of all sub-processes active within the Explorer. This is useful to send to runZero support if you are having problems with a particular Explorer.
The Explorer details page is also where users can configure traffic sampling.
- From the Registered Explorers page, select the Explorer you wish to configure to perform traffic sampling.
- In the traffic sampling card, configure the following options:
  - Site: Specify the site to which assets discovered through traffic sampling will be added.
  - Discovery scope: List the IP addresses or CIDR networks that traffic sampling will observe on this Explorer.
  - Asset tags (optional): List the tags you want applied to assets discovered through traffic sampling.
  - Excluded hosts (optional): List the IP addresses or CIDR networks that traffic sampling will exclude from the results.
  - Interfaces: Toggle the switches for the interfaces you want this Explorer to listen on.
- Click Save to save your configuration and initiate the traffic sampling task.
Once configured, traffic sampling can be disabled by returning to this page and toggling off the selected interfaces. Upon saving, the traffic sampling tasks will automatically stop.
On Windows, runZero uses a licensed third-party library called npcap for access to raw network traffic. Other software installed on the Explorer’s host machine may also use npcap, and sometimes will have installed obsolete versions of the software. This can cause reliability problems.
runZero will alert you to obsolete versions of npcap by displaying a warning icon in the list of Explorers.
However, runZero cannot yet reliably upgrade npcap for you. Because npcap/winpcap tends to be shared between applications, forcing an upgrade from the runZero side can break other services (EDRs, Wireshark, etc.).
To upgrade npcap manually:
- Stop any running runZero services. This can be done using the Windows Services app. You’ll need to look for “runZero Network Discovery Explorer”.
- Stop any other running software which uses npcap.
- Uninstall Winpcap and any npcap installations via the Windows Control Panel.
- Reboot the computer.
runZero will restart automatically, and install the latest npcap.