The Movere ARC only runs as an installed service. When starting an ARC scan the user specifies the ARC interval (every 5, 10 or 15 minutes, etc.) and the duration (1, 3 or 7 days, etc.). These values are then added to the Movere ARC config file, which is sent to each targeted endpoint along with a copy of the ARC binary that collects, encrypts and transmits the required outputs. When the ARC bot arrives on the targeted endpoint, it installs as a service, both to trigger the ARC every x minutes and to survive a reboot. Even if the machine is powered off for several hours, when it reboots the ARC service will automatically restart. It will then read the config file and, if the expiration date has not yet been reached, it will restart the collection process. If the need arises to terminate the ARC service, simply rebooting the device therefore won’t work.
If we want to remove the ARC bot from all devices then we need to use this approach:
Step 1: We need to alter the Movere upload token.txt file. This can be done by opening the token.txt file in Notepad and inserting a single character (any character will do). Now save the file.
Step 2: We need to push the altered token.txt file to each device the ARC is running on (Windows only). To do this we start a new Inventory scan WITHOUT the ARC flag.
Step 3: Now this is where timing comes into play. We need to make sure that the altered token.txt file gets delivered to every targeted endpoint to force the ARC removal, but the Movere Console will not release the altered token.txt file to every targeted endpoint at the same time. Movere is configured to target 50 devices simultaneously, so if we are seeking to terminate the ARC bot on several hundred servers we need to leave the Movere service running for up to an hour to complete the altered token distribution. We can monitor this from the Movere Console: because the upload token.txt file has been altered, the inventory payloads will ONLY be returned to the Movere Console and nothing will be uploaded to the cloud. After all of the inventory files have been returned to the device the Movere Console is being run from, simply close the Movere Console.
What will happen now is that each targeted endpoint will attempt to upload its next ARC payload to the cloud, but this will fail because the upload token has been altered. Each ARC bot will then attempt to send its ARC payload back to the device the Movere Console was run from, but this will also fail because the Movere Console has now been closed, which shuts down the Movere listener. Having failed to upload its payload, the ARC bot will wait for the next ARC beat based upon the interval selected, i.e. 5, 10, 15 mins etc. If a 5 minute interval is used, then after 5 minutes the ARC service will start the next collection cycle and again attempt to upload to both the cloud and the device the Movere Console was run from, and again both will fail. Movere will then start the next ARC capture and again attempt to upload to both the cloud and the Movere Console. Once the third consecutive failure occurs, the ARC bot will make no further attempts to upload and will automatically dissolve both itself and any payloads it had collected but not uploaded.
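The removal timeline described above depends on three things: the beat interval, the moment the altered token.txt lands on the endpoint, and the moment the Movere Console is closed. The following is an added illustration, not Movere's own code, that models the bot's behaviour as the text describes it (collect, try the cloud, fall back to the console, dissolve on the third consecutive failure, stop when the config expiry is reached). The bot state, the scenario parameters and the minute-based clock are constructed assumptions used only to work out when a bot will dissolve; for example, with a 5 minute interval and the console closed 12 minutes after the first beat, the bot dissolves at minute 25.

```python
"""Constructed model of the ARC bot's beat / upload / dissolve cycle.
Not Movere's code: the state machine below follows the page's description,
and every name and number here is an assumption of this illustration."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAX_CONSECUTIVE_FAILURES = 3   # the text: the third failed upload dissolves the bot


@dataclass
class ArcBot:
    interval_min: int             # ARC beat interval from the config file
    expires_min: int              # minute at which the configured duration ends
    failures: int = 0             # consecutive failed upload attempts
    dissolved: bool = False
    pending: List[str] = field(default_factory=list)        # collected, not uploaded
    delivered: List[Tuple[str, str]] = field(default_factory=list)  # (destination, payload)


@dataclass
class Environment:
    token_valid_until_min: int    # altered token.txt arrives on the endpoint here
    console_open_until_min: int   # Movere Console (and its listener) is closed here


def beat(bot: ArcBot, env: Environment, now_min: int) -> None:
    """One ARC cycle at minute `now_min`: collect, then try cloud, then console."""
    if bot.dissolved or now_min >= bot.expires_min:
        return                                   # expired bots simply stop collecting
    payload = f"arc-payload@{now_min:03d}"
    bot.pending.append(payload)

    if now_min < env.token_valid_until_min:
        dest: Optional[str] = "cloud"            # upload token still valid
    elif now_min < env.console_open_until_min:
        dest = "console"                         # token broken, listener still up
    else:
        dest = None                              # both upload paths fail

    if dest is None:
        bot.failures += 1
        if bot.failures >= MAX_CONSECUTIVE_FAILURES:
            bot.dissolved = True
            bot.pending.clear()                  # un-uploaded payloads are discarded
        return

    bot.failures = 0                             # a success resets the failure run
    bot.delivered.extend((dest, p) for p in bot.pending)
    bot.pending.clear()


def simulate(bot: ArcBot, env: Environment, end_min: int) -> Optional[int]:
    """Fire beats from minute 0 until `end_min`; return the minute the bot dissolved, if it did."""
    now = 0
    while now <= end_min and not bot.dissolved:
        beat(bot, env, now)
        if bot.dissolved:
            return now
        now += bot.interval_min
    return None


def run_scenario(interval_min: int, token_valid_until_min: int,
                 console_open_until_min: int, expires_min: int = 3 * 24 * 60,
                 end_min: int = 24 * 60) -> Tuple[Optional[int], int]:
    """Return (minute of dissolution or None, number of payloads successfully uploaded)."""
    bot = ArcBot(interval_min=interval_min, expires_min=expires_min)
    env = Environment(token_valid_until_min, console_open_until_min)
    dissolved_at = simulate(bot, env, end_min)
    return dissolved_at, len(bot.delivered)


def worst_case_dissolve_min(interval_min: int, console_closed_min: int) -> int:
    """Upper bound: the first failing beat is at most one interval after the console closes,
    and two more beats must fail after that."""
    return console_closed_min + MAX_CONSECUTIVE_FAILURES * interval_min


if __name__ == "__main__":
    for interval in (5, 10, 15):
        when, uploaded = run_scenario(interval, 12, 12)
        print(f"interval {interval:2d} min: dissolved at minute {when}, "
              f"{uploaded} payloads uploaded before that "
              f"(bound {worst_case_dissolve_min(interval, 12)})")
```

The bound from worst_case_dissolve_min is what matters operationally: once the altered token has reached every endpoint and the console is closed, every bot should be gone within three intervals, so a 15 minute ARC interval means waiting up to 45 minutes before checking that the service has disappeared from the targeted devices.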