When an agent enrolls to the Ava Reveal platform using an enrollment bundle, it is given a unique ID (agent UUID) and corresponding certificates to securely authenticate communication between the agent and the infrastructure. These credentials are stored on the machine's hard disk, so a clone of the virtual machine necessarily carries an exact copy of them.

If you clone a virtual machine whilst it is enrolled, the agent on the clone will connect to the infrastructure as soon as it boots and, because its certificates are valid, will immediately start committing events to the existing agent's activity feed.

If you do not change the hostname of the cloned machine, it can be very difficult to tell that two machines are reporting events into the Ava infrastructure at the same time. The only evidence will be the node's IP address changing periodically. The hostname and IP address are reported every 15 minutes as part of a heartbeat message that is independent of the other activity feed events. As such, if the hostname is modified on one of the machines, the hostname shown for the node on the map view will change within each 15-minute period.
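The heartbeat behaviour described above gives an administrator something to look for: one agent UUID whose reported hostname/IP pair keeps flipping back and forth, or whose heartbeats arrive more often than one 15-minute schedule would produce. The following is an added example, not Ava's own code or an official detection; it assumes you can export heartbeat records as (agent UUID, timestamp, hostname, IP) tuples, and the sample records are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

HEARTBEAT_INTERVAL = timedelta(minutes=15)  # heartbeat cadence described in the text

# Constructed sample heartbeats, not real Ava Reveal data:
# (agent UUID, ISO timestamp, reported hostname, reported IP)
SAMPLE_HEARTBEATS = [
    ("agent-aaaa", "2024-05-01T09:00:00", "ws-finance-01", "10.0.1.20"),
    ("agent-aaaa", "2024-05-01T09:15:00", "ws-finance-01", "10.0.1.20"),
    ("agent-aaaa", "2024-05-01T09:30:00", "ws-finance-01", "10.0.1.20"),
    # agent-bbbb: an enrolled VM was cloned; both copies keep the UUID and hostname
    ("agent-bbbb", "2024-05-01T09:00:00", "ws-sales-07", "10.0.2.40"),
    ("agent-bbbb", "2024-05-01T09:05:00", "ws-sales-07", "10.0.2.88"),
    ("agent-bbbb", "2024-05-01T09:15:00", "ws-sales-07", "10.0.2.40"),
    ("agent-bbbb", "2024-05-01T09:20:00", "ws-sales-07", "10.0.2.88"),
    # agent-cccc: a single DHCP lease change, which is normal and must not be flagged
    ("agent-cccc", "2024-05-01T09:00:00", "ws-hr-03", "10.0.3.50"),
    ("agent-cccc", "2024-05-01T09:15:00", "ws-hr-03", "10.0.3.51"),
    ("agent-cccc", "2024-05-01T09:30:00", "ws-hr-03", "10.0.3.51"),
]


def parse_heartbeats(rows):
    """Turn (uuid, iso_timestamp, hostname, ip) tuples into dicts with datetime objects."""
    return [
        {"uuid": u, "ts": datetime.fromisoformat(t), "hostname": h, "ip": ip}
        for u, t, h, ip in rows
    ]


def find_cloned_agents(heartbeats, interval=HEARTBEAT_INTERVAL):
    """Return {uuid: [reasons]} for agent UUIDs whose heartbeats look like two machines.

    Two heuristics (assumed thresholds, not Ava's):
      1. identity flip-flop: the (hostname, ip) pair changes and later returns to a
         value seen earlier; one machine changing address does not revert like this;
      2. cadence: two heartbeats arrive closer together than half the expected
         interval, which one agent on a 15-minute schedule would not normally produce.
    """
    by_uuid = defaultdict(list)
    for hb in heartbeats:
        by_uuid[hb["uuid"]].append(hb)

    findings = {}
    for uuid, hbs in by_uuid.items():
        hbs.sort(key=lambda h: h["ts"])
        reasons = []

        # Heuristic 1: walk the sequence of identities and watch for a revert.
        identities = [(h["hostname"], h["ip"]) for h in hbs]
        previous = set()
        current = identities[0]
        for ident in identities[1:]:
            if ident == current:
                continue
            previous.add(current)
            current = ident
            if ident in previous:
                reasons.append(f"identity reverted to {ident} after changing away from it")
                break

        # Heuristic 2: gaps between consecutive heartbeats that are too short.
        gaps = [b["ts"] - a["ts"] for a, b in zip(hbs, hbs[1:])]
        if any(g < interval / 2 for g in gaps):
            reasons.append(f"heartbeats closer than {interval / 2} apart")

        if reasons:
            findings[uuid] = reasons
    return findings


if __name__ == "__main__":
    for uuid, reasons in find_cloned_agents(parse_heartbeats(SAMPLE_HEARTBEATS)).items():
        print(uuid, "->", "; ".join(reasons))
```

Only agent-bbbb is reported: its IP alternates between two values and its heartbeats arrive every five minutes. The single address change on agent-cccc is left alone, so an ordinary DHCP renewal does not raise a false alarm.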

In order to ensure that individual activity feeds are kept clean and separate from each other, Ava recommends that virtual machines are only cloned while the agent is not installed, or at least not currently enrolled.

If an enrolled machine is cloned, we recommend immediately changing the hostname of the cloned machine and re-enrolling the agent. The re-enrollment can be achieved in a single command using the force re-enroll command:

agent[.exe] enroll -f <bundle_filepath/enroll_code>