uberAgent: Enhancing the Efficiency of Enterprise Systems

Helge Klein, Managing Director
As businesses find themselves leaning towards a hybrid-work model today, we bear witness to a significant uptick in the adoption of Citrix Systems— known for their prowess in providing remote workers with secure access to organizational systems and networks. While these solutions are powerful and purpose-built at the front-end, they’re often hindered by a multitude of backend issues, putting Citrix admins in a tough spot. To tackle such critical issues head-on, professionals have to manage a wide array of systems—servers, storage, and networking— while following the same trajectory on the end-user application side. Yet unfortunately, Citrix admins’ operational efficiency is often compromised owing to organizations’ reliance on traditional solutions that can only collect data different touchpoints. This leads to several process inefficiencies. A recent Citrix Performance Management Report stated that 53 percent of respondents often run into user experience issues.

This is precisely where uberAgent makes a world of difference. Born at the innovation labs of vast limits GmbH, uberAgent is a robust user experience monitoring and security analytics product that helps enhance the efficiency of enterprise systems. Whether it be physical systems, virtual desktops, Apple macOS, Citrix, or VMware, the solution covers them all without affecting the systems’ user density.

“What spurred the inception of uberAgent is our passion to help Citrix admins streamline their operations, combined with our indepth expertise and extensive experience in handling enterprise IT operations,” says Helge Klein, the Managing Director of vast limits.

Designed to augment user experience, security, performance, and provide insights into application usage of clients’ systems, uberAgent encompasses two major products—uberAgent UXM and uberAgent ESA—all integrated into a single agent that can easily be installed on endpoints. What gives uberAgent a competitive edge is its ability to provide high-quality information that enables IT professionals to have “true visibility” into their daily business operations. This way, uberAgent serves as a go-to solution for Citrix admins that addresses all aspects of their business operations—from providing insights on machine-level functions, resource utilization per user session, performance and footprint of each application, and security.

While uberAgent UXM specializes in offering rich context and metadata on all aspects of user experience and application performance, uberAgent ESA adds deep security visibility. “Our uberAgent UXM collects detailed inventory information, shows which applications are used when and how often, determines application reliability KPIs, and finds issues with network connectivity,” adds Klein.

uberAgent UXM collects detailed performance information, shows which applications are used when and how often, determines application reliability KPIs, and finds issues with network connectivity

For instance, the solution provides IT professionals with the right information on the increased usage of RAM upfront when they are planning to switch to a new version of Microsoft Office. Furthermore, uberAgent UXM can go the extra mile to deliver realtime insights on individual processes within the applications. On the other hand, uberAgent ESA is a powerful analytics product that collects relevant security information without flooding organizations’ SIEMs with data. Built with a powerful activity monitoring engine, the solution helps identify risky behavior, unusual communications, suspicious executables, and common vulnerabilities.

Another aspect that makes uberAgent unique is its architecture. The solution consists of two main components—the agent that runs the endpoints to send collected data to the configured back-end and a set of Splunk apps, providing dashboards, visualizations, searches, and reports. The endpoint agent is highly configurable, optimized for minimal footprint, and can be seamlessly scaled to use in 100,000s of endpoints, inducing clients’ entire fleet of desktops, laptops, and VMs without affecting user density. By using Splunk at the backend, uberAgent offers unlimited scalability and the flexibility to easily create custom dashboards and visualizations.

With such capabilities, uberAgent caters to a broad range of customers that encompasses several prominent enterprises, including Assicurazioni Generali, USC, Die Mobiliar, and Martini Ziekenhuis, to name a few. “Our success is the result of our forward-looking and innovation-first approach. We always strive to listen to our clients, understand their needs, and come up with innovative features that add value to their business operations,” mentions Klein. Moving ahead, the innovation labs at vast limits are working on enhancing uberAgent’s value proposition, intending to make a world of difference in the way IT professionals operate.

uberAgent News

uberAgent 6.2: Persistent Output Queue, Process Tampering Detection

We are happy to announce the newest version of our user experience monitoring & endpoint security analytics product. uberAgent 6.2 introduces the persistent output queue, which guarantees that no events are lost in transit, and comes with a ton of improvements for UXM and ESA.

Persistent Output Queue (Disk Buffering)

uberAgent’s persistent output queue (POQ) buffers the generated events on the endpoint’s disk before the agent attempts to send them to the backend. Only when an event has been delivered successfully is it removed from the POQ’s buffer.

The persistent output queue ensures that no data is lost even in situations where the backend is unavailable for prolonged periods of time. The most important use case for the POQ is with laptops.

On mobile devices, uberAgent was traditionally coupled with Splunk’s Universal Forwarder due to UF’s persistent queue functionality. With uberAgent’s new built-in persistent output queue, it’s not necessary anymore to deploy Universal Forwarder just for its disk buffering feature.

Citrix Cloud Monitoring

Introduced with uberAgent 6.1, Citrix Cloud monitoring is uberAgent’s capability to monitor the Citrix Virtual Apps and Desktops (CVAD) control plane in Citrix Cloud (announcement). Since the original release, we’ve been hard at work improving the speed and reliability of the queries to Citrix Cloud. The result is a fast and resilient Citrix Cloud connection that supports the latest API changes introduced by Citrix (e.g., pagination).

uberAgent ESA

Detection of Process Tampering & Remote Thread Creation

uberAgent ESA now detects remote thread creation (a form of code injection) and multiple process tampering techniques (process hollowing, herpaderping, doppelganging). All the relevant event properties are available via the Activity Monitoring Engine. See this blog post for details.

Splunk Enterprise Security

While uberAgent had CIM support for a long time, we have extended the integration greatly with uberAgent 6.2. If you are used to working with Sysmon data in ES, you will notice no difference when switching to uberAgent. uberAgent supports all CIM fields populated by popular Sysmon add-ons found in Splunkbase, and more!


uberAgent’s macOS agent has learned many new tricks, including:

• Application crash reporting.

• Network monitoring now includes the remote (target) name in addition to the IP address.

• DNS query monitoring.

• Improved detection of SSH sessions.


uberAgent 6.2 comes with dozens of additional improvements and fixes, e.g.:

• The converted Sigma ruleset has been updated and now supports more categories.

• Authenticode signature verification improvements.

• Further optimized the network monitoring driver for even higher throughput.


Monheim, North Rhine-Westphalia

Helge Klein, Managing Director

A leading user experience monitoring and security analytics product that provides Citrix admins with true visibility on all aspects of their business operations