Problem
The executors documentation states that implants "will be deleted on assets' restart" for all third-party executors (Tanium, CrowdStrike, SentinelOne, Palo Alto Cortex). A client reported that runtimes/ and payloads/ directories persist indefinitely after inject execution, even after restarting the machine — contradicting this claim.
Affected page: https://docs.openaev.io/latest/deployment/ecosystem/executors/
Proposed changes
1. docs/deployment/ecosystem/executors.md
In all four third-party executor sections (Tanium, CrowdStrike, SentinelOne, Palo Alto Cortex), replace:
where XXXXX will be a completely random UUID, generated for each inject that will be executed.
This ensures that the implants are unique and will be deleted on assets' restart.
With:
where XXXXX will be a completely random UUID, generated for each inject that will be executed. This ensures that each implant is unique. Old implants are periodically cleaned up by the OpenAEV platform based on the clean-implant-interval configuration parameter (default: 8 hours). This cleanup is performed server-side — implant directories are not automatically deleted on endpoint restart.
2. docs/usage/openaev-agent.md
In the Features section, expand the "Execution cleanup and directory pruning" bullet to document when and how the native OpenAEV Agent prunes the runtimes/ subdirectories. Engineering input is needed to document the exact mechanism.
Context
- The clean-implant-interval parameter exists in the configuration tables for all four third-party executors but is not referenced in the prose describing implant lifecycle.
- The OpenAEV Agent page lists "Execution cleanup and directory pruning" as a feature but provides no detail on when or how this occurs.
- The payloads/ directory cleanup is not documented at all.
Triggered by a client question relayed by Sairam Jetty in the internal Teams channel.