The OneView architecture consists of a few components working together to protect your endpoints. This article explains each piece of the architecture.
- OneView Console: Provides centralized management of devices through a web-based user interface. Use the console to configure policy settings, view quarantined items, and monitor endpoint activity.
- Nebula site: OneView is a multi-tenant console that allows admins to manage multiple sites. Each site is a Nebula site, containing distinct entities such as endpoints, schedules, and groups.
- Cloud Servers: Store and relay endpoint information between OneView and your devices.
- Endpoint Agent: The software installed on a device that communicates with the cloud servers. Devices with the software installed are referred to as endpoints.
- Plugins: Software components installed on endpoints that perform tasks, run scans, and protect the device. They are installed automatically based on the policy settings applied to the endpoint. To see which plugins an endpoint has, go to Manage > Endpoints, click the endpoint, and look under the Agents and plugins section.
- Agent Service: A core background agent service that facilitates communication between the endpoint and OneView, enabling policy enforcement, updates, event reporting, and coordination with other security modules.
- User Agent: A user-facing component that shows alerts, notifications, and security prompts, gives visibility into the agent's status, and lets the user start scans and other actions.
- Endpoint Detection and Response: The plugin that collects the data used to identify Suspicious Activity, takes the backups used by Ransomware Rollback, and performs Endpoint Isolation.
- Endpoint Protection: The plugin that controls and manages the protection layers.
- Endpoint Protection protection update: The detection rules and heuristics the Endpoint Protection plugin uses to identify malware.
- Protection service version: The primary service that provides real-time protection and Device Control.
- Component package version: The package that contains the controllers and components that power the protection layers.
- Asset Manager: The plugin that collects information about the endpoint including installed, startup, and other software.
- Software management SDK: A toolkit that enables third-party applications on endpoints to be inventoried and updated. It provides programmatic access to software inventory and management functions.
- Windows Remote Intrusion Detection and Prevention: The plugin that monitors failed remote login attempts over Windows protocols and creates a Windows Firewall rule that temporarily blocks the source IP address.
- Active Response Shell: The plugin that enables Active Response Shell, a remote command shell, on an endpoint.
- SIEM: The plugin that forwards detection events to a preconfigured Syslog server.
- DNS Content Filtering: A plugin that restricts access to specific domains based on predefined policies. It filters DNS queries before they are resolved, blocking harmful, inappropriate, or non-compliant websites. Because it works at the name-resolution step, it does not block connections made directly to an IP address.
- DNS Crypt Proxy: A security feature that encrypts DNS traffic between the endpoint and Cloudflare using the DNSCrypt protocol, preventing spoofing, tampering, and surveillance of DNS requests in transit.
- Firewall Management: Provides centralized control and enforcement of network traffic rules on endpoints. It manages system-level firewalls to allow or block traffic based on security policies, reducing exposure to network-based threats.
- Browser Phishing Protection: A browser module with an extension that detects and blocks phishing websites in real time by scanning URLs and webpage content.
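The Windows Remote Intrusion Detection and Prevention item describes a mechanism (count failed remote logons per source address, then add a temporary Windows Firewall block rule) without showing it. The script below is an added illustration of that mechanism written for this article; it is not Malwarebytes code and does not reflect the plugin's real thresholds or rule names. The threshold (5 failures in 5 minutes), block duration (10 minutes), and the `RIDP-Block-` rule-name prefix are assumptions. It reads Security event 4625 (an account failed to log on) and treats logon types 3 (network) and 10 (RemoteInteractive) as remote attempts. Run it elevated, on a schedule, so the expiry pass also runs.

```powershell
# Added example for this article, not the Malwarebytes plugin's code.
# Assumed values: 5 failures in 5 minutes -> block for 10 minutes, rules named "RIDP-Block-<ip>".
param(
    [int]$Threshold     = 5,
    [int]$WindowMinutes = 5,
    [int]$BlockMinutes  = 10,
    [string]$Prefix     = 'RIDP-Block-'
)

$since = (Get-Date).AddMinutes(-$WindowMinutes)

# Event 4625 = "An account failed to log on". The source address is the IpAddress
# field in the event XML; logon types 3 and 10 are the remote (network / RDP) cases.
$failures = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{ Ip = $data['IpAddress']; LogonType = $data['LogonType'] }
    } |
    Where-Object {
        $_.Ip -and $_.Ip -ne '-' -and $_.Ip -notin @('127.0.0.1', '::1') -and $_.LogonType -in @('3', '10')
    }

# Block: one inbound Block rule per offending address, with the expiry stored in the description.
foreach ($group in ($failures | Group-Object Ip | Where-Object Count -ge $Threshold)) {
    $ip   = $group.Name
    $name = "$Prefix$ip"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        $expires = (Get-Date).AddMinutes($BlockMinutes).ToString('o')
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
            -RemoteAddress $ip -Profile Any -Description "expires=$expires" | Out-Null
        Write-Output "Blocked $ip after $($group.Count) failed remote logons"
    }
}

# Expire: remove our own rules whose recorded expiry has passed (the block is temporary).
foreach ($rule in (Get-NetFirewallRule -DisplayName "$Prefix*" -ErrorAction SilentlyContinue)) {
    if ($rule.Description -match '^expires=(.+)$' -and [datetime]::Parse($Matches[1]) -lt (Get-Date)) {
        Remove-NetFirewallRule -Name $rule.Name
        Write-Output "Unblocked $($rule.DisplayName.Substring($Prefix.Length))"
    }
}
```

Two practical checks follow from this: `Get-NetFirewallRule -DisplayName 'RIDP-Block-*'` (or whatever prefix the product actually uses) shows which addresses are currently blocked, and because the rule matches only on remote address, a blocked host is cut off from every inbound service on the endpoint until the rule expires, not just the protocol it was attacking.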