Endpoint Protection

  • 1.  EDR became blind?

    Posted Oct 11, 2021 10:59 PM

    Hi all,
    Can someone explain this link?

    https://twitter.com/Seven_Stones/status/1444770356489822212?s=20

    and its relation to Symantec Endpoint Protection?


    Thanks



  • 2.  RE: EDR became blind?

    Posted Oct 12, 2021 02:35 AM
    Hi,

    First things first. The author mixes up EPP (Endpoint Protection) and EDR (Endpoint Detection and Response). DLL unhooking in user mode is possible, and that's true for pretty much every vendor. Most hooks for EDR are done in kernel mode, though. And if you read the original tweet, you can see that Adam Licata (Product Manager for Endpoint Security) discusses this with the author and backtested it. If you run SESC or SEP with EDR, you would have visibility into the unhooks made in user mode.


  • 3.  RE: EDR became blind?

    Broadcom Employee
    Posted Oct 13, 2021 10:50 PM
    Here's the thread for others who want to follow along: https://twitter.com/adamli9/status/1445840206649704455?s=20

    You'll see the screenshots from where we tested the unhooking technique and it didn't affect EDR. The author later says their post wasn't targeting Symantec.