Endpoint Protection


EDR became blind?

  • 1.  EDR became blind?

    Posted 8 days ago

    Hi all,
    Can someone explain about this link?

    https://twitter.com/Seven_Stones/status/1444770356489822212?s=20

    and the relation in Symantec Endpoint Protection.


    Thanks



  • 2.  RE: EDR became blind?

    Posted 8 days ago
    Hi,

    First things first. The author mixes up EPP (Endpoint Protection) and EDR (Endpoint Detection and Response). DLL unhooking in user mode is possible, and that's true for pretty much every vendor. Most hooks for EDR are done in kernel mode though. And if you read the original tweet you can see that Adam Licata (Product Manager for Endpoint Security) discusses this with the author and backtested it. If you run SESC or SEP with EDR you would have the visibility for the unhooks made in user mode.


  • 3.  RE: EDR became blind?

    Broadcom Employee
    Posted 6 days ago
    Here's the thread for others who want to follow along: https://twitter.com/adamli9/status/1445840206649704455?s=20

    You'll see the screenshots from where we tested the unhooking technique and it didn't affect EDR. The author later says their post wasn't targeting Symantec.