top of page
Writer's pictureCynor Sense

EDR : Architecture & Solutions (Part1)

Updated: Mar 1

We don't want to bore you with importance of EDR and what it is as we presume you have gone through number of articles about EDR. Here's a high-level overview of the architecture for Endpoint Detection and Response (EDR) on Windows, Linux, and Mac operating systems.

EDR onboarding

How EDR works?


Windows EDR Architecture:

  1. Endpoint Agents: EDR agents are installed on endpoint systems to collect system and user activity data.

  2. Data Processing: The data collected by EDR agents is sent to a central data processing server for analysis and storage. The server can be deployed on-premise or in the cloud.

  3. Threat Detection: The processed data is analysed using machine learning and other detection techniques to identify potential threats and suspicious activity.

  4. Response and Remediation: Once a threat is detected, EDR systems can take action to contain the threat and remediate the affected systems. Actions can include isolating the endpoint, killing malicious processes, or rolling back system changes.

Windows Defender EDR AV

  1. EDR components:

EDR MDR XDR Antivirus
  1. Endpoint Agents: EDR agents are installed on endpoint systems to collect system and user activity data.

  2. Minifilter Driver and Network Drivers: Minifilter drivers are installed on the endpoint system to intercept and monitor file activity, while network drivers, such as NDIS, monitor network activity.

  3. File System and Registry: The file system and registry manage file and system activity on the endpoint, and communicate with the minifilter driver to intercept I/O operations.

  4. Network Stack: The network stack manages network activity on the endpoint, and communicates with network drivers to intercept network operations.

  5. Data Processing: The data collected by the EDR agent, minifilter driver, and network drivers is sent to a central data processing server for analysis and storage.

  6. Threat Detection: The processed data is analysed using machine learning and other detection techniques to identify potential threats and suspicious activity.

  7. Response and Remediation: Once a threat is detected, EDR systems can take action to contain the threat and remediate the affected systems. Actions can include isolating the endpoint, killing malicious processes, or rolling back system changes.

  8. Data Center Infrastructure: The data centre infrastructure supports the processing and analysis of endpoint data, including the use of network sensors to monitor network traffic.

Windows EDR Architecture


Windows Minifilter Drivers operate on given Microsoft Altitude range or numbers.



Windows EDR process flow


  • This diagram includes the Altitude numbers for the Microsoft drivers. The UMDF (Low), KMDF (Low), and WDDM (Low) drivers are shown in the AppContainer (Low) range, along with the Storage (Low) and Class (Low) drivers. The WDF filter is shown in the Lowest Altitude range. The EDR minifilter driver is still shown in the System (High) range with the Windows Defender components.

  • Microsoft Altitude ranges in addition to the user space, kernel space, and EDR minifilter driver components. The AppContainer (Low) range represents user applications that run in a low-privileged environment with restricted access to system resources, while the System (High) range represents the kernel mode code and Windows services that have access to all system resources. The EDR minifilter driver is shown in the System (High) range, with access to the file system, registry, and network monitoring. The Windows Defender components are also included, with the antivirus engine, GUI, and Security Center shown in the System (High) range, and the EDR management tool shown in the AppContainer (Low) range.

  • Class Drivers: These are drivers that provide generic functionality for a particular device class, such as USB or audio devices. They are included with the operating system and are automatically installed when a compatible device is connected.

  • Kernel-Mode Driver Framework (KMDF): This is a framework for developing kernel-mode device drivers in Windows. It provides a set of libraries and tools to simplify driver development and ensure compatibility with the operating system.

  • User-Mode Driver Framework (UMDF): This is a framework for developing user-mode device drivers in Windows. It provides a set of libraries and tools to simplify driver development and ensure compatibility with the operating system.

  • WDF Filter: This is a filter driver that can be used with KMDF or UMDF to add additional functionality to a device driver. It can intercept and modify I/O requests to a device and can be used for tasks such as monitoring or filtering network traffic.

  • Windows Display Driver Model (WDDM): This is a driver model for graphics devices in Windows. It provides a standard interface for communicating with graphics hardware and allows for features such as hardware acceleration and multiple display support.

  • Storage Class Drivers: These are drivers that provide functionality for storage devices such as hard drives, optical drives, and flash drives. They are included with the operating system and are automatically installed when a compatible device is connected.


Linux EDR Architecture:

  1. Endpoint Agents: EDR agents are installed on endpoint systems to collect system and user activity data.

  2. Data Processing: The data collected by EDR agents is sent to a central data processing server for analysis and storage. The server can be deployed on-premise or in the cloud.

  3. Threat Detection: The processed data is analysed using machine learning and other detection techniques to identify potential threats and suspicious activity.

  4. Response and Remediation: Once a threat is detected, EDR systems can take action to contain the threat and remediate the affected systems. Actions can include isolating the endpoint, killing malicious processes, or rolling back system changes.


Mac EDR Architecture:

  1. Endpoint Agents: EDR agents are installed on endpoint systems to collect system and user activity data.

  2. Data Processing: The data collected by EDR agents is sent to a central data processing server for analysis and storage. The server can be deployed on-premise or in the cloud.

  3. Threat Detection: The processed data is analyzed using machine learning and other detection techniques to identify potential threats and suspicious activity.

  4. Response and Remediation: Once a threat is detected, EDR systems can take action to contain the threat and remediate the affected systems. Actions can include isolating the endpoint, killing malicious processes, or rolling back system changes.




Options: There are different EDR tools and platforms available for Windows, Linux, and Mac, including:

Anti-Malware protection
  1. Carbon Black: Offers a range of EDR capabilities, including endpoint detection, response, and remediation.

  2. CrowdStrike: Provides cloud-based EDR solutions for Windows, Linux, and Mac operating systems.

  3. Symantec Endpoint Detection and Response: Provides advanced threat detection and response capabilities for Windows and Mac endpoints.

  4. SentinelOne: Offers AI-powered EDR solutions for Windows, Linux, and Mac operating systems.

  5. McAfee Endpoint Security: Provides endpoint detection, response, and remediation capabilities for Windows, Linux, and Mac endpoints.

  6. We can also combine Windows Defender and Velociraptor to make it a cost effective solution.

Each of these EDR solutions has its own architecture, features, and capabilities, so organizations should evaluate their specific needs and requirements before selecting a solution.



392 views0 comments

Comentarios

Obtuvo 0 de 5 estrellas.
Aún no hay calificaciones

Agrega una calificación
bottom of page