I have played around with OpenEDR for about a week now.
Endpoint Detection and Response is good to have because it checks Event Viewer and filters out important events and raises Alerts for you.
When you first sign in, a dialog gives you the link to download the Connection Manager. Just install this and you are good. To install this you have to temporarily turn off Cyber Lock/VoodooShield - don't do this while online. The installation will finish with a notification that it did not successfully enroll - just reboot the PC and CyberLock will be active again and Connection Manager will still automatically enroll.
Then after you installed Connection Manager, Head over to Assets > Devices. Your PC name will appear in the list. Checkmark that and click on Install or Manage Packages, A pull down menu will give you the choice to Install Additional Xcitium Packages. Then Checkmark Xcitium Client Security and Xcitium Client EDR. I did not select to install Client Security, which is Comodo Internet Security, because MS Defender is just as good at detecting non-0day malware. Comodo Internet Security does have some nifty features like Auto Containment and HIPs. (host intrusion prevention) .
It will push install the packages you selected and reboot in 5 mins.
Then go to Assets > Devices. There you will see lines for each PC, with green icons for components you have installed.
Then you can look at Dashboard > Compliance. This will give a some nice graphs of the components active on each PC, number of malware encountered etc.
Now head over to Dashboard > Endpoints. There you will see Total Alerts. You can click on that number and it will bring you to Security > Alerts.
For each alert listed here, you can click on the > symbol on the left and it will expand it. After you have checked out each alert, you can checkmark it at the end of the line and click on Close Alert Button.
The kind of alerts I get are 'Binary executing from Temp directory' and 'Installation of driver' and ' 'Write to executable'. These happen to be important to me, as I have an exploited Bell modem and the attacker has a permanent PC in my LAN which I can't get rid of. And he can send over malware drivers. Thanks to the Alerts details, I have pinpointed a DrvInst.exe in Windows, and I have created a WDAC block rule to stop it from executing (Windows Defender Application Control Wizard) .
If you want to see more details of an Alert. Expand the > and copy the adaptive_event_type (including the quotes) . Then click on Security > Investigate. Then for Query Fields, you click on the blue button besides Adaptive Event Name. Then click on the query line and paste in the event and click Search. In the search results, you will then get to see the Process Parent.
If you want to opt out of some Comodo Internet Security, like the firewall. You can go to Assets > Configuration Templates. It will bring you to the Profiles page. Click Create, and select Create Windows Profile.
Then go to Assets > Devices and click on the PC name ( not Checkmark the box ) Then click on Manage Profile. Then Add Profile. Checkmark the profile and click Add.
Now go back to Assets > Devices. Click on the PC name and click on Manage Profile. Then click on the profile name. There you will see menu items listed for Client Access Control, Firewall, HIPs and Containment. Click on the one you want to change/disable/enable, make your changes and click Save.
In the Firewall section, you can also change the firewall rules.
Note that the Auto Containment is by default OFF, you can change that in the Containment section.
Client Access Control has a setting on the bottom to Allow user to Override profile configuration, which could be helpful if you want to disable Comodo Internet Security features on the client PC instead of thru OpenEDR.
Because OpenEDR only keeps logs for 3 days, I would keep it open in your browser, maybe pin it if you use Firefox. I trust you will look at Dashboard > Endpoint > Total Alerts every day to address alerts as they arrive.
Another good thing about this OpenEDR is that you can't delete any alerts. Even if it is a closed alert it will remain visible. Thus an attacker who has your OpenEDR password cannot delete an alert from you.
Also in Security > Alerts, you can change the query by choosing a 'Mitre Tactic'.and clicking Apply button. Mitre Att&ck is a comprehensive attack categorizing scheme and list known hacker tactics and various means of accomplishing them.
MITRE ATT&CK®
Do you have an exploited modem? These exploits have been around for several years, And I have seen it at work for both DSL and cable modems. You will never know for sure until you have done an nmap for your home LAN. After all, you think you can just walk around the house and count network devices but you never thought of doing a scan for unknown devices.
www.openedr.com
github.com
