Serious Discussion Comodo Endpoint Detection and Response (EDR) is now open source!

vaccineboy

Level 3
Thread author
Verified
Well-known
Sep 5, 2018
125
Melih, Comodo's CEO, has just announced Comodo Endpoint Detection and Response (EDR) is now open source.

Deploy Free Open EDR® To:​

  • Enable continuous and comprehensive endpoint monitoring
  • Correlate and visualize endpoint security data
  • Perform malware analysis, anomalous behavior tracking, and in-depth attack investigations
  • Enact remediations and harden security postures to reduce risk on endpoints
  • Stop attempted attacks, lateral movement, and breaches
The creators of Open EDR® steadfastly believe that Endpoint Detection Response should never be accessible only to the privileged, and that a fundamental cybersecurity stack must become a right. By offering this innovative source code for free, all financial barriers to expensive EDR solutions are eliminated, and this foundational technology is recast as a bona fide ‘right.' Claim your right to Open EDR® security today.
OpenEDR is free and its source code is open to the public. OpenEDR allows you to analyze what’s happening across your entire environment at the base-security-event level. This granularity enables accurate root-causes analysis needed for faster and more effective remediation. Proven to be the best way to convey this type of information, process hierarchy tracking provides more than just data, they offer actionable knowledge. It collects all the details on endpoints, hashes, and base and advanced events. You get detailed file and device trajectory information and can navigate single events to uncover a larger issue that may be compromising your system.

OpenEDR’s security architecture simplifies breach detection, protection, and visibility by working for all threat vectors without requiring any other agent or solution. The agent records all telemetry information locally and then will send the data to locally hosted or cloud-hosted ElasticSearch deployments. Real-time visibility and continuous analysis are vital elements of the entire endpoint security concept. OpenEDR enables you to perform analysis into what's happening across your environment at base event level granularity. This allows accurate root cause analysis leading to better remediation of your compromises. Integrated Security Architecture of OpenEDR delivers Full Attack Vector Visibility including MITRE Framework.
Now I don't fully comprehend the significance of EDR as well as this event. Will it benefit home users in anyway?
Hopefully everyone can chime in. Cheers!
 
F

ForgottenSeer 98186

F

ForgottenSeer 97327

It seems they are using their free EDR as a marketing instrument for their endpoint protection software. It has a lot of predefined rules to get alerts in the EDR console. Entertaining video of Xcitium. In Gartner reports it seems that Comodo had a hard time in the <50 million company size market. Few big names (Microsoft, McFee and Symantec) and a few Customer's choice players (like Trend Micro, Sophos, CrowdStrik, SentenilOne and ESET) dominated that market segment. The medium liked/endorsed players, which are second tier in that segment, are big names in the antivirus-network-server-(hardware)firewall players.This fremium strategy could bring them in range with other third-tier players in that segment like MalwareBytes, Panda and WebRoot.

1675668910942.png

Let's hope for the fanboys and fangirls, that this change of strategy pays off, otherwise the announced updates in the "Comodo rise from the dead" thread. might well be Comodo's last convulsion.
 
Last edited by a moderator:

Victor M

Level 7
Verified
Well-known
Oct 3, 2022
343
I have played around with OpenEDR for about a week now.

Endpoint Detection and Response is good to have because it checks Event Viewer and filters out important events and raises Alerts for you.

When you first sign in, a dialog gives you the link to download the Connection Manager. Just install this and you are good. To install this you have to temporarily turn off Cyber Lock/VoodooShield - don't do this while online. The installation will finish with a notification that it did not successfully enroll - just reboot the PC and CyberLock will be active again and Connection Manager will still automatically enroll.

Then after you installed Connection Manager, Head over to Assets > Devices. Your PC name will appear in the list. Checkmark that and click on Install or Manage Packages, A pull down menu will give you the choice to Install Additional Xcitium Packages. Then Checkmark Xcitium Client Security and Xcitium Client EDR. I did not select to install Client Security, which is Comodo Internet Security, because MS Defender is just as good at detecting non-0day malware. Comodo Internet Security does have some nifty features like Auto Containment and HIPs. (host intrusion prevention) .

It will push install the packages you selected and reboot in 5 mins.

Then go to Assets > Devices. There you will see lines for each PC, with green icons for components you have installed.

Then you can look at Dashboard > Compliance. This will give a some nice graphs of the components active on each PC, number of malware encountered etc.

Now head over to Dashboard > Endpoints. There you will see Total Alerts. You can click on that number and it will bring you to Security > Alerts.
For each alert listed here, you can click on the > symbol on the left and it will expand it. After you have checked out each alert, you can checkmark it at the end of the line and click on Close Alert Button.
The kind of alerts I get are 'Binary executing from Temp directory' and 'Installation of driver' and ' 'Write to executable'. These happen to be important to me, as I have an exploited Bell modem and the attacker has a permanent PC in my LAN which I can't get rid of. And he can send over malware drivers. Thanks to the Alerts details, I have pinpointed a DrvInst.exe in Windows, and I have created a WDAC block rule to stop it from executing (Windows Defender Application Control Wizard) .

If you want to see more details of an Alert. Expand the > and copy the adaptive_event_type (including the quotes) . Then click on Security > Investigate. Then for Query Fields, you click on the blue button besides Adaptive Event Name. Then click on the query line and paste in the event and click Search. In the search results, you will then get to see the Process Parent.

If you want to opt out of some Comodo Internet Security, like the firewall. You can go to Assets > Configuration Templates. It will bring you to the Profiles page. Click Create, and select Create Windows Profile.
Then go to Assets > Devices and click on the PC name ( not Checkmark the box ) Then click on Manage Profile. Then Add Profile. Checkmark the profile and click Add.
Now go back to Assets > Devices. Click on the PC name and click on Manage Profile. Then click on the profile name. There you will see menu items listed for Client Access Control, Firewall, HIPs and Containment. Click on the one you want to change/disable/enable, make your changes and click Save.
In the Firewall section, you can also change the firewall rules.
Note that the Auto Containment is by default OFF, you can change that in the Containment section.
Client Access Control has a setting on the bottom to Allow user to Override profile configuration, which could be helpful if you want to disable Comodo Internet Security features on the client PC instead of thru OpenEDR.

Because OpenEDR only keeps logs for 3 days, I would keep it open in your browser, maybe pin it if you use Firefox. I trust you will look at Dashboard > Endpoint > Total Alerts every day to address alerts as they arrive.

Another good thing about this OpenEDR is that you can't delete any alerts. Even if it is a closed alert it will remain visible. Thus an attacker who has your OpenEDR password cannot delete an alert from you.

Also in Security > Alerts, you can change the query by choosing a 'Mitre Tactic'.and clicking Apply button. Mitre Att&ck is a comprehensive attack categorizing scheme and list known hacker tactics and various means of accomplishing them. MITRE ATT&CK®

Do you have an exploited modem? These exploits have been around for several years, And I have seen it at work for both DSL and cable modems. You will never know for sure until you have done an nmap for your home LAN. After all, you think you can just walk around the house and count network devices but you never thought of doing a scan for unknown devices.
 
Last edited:

Victor M

Level 7
Verified
Well-known
Oct 3, 2022
343
I should add that hackers do not rely on malware that is detectable by common AV's. They test their tools against common AV's to make sure that they are not detectable before deploying them. So if you are relying on your anti-malware to stop hackers you will be defeated every time. My 'red team' has never used a tool that my various big name AV's could detect. Examples are remote access tools and windows features disruption tools. That is where an EDR like Comodo's OpenEDR comes in. Windows events record everything. It's just that the major AV's don't identify them as suspicious. But a human can see that something sticks out and shouldn't be happening. An example is a 'Write to executable' event (create exe) or a 'Binary executing from Temp directory' event happening when you did not install anything. AV's won't blink but a human will know something is wrong. And EDR's has the comprehensive Mitre Att&ck hacker tactics covered. It filters Windows events and raises Alerts for you to review and decide upon. Most importantly, it clues in that your defenses has a hole and you need to address it. If you are serious about security, you should have an EDR tool - it is an essential layer of defense.
 
Last edited:

Victor M

Level 7
Verified
Well-known
Oct 3, 2022
343
One thing that OpenEDR did not advertise is that the Auto Containment works with their firewall. A contained/virtualized app cannot talk thru the firewall if the firewall is set to 'Safe Mode'. So a contained malware/hacking tool cannot communicate with the hacker.
 
F

ForgottenSeer 100397

I don't have experience with business products. Can you download and install Comodo Internet Security from the (Free) EDR console? If so, can you install only the Comodo Firewall? Is it possible to use Comodo Firewall Standalone (like the Home edition) on your system without the EDR console? For example, by disabling the console or policies, i.e., not using the console.

I tried, but it seems impossible.
 
Last edited by a moderator:

Victor M

Level 7
Verified
Well-known
Oct 3, 2022
343
Hi @rhythm

You will have to install the Endpoint Manager first ( the first dialog box that gives you a link) . Then go to Assets > Devices, checkmark the PC, then click 'Install or Manage Packages', 'Install Additional Xcitium Packages'. Then checkmark install Client - Security. ( which is Comodo Internet Security) , it will be pushed to your PC. Then uninstall the Endpoint Manager from Programs and Features. From this point on, you won't need the console anymore.

Then after Comodo is installled, you can turn off the features you don't need, like HIPS.
 
Last edited:
F

ForgottenSeer 100397

@Victor M

Yesterday, I gave Comodo EDR a try. When I tried to uninstall Endpoint Manager from Programs and Features, it failed. So, I had to uninstall it from the console, which also uninstalled Client - Security.
 
  • Like
Reactions: Nevi

Victor M

Level 7
Verified
Well-known
Oct 3, 2022
343
One thing that Auto Containment does NOT stop is Living off the Land attacks. Auto Containment fires up when there is a new unknown exe or when a rarely used Windows exe runs ( for example ROUTE.exe ) .

A Living off the Land attack uses native windows exe's and my red team used BitLocker to encrypt my drive image backup partition. So when I boot up the Macrium Rescue DVD, it could not read the backup partition rendering that backup useless. Of course, I had the image further backed up to my portable HDD so it wasn't a totally un-salvageable situation. So anyways, this illustrates the Living off the Land Attack concept.

@rhythm

You have to go to Assets > Configuration Templates. Clone the template you are using. ( maybe you are using the default template) Then click on the cloned template name and make it the Default. Then on the same page click on 'Add Profile Section' to add 'Client Access Control'. Modify that client access control and fill in all the passwords, and also checkmark 'Enable local users to override ...' at the bottom of the same client access control. Save the changes. After OpenEDR syncs with your PC, you will be able to uninstall Endpoint Manager when it asks for password; thus keeping Comodo Internet Security intact on your PC without any links to Xicitium.

My answer to the above Living off the Land attack was to block all instances of the BitLocker exe's using WDAC ( Windows Defender Application Control) . They reside in System32 and sub directories of WinSXS. You can also do it with SRP.
 
F

ForgottenSeer 100397

@rhythm

You have to go to Assets > Configuration Templates. Clone the template you are using. ( maybe you are using the default template) Then click on the cloned template name and make it the Default. Then on the same page click on 'Add Profile Section' to add 'Client Access Control'. Modify that client access control and fill in all the passwords, and also checkmark 'Enable local users to override ...' at the bottom of the same client access control. Save the changes. After OpenEDR syncs with your PC, you will be able to uninstall Endpoint Manager when it asks for password; thus keeping Comodo Internet Security intact on your PC without any links to Xicitium.
Yes, I didn't check the config. I'll make the changes when I use EDR again. Thank you!
 

Victor M

Level 7
Verified
Well-known
Oct 3, 2022
343
"The whole point of EDR is for an admin to sit there and continually watch it:"

That's a point which I disagree with.
It becomes necessary to frequently monitor only when you sense you are under attack. When under hacker attack it is indispensable.

Also you are not paying extra for a tool which you don't frequently use - it has the price of an anti-virus. So why not have the extra capability for when you Do need it.

And most MalwareTips users think automatically of malware when something is wrong, when they may be really under a hacker attack. It's hard to tell unless you look into it. That's what an EDR enables you to do. "What you don't know is what you don't know".

So you learn, that's what we came here to do - learn security.
 
Last edited:
  • Like
Reactions: simmerskool

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top