Advanced Security Victor M BitDefender EDR test box Config

Last updated
Nov 25, 2023
How it's used?
For home and private use
Operating system
Windows 11
On-device encryption
N/A
Log-in security
    • Biometrics (Windows Hello PIN, TouchID, Face, Iris, Fingerprint)
Security updates
Allow security updates
Update channels
Allow stable updates only
User Access Control
Always notify
Smart App Control
Off
Network firewall
Enabled
About WiFi router
ISP supplied modem/router
Real-time security
BitDefender EDR (free 1 month)
Comodo Firewall 2024 beta (free)
WDAC
Firewall security
Other - Internet Security (3rd-party)
About custom security
Microsoft Security Baseline for Windows 11 23H2 (free)
Periodic malware scanners
Windows Defender
Malware sample testing
I do not participate in malware testing
Environment for malware testing
N/A
Browser(s) and extensions
MS Edge with uBlock Origin
Secure DNS
Quad9
Desktop VPN
N/A
Password manager
Test box - not used for surfing
Maintenance tools
none
File and Photo backup
manual
System recovery
Macrium Reflect
Risk factors
    • Working from home
Computer specs
HP 14 series Laptop
What I'm looking for?

Looking for medium feedback.

Victor M

Level 8
Thread author
Verified
Well-known
Oct 3, 2022
380
Hello Everybody,

This is my new BitDefender Endpoint Detection Response (EDR) test box (free trial, 1 month).

It has the usual executive summary - which includes: Modules Installed, Risk Score, Incident Status, Top 5 Blocked Threats ...
[image: BD Executive Summary.gif]


The client/agent has no features to toggle or play with, so I won't show it here.

It has an Incidents section.
[image: Incidents.gif]

And here is a screenshot of a real incident.
[image: real incident.gif]

Here is a screenshot of all my machines (1), located in Network menu.

[image: Network.gif]

And here is where you add modules to the agent: from Network, check the machine, click the Task button at the top, and choose Reconfigure Agent.
The Advanced Anti-Exploit module is not part of the default configuration of an agent and must be manually added this way.
[image: Network>Reconfigure Agent.gif]



I find that BitDefender EDR's native detection rules don't detect much. So I added my own rules, at Incident > Custom Detection Rules. It basically adds a detection rule by keyword.

BitDefender EDR, like all EDRs, is primarily an anti-malware. When its arsenal can't stop an attack, the EDR portion has one more weapon, and that is the EDR's block list. It can block a file by file hash.
However, if the attacker is using a Windows native tool, like compattelagent.exe as shown in the screenshot above, there isn't much it can do if you can't block it. So you NEED other layers of defense.
I have chosen Comodo Firewall with its Auto Containment and Host Intrusion Detection System as my second layer, and used the HIDS to contain compattagent.exe. I haven't noticed any Windows malfunction so far.
In order to use Comodo Firewall, I removed BitDefender's firewall module, because having two firewalls, each with its own rules, is a cause for confusion. This was done using the above Reconfigure Agent task.
 
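Added example (editor's addition, not code from Victor M's post or from Bitdefender): the post's point is that a hash block list is the wrong tool against a native Windows binary. The script below takes the binary names exactly as they appear in this thread (including the bot reply's mmc.exe and the second post's cmd and PowerShell), records for each one the SHA256 a block list would key on and its Authenticode signer, and then runs a keyword-style hunt over local process-creation events, which is the same idea as the thread's "detection rule by keyword" done on the endpoint itself. Every hash belongs to a Microsoft-signed OS component that is replaced by each cumulative update, so a hash block is either broken immediately or breaks Windows; that is why the post reaches for containment instead. Assumptions: elevated Windows PowerShell 5.1 or later on Windows 11; any name not present on the box is reported as NotFound; Security event 4688 only exists if "Audit Process Creation" is enabled, and the CommandLine field is empty unless command-line auditing is also on.

```powershell
# Added example, not from the thread or from Bitdefender.
# Assumptions: elevated Windows PowerShell 5.1+ on Windows 11;
# Security 4688 requires "Audit Process Creation" to be enabled.

# Names exactly as written in the thread (both spellings the author used),
# plus the bot reply's mmc.exe and the second post's cmd / PowerShell.
$NativeTools = @('compattelagent.exe', 'compattagent.exe', 'mmc.exe', 'cmd.exe', 'powershell.exe')
$SearchRoots = @(
    "$env:SystemRoot\System32",
    "$env:SystemRoot\SysWOW64",
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0"
)

# What a hash block list would have to key on, and who signed the file.
function Get-NativeToolReport {
    param([string[]]$Names = $NativeTools, [string[]]$Roots = $SearchRoots)
    foreach ($name in $Names) {
        $hits = foreach ($root in $Roots) {
            $path = Join-Path $root $name
            if (Test-Path -LiteralPath $path) { $path }
        }
        if (-not $hits) {
            [pscustomobject]@{ Name = $name; Path = $null; SHA256 = $null; Signature = 'NotFound'; Signer = $null }
            continue
        }
        foreach ($path in $hits) {
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            [pscustomobject]@{
                Name      = $name
                Path      = $path
                SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                Signature = $sig.Status                     # Valid on an intact OS binary
                Signer    = $sig.SignerCertificate.Subject  # Microsoft Windows publisher cert
            }
        }
    }
}

# Keyword-style hunt over local process-creation events (Security 4688):
# the endpoint-side equivalent of the thread's "rule by keyword".
function Find-NativeToolLaunches {
    param([string[]]$Names = $NativeTools, [int]$MaxEvents = 5000)
    $pattern = ($Names | ForEach-Object { [regex]::Escape($_) }) -join '|'
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Process = $data['NewProcessName']
                Parent  = $data['ParentProcessName']   # populated on Windows 10 and later
                CmdLine = $data['CommandLine']         # empty unless command-line auditing is on
            }
        } |
        Where-Object { $_.Process -match "\\($pattern)$" }
}

Get-NativeToolReport   | Format-Table -AutoSize
Find-NativeToolLaunches | Format-Table -AutoSize
```

Run it once after a cumulative update and compare the SHA256 column with the previous run: the values change while the Signer column does not, which is exactly the property a hash block list cannot cope with and a publisher- or path-based control such as WDAC or HIPS containment can.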

Bot

AI-powered Bot
Verified
Apr 21, 2016
3,460
Hello!

Congratulations on setting up your new BitDefender Endpoint Detection Response (EDR) test box! It's great that you are taking the time to explore and customize the features of BitDefender EDR.

It's interesting to hear that you have found the native detection rules of BitDefender EDR to be less effective in detecting threats. Adding your own custom detection rules is a smart approach to enhance the detection capabilities of the software. This way, you can tailor the rules to your specific needs and increase the chances of catching any potential threats.

You mentioned that BitDefender EDR is primarily an anti-malware solution, and when it fails to stop an attack, it relies on its block list to prevent files with known malicious hashes from executing. However, you rightly pointed out that if an attacker is using a Windows native tool like mmc.exe, blocking it becomes challenging. In such cases, having additional layers of defense is crucial.

By choosing Comodo Firewall with Auto Containment and Host Intrusion Detection as your second layer of defense, you are taking a proactive approach to protect your system. Comodo Firewall's Auto Containment feature isolates unknown or suspicious files in a secure environment, preventing them from causing harm to your system. Host Intrusion Detection further enhances the security by monitoring and analyzing system behavior for any signs of intrusion or malicious activity.

Having multiple layers of defense is a recommended strategy in the cybersecurity world, as it increases the chances of catching and mitigating threats before they can cause significant damage. It's great to see that you are implementing this approach in your setup.

If you have any specific questions or need further assistance with your BitDefender EDR or Comodo Firewall setup, feel free to ask.
 
  • Like
Reactions: [correlate]

Xeno1234

Level 14
Jun 12, 2023
699
Victor M said:
I find that BitDefender EDR's native detection rules don't detect much. So I added my own rules, at Incident > Custom Detection Rules.
What rules did you add?
 
  • Like
Reactions: [correlate]

Victor M

Level 8
Thread author
Verified
Well-known
Oct 3, 2022
380
Forgot to mention I also have WDAC active. That eliminates any foreign files, malware, and hacker tools. Plus, if WDAC didn't function as planned, I still have CF Auto Containment, which should kick into action. So I am forcing the attackers to use LOLBins.

And now I have newly added CF HIPS containment rules for some LOLBin files that were revealed in attacks, as well as cmd and PowerShell. If I do need to use PowerShell, I unplug the ethernet and disable HIPS containment for PowerShell. And when I am done, I re-enable HIPS, then plug the ethernet back in.

Drive image backups are done while offline, and generations of drive images are kept. So if I mistakenly back up an infected/hacked machine state, I have previous drive images to fall back upon.

Administrative controls. Can't rely on tech controls alone.

Also, I forgot to mention that the machine is hardened: absolute minimum services running and zero unneeded network protocols.
 
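Added example (editor's addition, not code from Victor M's post, Comodo or Microsoft): the post above rests on three claims that can be checked on the box itself rather than taken from a console: that WDAC is actually enforcing (a loaded policy in audit mode blocks nothing), that almost nothing is listening on the network, and that only the protocols the box needs are still bound to its adapters. The script reads the WDAC state from the Win32_DeviceGuard CIM class, lists TCP listeners and UDP endpoints with the owning process and any services hosted in it (several services share one svchost.exe, so the PID alone is not enough), counts running services, and flags every adapter binding other than IPv4/IPv6. Assumptions: elevated Windows PowerShell 5.1 or later on Windows 11; the component IDs named in the comments are Windows' own identifiers for the bindings that are most often switched off.

```powershell
# Added example, not from the thread, Comodo or Microsoft.
# Assumption: elevated Windows PowerShell 5.1+ on Windows 11.

function Get-WdacState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # Enforcement status values: 0 = off, 1 = audit mode, 2 = enforced.
    # Only "Enforced" gives the "eliminates any foreign files" effect; "Audit" just logs.
    $label = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
    [pscustomobject]@{
        KernelModeCI = $label[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        UserModeCI   = $label[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
    }
}

function Get-ListeningEndpoints {
    $tcp = Get-NetTCPConnection -State Listen | ForEach-Object {
        [pscustomobject]@{ Proto = 'TCP'; Address = $_.LocalAddress; Port = $_.LocalPort; PID = $_.OwningProcess }
    }
    $udp = Get-NetUDPEndpoint | ForEach-Object {
        [pscustomobject]@{ Proto = 'UDP'; Address = $_.LocalAddress; Port = $_.LocalPort; PID = $_.OwningProcess }
    }
    foreach ($e in (@($tcp) + @($udp))) {
        $proc = Get-Process -Id $e.PID -ErrorAction SilentlyContinue
        # Several services share one svchost.exe, so resolve the PID to service names as well.
        $svc  = Get-CimInstance Win32_Service -Filter "ProcessId = $($e.PID)" | Select-Object -ExpandProperty Name
        $e | Add-Member -NotePropertyName Process  -NotePropertyValue $proc.ProcessName -PassThru |
             Add-Member -NotePropertyName Services -NotePropertyValue ($svc -join ',') -PassThru
    }
}

function Get-EnabledAdapterBindings {
    # Anything beyond ms_tcpip / ms_tcpip6 is what "unneeded network protocols" usually means:
    # ms_server (file and printer sharing), ms_msclient (client for MS networks),
    # ms_lltdio / ms_rspndr (link-layer topology discovery), ms_lldp, ms_pacer (QoS).
    $core = 'ms_tcpip', 'ms_tcpip6'
    Get-NetAdapterBinding | Where-Object Enabled |
        Select-Object Name, DisplayName, ComponentID,
            @{ n = 'Extra'; e = { $_.ComponentID -notin $core } }
}

Get-WdacState | Format-List
Get-ListeningEndpoints | Sort-Object Proto, Port | Format-Table -AutoSize
Get-EnabledAdapterBindings | Format-Table -AutoSize
"Running services: $((Get-Service | Where-Object Status -eq 'Running').Count)"
```

Two readings matter: UserModeCI must say Enforced, not Audit, for WDAC to do what the post relies on; and any Extra = True row in the bindings table, or any listener whose Services column shows a service the box does not need, is a protocol or service still exposed despite the hardening.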

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats.