App Review Xcitium Advanced with OpenEDR Combined

[Victor M]

How is Kaspersky EDR. Their home AV is great so im curious about their Enterprise.

There is a trial version of Kasperky EDR Optimum. here: Kaspersky Endpoint Detection and Response Optimum | Kaspersky . I don't remember much of the portal interface right now, it was 2 / 3 months ago when I looked at it. Didn't you just get a new laptop? If so, you can test it on your old laptop.

 

[Xeno1234]

There is a trial version of Kasperky EDR Optimum. here: Kaspersky Endpoint Detection and Response Optimum | Kaspersky . I don't remember much of the portal interface right now, it was 2 / 3 months ago when I looked at it. Didn't you just get a new laptop? If so, you can test it on your old laptop.

I know the version people can get that arent in a actual business setup dont have the business's "Enhanced Anti-Malware "

 

[Victor M]

I know the version people can get that arent in a actual business setup dont have the business's "Enhanced Anti-Malware "

It is better that way, you don't want their sales team spamming your inbox incessantly, rushing you to make a purchase decision. Unless something has a very good reputation and I thus really really want to try it, then I give out my company's email address. I only have one business email address, and it is used for both internal mail and external mail. I prefer to keep it uncluttered.

EDIT: you can obtain a 'sole proprietor' business license at a very low cost in most states.

 

[Sandbox Breaker]

Update re: the red team guest Chinese hackers attack
They attacked a few days ago and used a network attack. It affected the LogonUI.exe of Windows, and I couldn't logon. Pretty deadly attack.

So, the solution was to make a containment rule to virtualize logonui.

Hint: don't be afraid to virtualize Windows executables. It is a good defense measure. Test the 'virtualize' containment rule. If it makes Windows malfunction, then change the rule to 'restrict' the windows exe. 'Virtualize' and 'Restrict' has the same effect but does it via different means. That's how the documentation explains it.

However, the current Comodo Internet Security Beta 2024 does not allow you to specify a virtualization rule to virtualize any Windows exe. I am using Xcitium OpenEDR's Comodo Internet Security and it can do that. I made a complaint about 2024 beta in the Comodo forum and they asked me to provide a screenshot, which I did. I explained that I am a current Xcitium EDR customer and if this the direction that their Internet Security is heading towards, then they need to change it. Hopefully they will make the modification.

Xcitium OpenEDR only costs $4 / month postpaid, first month is free. The cost is on par with most consumer AV's. And I encourge everyone to try it. Open EDR is better than Bitdefender EDR and Kaspersky EDR. I have evaluated both. If I weren't using Xcitium OpenEDR, there would be no solution to this attack, because most EDR's only solution is to 'Block', and one cannot block logonui -- Windows wouldn't function.

If you had set good firewall rules they wouldn't be able to connect to logonui. I've defender against many of these smb, RPC and other windows network attacks. Zero trust also needs to be applied on the network stack. I have doubts that your team actually succeeded.

 

[Victor M]

I have doubts that your team actually succeeded.

Firewalls obstruct only some hackers.

I saw logonui.exe appear on my Xclitium EDR alerts several times that day within a 2 hr time frame. Logonui had never showed up as an alert before. Xcitium generates alerts for suspicious invocations. The process tree is 5 levels deep, definitely not normal. And if I remember correctly, logonui does not normally show up in process explorer, after you logon, it quits. So the combination of logonui showing up as an Xcitium alert, and the fact that I could no longer logon (gives error msg) , on this test machine with no other software to create problems, I'd confidently say they have succeeded.

 

[Victor M]

Since this thread is on product reviews, I would like remind readers that there is No Such Thing as 100% perfect security. Technical defenses, which include firewalls, AV's, IPS etc can all be defeated given enough time and effort. And hackers have that advantage.

And then, take into consideration that this is a white box test - my red team ( and the guest ) knows exactly what defenses I have. And they correctly chose a Network based attack, without using any malware which would be virtualized by Xcitium OpenEDR.

An important defense layer is having backups. This is your last layer of defense. One must always have backups. And this attack on logonui is the perfect example, I can not login.

The solution is restore from image backup, and then vritualizing logonui.exe in Xcitium's Auto Containment Rules. The solution was simple, figured it out and completed in 20 mins.

The guest hacker then attacked again, and this time, the attack failed.

For those readers who are new, the red team and I play this game constantly. The aim is to find the holes in our security and then fix them, in preparation for the Real Thing.

I am adding this post to illustrate that Xcitium OpenEDR is configurable, and can be adapted to defend against new attacks. Xcitium OpenEDR s a nice tool. Other AV's defenses cannot be configured. The AV would let you choose what to scan, what to exclude etc, but you cannot add new definitions to it. You have to wait till the vendor adds a capabiltiy, so, in the mean time, when you are under attack, what do you do?

 

[Nikola Milanovic]

Machine Learning:Highly Suspicious

The Size Of Raw data is valued illegal! Binary might crash your disassembler/debugger

 

[lyldz]

I want to ask you something off-topic.

Will the interface get an update in 2024?



Or will it continue with the old interface from 2023 and before?

 

[Victor M]

I think the OpenEDR portal got an upgrade last Nov/Dec 2023. They seem to be constantly improving it. Last week, they released ver 13 of Xcitium Client Security / CIS , but, it does not officially support Win 11 23H2 yet.

 

[Nikola Milanovic]

The uploaded file looks like a malicious file
All detectors clean

 

[Xeno1234]

I have an interesting question.
If I paid Xcitium with another AV (like Kaspersky or Harmony), would the other AV’s BB work on things in containment?

 

[lyldz]

I think the OpenEDR portal got an upgrade last Nov/Dec 2023. They seem to be constantly improving it. Last week, they released ver 13 of Xcitium Client Security / CIS , but, it does not officially support Win 11 23H2 yet.

can you look at this..

I installed the app to give it a second chance and although EDR is active in the profile settings, the second picture shows it as inactive.

I uninstalled and reinstalled the plugin and my problem is not solved.edr is active under licenses now.it was also active in my first installation.

 

[Nikola Milanovic]

can you look at this..

I installed the app to give it a second chance and although EDR is active in the profile settings, the second picture shows it as inactive.

View attachment 280953

View attachment 280954



I uninstalled and reinstalled the plugin and my problem is not solved.edr is active under licenses now.it was also active in my first installation.

You use Xcitium nice but im sure the problem will be solved soon