EDR: Is It Ok To Install EDR Sensor On EDR Server Instance
EDR Server: All supported Versions
EDR Sensor: All supported Linux Versions
Is It Ok To Install the EDR sensor On To EDR server Machine?
No, we don't recommend to install the EDR sensor on the EDR server machine, which might cause unexpected issues.
Though not every instance will be faced with critical issues, there is still a big chance of encountering unwanted issues under such deployment, if issue happens, the first thing should be disabling the sensor to allow EDR server back to working.
In order to reduce the chance of impact issues, the following instructions should be fully followed:
The server should be completely locked down from outside access. Only outside access should be port 443 for sensor communication. Port 443 goes through a certificate check and nginx reverse proxy to other services;
There should be limited access locally. The admin of the box and admin of the application to reduce activity/access on the box;
There should be no other applications installed on the box. This server is supposed to be dedicated to the EDR application only, this will reduce retention for the outside sensors. The server does a lot of writing as outside sensors take in data, along with the services being long running processes. Linux sensors are always the most chatty in every environment.
Any AV product installed should be excluding /var/cb/data directory to reduce performance decrease and the possibility of corrupting the cores if it touches an index being written in the writer core.