EDR: Is It Ok To Install EDR Sensor On EDR Server Instance

Environment

  • EDR Server: All supported Versions
  • EDR Sensor: All supported Linux Versions

Question

Is it OK to install the EDR sensor on the EDR server machine?

Answer

No, we don't recommend installing the EDR sensor on the EDR server machine, as this might cause unexpected issues.

Additional Notes

Not every instance will face critical issues, but there is still a big chance of encountering unwanted issues under such a deployment. If an issue happens, the first step should be disabling the sensor so that the EDR server can get back to working.

To reduce the chance of impact, the following instructions should be followed in full:
  • The server should be completely locked down from outside access. The only outside access should be port 443 for sensor communication. Port 443 goes through a certificate check and an nginx reverse proxy to other services.
  • Local access should be limited to the admin of the box and the admin of the application, to reduce activity and access on the box.
  • There should be no other applications installed on the box. This server is supposed to be dedicated to the EDR application only; this will reduce retention for the outside sensors. The server does a lot of writing as outside sensors take in data, and its services are long-running processes. Linux sensors are always the most chatty in every environment.
  • Any AV product installed should exclude the /var/cb/data directory, to reduce the performance decrease and the possibility of corrupting the cores if it touches an index being written in the writer core.
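
One way to check the "only port 443 from outside" item is to list TCP listeners that are not bound to loopback and are not on 443. The script below is an added example, not part of the original article or the product; it assumes `ss` from iproute2 is available, and the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the "only port 443 from outside" rule on the EDR server.
# A hit means "review this listener"; a host firewall may still block it.

ALLOWED_PORT=443

# Reads `ss -H -tln` lines on stdin and prints "address port" for each TCP
# listener bound to a non-loopback address on a port other than ALLOWED_PORT.
unexpected_listeners() {
    awk -v allowed="$ALLOWED_PORT" '
        $1 == "LISTEN" {
            sock = $4
            port = sock; sub(/.*:/, "", port)       # text after the last colon
            addr = sock; sub(/:[^:]*$/, "", addr)   # text before the last colon
            gsub(/\[|\]/, "", addr)                 # drop IPv6 brackets
            if (addr ~ /^127\./ || addr == "::1") next   # loopback only
            if (port == allowed) next                    # sensor traffic
            print addr, port
        }'
}

# Constructed sample of `ss -H -tln` output (not taken from a real server).
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 511  0.0.0.0:443      0.0.0.0:*
LISTEN 0 128  0.0.0.0:22       0.0.0.0:*
LISTEN 0 128  127.0.0.1:5432   0.0.0.0:*
LISTEN 0 50   [::]:8080        [::]:*
LISTEN 0 128  [::1]:6379       [::]:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
EOF
}

# Live use on the server: ss -H -tln | unexpected_listeners
sample_ss_output | unexpected_listeners
```

Empty output means every non-loopback listener is on port 443; each printed line should be either closed, rebound to loopback, or confirmed as blocked by the firewall.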

Creation Date: 10-29-2020