Environment
- EDR Server: 7.x
- EDR Sensor: 6.x
- Microsoft Windows: All Supported Versions
Symptoms
Server logs indicate that sensors are sending thousands of ksubmits, but only a handful of tamper alerts are generated.
Cause
Unknown noise sent from older sensor versions
Resolution
Upgrade the sensor to version 7.x or higher.
Additional Notes
- Many improvements to tamper events have been made in the 7.x sensor and server versions.
- Tamper events are shown as ksubmits in Nginx access logs.
- If alerts are being received for all events, the tamper events could be related to a third-party AV scanner.
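One way to confirm the symptom from the server side, as an added example that is not the vendor's own tooling: count requests whose URI contains ksubmit per client address in an Nginx access log. It assumes the default "combined" log format; the function names, sample lines, addresses and request paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: count ksubmit requests per client in an Nginx access log.
# Assumption: default "combined" log format, where the client address is the
# first field and the request line is the first double-quoted field.

# ksubmit_counts: read access-log lines on stdin and print "<count> <client>",
# noisiest client first. Only the request URI is matched, so "ksubmit"
# appearing in a referer or user-agent string is not counted.
ksubmit_counts() {
    awk -F'"' '
        {
            split($2, req, " ")              # req[2] = request URI
            if (index(req[2], "ksubmit") == 0) next
            split($1, pre, " ")              # pre[1] = client address
            n[pre[1]]++
        }
        END { for (c in n) print n[c], c }
    ' | sort -k1,1nr -k2,2
}

# noisy_clients: print clients with at least $1 ksubmit requests, so the
# sensors behind them can be checked against the 6.x/7.x version split.
noisy_clients() {
    ksubmit_counts | awk -v t="$1" '$1 >= t { print $2 }'
}

# Constructed sample lines (documentation-range addresses, hypothetical paths).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "POST /example/ksubmit HTTP/1.1" 200 0 "-" "-"
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "POST /example/ksubmit HTTP/1.1" 200 0 "-" "-"
192.0.2.10 - - [01/Jan/2024:10:00:02 +0000] "POST /example/ksubmit HTTP/1.1" 200 0 "-" "-"
192.0.2.20 - - [01/Jan/2024:10:00:03 +0000] "POST /example/ksubmit HTTP/1.1" 200 0 "-" "-"
192.0.2.20 - - [01/Jan/2024:10:00:04 +0000] "POST /example/checkin HTTP/1.1" 200 0 "-" "-"
192.0.2.30 - - [01/Jan/2024:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 0 "-" "ksubmit-test"
EOF
}

# Stand-alone run over the constructed sample.
sample_log | ksubmit_counts
```

To run it against a real log, pipe the access log file into `ksubmit_counts` and compare the per-client totals with the number of tamper alerts generated for the same sensors.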