EDR: Sensors sending thousands of tamper events with few alerts

By CB_Support posted Apr 07, 2021 11:40 PM

  

Environment

  • EDR Server: 7.x
  • EDR Sensor: 6.x 
  • Microsoft Windows: All Supported Versions

Symptoms

Server logs indicate that sensors are sending thousands of ksubmits, but only a handful of tamper alerts are generated.

Cause

Unknown noise sent from older sensor versions.

Resolution

Upgrade to sensor version 7.x or higher.

Additional Notes

  • Many improvements to tamper events have been made in the 7.x sensor and server versions.
  • Tamper events are shown as ksubmits in Nginx access logs.
  • If alerts are being received for all events, the tamper events could be related to a third-party AV scanner.
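
To confirm the symptom and see which endpoints produce the volume, the ksubmit requests in the Nginx access log can be counted per client address. The script below is an added example, not Carbon Black code. It assumes Nginx's default "combined" log format and that the string "ksubmit" appears in the request path; the URL paths and addresses in the sample log are constructed placeholders.

```python
import re
from collections import Counter

# Leading fields of Nginx's default "combined" access-log format (assumed format).
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def ksubmits_per_client(lines, marker="ksubmit"):
    """Return (Counter of marker requests per client address, unparsed line count)."""
    counts, unparsed = Counter(), 0
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            unparsed += 1  # truncated or non-combined line: count it, do not guess
        elif marker in m.group("path").lower():
            counts[m.group("client")] += 1
    return counts, unparsed

def noisy_clients(counts, threshold):
    """Clients at or above the threshold, busiest first."""
    hits = [(c, n) for c, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda cn: (-cn[1], cn[0]))

def sample_log():
    """Constructed log: URL paths and addresses are placeholders, not real EDR URLs."""
    fmt = '{ip} - - [07/Apr/2021:23:40:00 +0000] "POST {path} HTTP/1.1" 200 0 "-" "-"'
    lines = [fmt.format(ip="192.0.2.10", path="/EXAMPLE/ksubmit/1")] * 3000
    lines += [fmt.format(ip="192.0.2.11", path="/EXAMPLE/ksubmit/2")] * 4
    lines += [fmt.format(ip="192.0.2.11", path="/EXAMPLE/checkin/2")] * 50
    lines.append('192.0.2.12 - - [07/Apr/2021:23:40:01 +0000] "POST /EXA')  # truncated
    return lines

if __name__ == "__main__":
    counts, unparsed = ksubmits_per_client(sample_log())
    for client, n in noisy_clients(counts, threshold=1000):
        print(f"{client}\t{n} ksubmits")
    print(f"unparsed lines: {unparsed}")
```

If sensors reach the server through NAT or a proxy, one client address can represent several sensors, so treat a noisy address as a starting point for finding the 6.x sensors behind it.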
