
EDR: What Known Modloads are Filtered when the Feature is Enabled?

Environment

  • EDR: All Primary Servers
  • EDR: Sensors
    • Mac: All supported versions
    • Windows: All supported versions

Question

What 'known modloads' are filtered when the feature is enabled to improve performance and retention?

Answer

a) For Mac, the dyld_cache entries under /var/db/dyld.
b) For Windows, the known modloads filtered are listed in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs

Additional Notes

  • Filtering known modloads can be enabled under Sensor Group Settings > Advanced.
  • Modloads from KnownDLLs (Windows) and the dyld cache (macOS) will no longer be collected once the filter is enabled.
  • Enabling the known modloads filter should align with the company's security policies.
  • Enabling the known modloads filter should reduce the overall size of future process docs and increase retention.
  • All other events are still collected; this setting should have only a marginal impact on the ability to perform detection.
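Before enabling the filter, an analyst usually wants to know how much modload volume it will actually remove and which events will still be visible. The script below is an added example and is not part of the KB article or the EDR product: it reads the KnownDLLs key named above via winreg when run on Windows (otherwise it uses a constructed stand-in, labelled as such), then counts how many sample modload events would be dropped. The matching rule it applies (basename in KnownDLLs and loaded from a KnownDLLs directory) is an assumption for illustration; the article does not state how the sensor itself decides.

```python
"""Estimate the retention impact of the 'filter known modloads' setting.

Added example, not code from the KB article or the EDR sensor. The matching
rule in is_known_modload() is an assumption made for illustration only.
"""
import ntpath
import os
import sys
from collections import Counter

# Registry path quoted in the article (HKEY_LOCAL_MACHINE hive).
KNOWNDLLS_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs"

# Constructed stand-in for the registry key, used when not running on Windows.
# Value names and DLLs are illustrative, not a dump of a real system.
SAMPLE_KNOWNDLLS = {
    "DllDirectory": r"C:\Windows\system32",
    "DllDirectory32": r"C:\Windows\syswow64",
    "kernel32": "kernel32.dll",
    "advapi32": "advapi32.dll",
    "user32": "user32.dll",
    "ole32": "ole32.dll",
}


def read_knowndlls(values=None):
    """Return (set of lower-cased DLL basenames, list of lower-cased directories).

    With values=None on Windows the live KnownDLLs key is read via winreg;
    otherwise the supplied mapping (or the constructed sample) is used.
    """
    if values is None:
        if sys.platform == "win32":
            import winreg
            values = {}
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KNOWNDLLS_KEY) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:
                        break
                    values[name] = data
                    index += 1
        else:
            values = SAMPLE_KNOWNDLLS
    names, dirs = set(), []
    for name, data in values.items():
        if name.lower().startswith("dlldirectory"):
            # DllDirectory values may contain %SystemRoot%; expand on Windows.
            dirs.append(os.path.expandvars(str(data)).lower().rstrip("\\"))
        else:
            names.add(str(data).lower())
    return names, dirs


def is_known_modload(image_path, known_names, known_dirs):
    """Assumed rule (not from the article): a modload is 'known' only when the
    basename is in KnownDLLs AND it was loaded from a KnownDLLs directory.
    A same-named module loaded from elsewhere is therefore still counted."""
    directory, basename = ntpath.split(image_path.lower())
    return basename in known_names and directory.rstrip("\\") in known_dirs


def summarize(modloads, known_names, known_dirs):
    """Count how many modload image paths would be filtered versus kept."""
    counts = Counter()
    for path in modloads:
        key = "filtered" if is_known_modload(path, known_names, known_dirs) else "kept"
        counts[key] += 1
    return counts


# Constructed sample of modload image paths, as pulled from process docs.
SAMPLE_MODLOADS = [
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\user32.dll",
    r"C:\Windows\System32\advapi32.dll",
    r"C:\Windows\System32\wininet.dll",                 # in system32, not in KnownDLLs
    r"C:\Users\alice\AppData\Local\Temp\kernel32.dll",  # same name, non-system directory
    r"C:\Program Files\Example\example.dll",
]

if __name__ == "__main__":
    names, dirs = read_knowndlls()
    print(summarize(SAMPLE_MODLOADS, names, dirs))
```

Run on a Windows host the script reads the real key; elsewhere it uses the constructed sample and reports 3 filtered and 3 kept. The two "kept" system-directory cases show what the article's last note means in practice: modules outside the KnownDLLs list, and same-named modules loaded from other directories, are still collected under this assumed rule.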

Article Information

Creation Date: 02-03-2021