Environment
- EDR: All Primary Servers
- EDR: Sensors
- Mac: All supported versions
- Windows: All supported versions
Question
What 'known modloads' are filtered when the feature is enabled to improve performance and retention?
Answer
a) For macOS, the dyld shared cache (dyld_cache) entries under /var/db/dyld.
b) For Windows, the DLLs listed under the KnownDLLs registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs
Additional Notes
- The known modloads filter can be enabled under Sensor Group Settings > Advanced.
- Modloads of the KnownDLLs (Windows) and the dyld cache (macOS) are no longer collected once the filter is enabled.
- Enabling the known modloads filter should be reviewed against the company's security policies.
- Enabling the known modloads filter should reduce the overall size of future process docs and increase retention.
- All other events are still collected, so this setting should have marginal impact on the ability to perform detection. The exception is any watchlist or query that matches specifically on modload events for these libraries: those events will no longer be present, so review such rules before enabling the filter.
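To size the retention gain before enabling the filter, it helps to run your own modload events through the same criteria the article describes. The script below is an added example written for this article, not Carbon Black EDR sensor code, and the matching rules it applies are assumptions: on Windows it treats a modload as "known" only when the file name is in the KnownDLLs data values and the module was loaded from the system DLL directory (so a look-alike kernel32.dll in a Temp folder stays visible); on macOS it treats any path under /var/db/dyld as a dyld cache entry. The KnownDLLs list, the directory expansions and the events are constructed samples; on a Windows host, `load_known_dlls_from_registry()` reads the real values from the registry key named above.

```python
"""Estimate what a 'known modloads' filter would drop from modload events.

Added example for this article; it is not Carbon Black EDR sensor code.
Assumptions not stated on the page: the Windows filter matches a module
by file name against the KnownDLLs registry values AND requires it to be
loaded from the system DLL directory; the macOS filter matches any path
under the dyld shared-cache directory.
"""
import ntpath
import posixpath
from collections import Counter

# Constructed sample of the data values under
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.
# On a Windows host, replace with load_known_dlls_from_registry().
SAMPLE_KNOWN_DLLS = ["kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll"]
# Assumed expansions of the key's DllDirectory / DllDirectory32 values.
KNOWN_DLL_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64")
DYLD_CACHE_DIR = "/var/db/dyld"


def load_known_dlls_from_registry():
    """Read the KnownDLLs data values from the live registry (Windows only)."""
    import winreg  # stdlib, but only importable on Windows
    key_path = r"SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs"
    names = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            index += 1
            # DllDirectory and DllDirectory32 hold paths, not module names.
            if not name.lower().startswith("dlldirectory"):
                names.append(data)
    return names


def is_known_modload(os_name, module_path, known_dlls=SAMPLE_KNOWN_DLLS):
    """True if the modload would stop being collected once the filter is on."""
    if os_name == "windows":
        directory, base = ntpath.split(ntpath.normpath(module_path))
        in_known_dir = directory.lower() in {d.lower() for d in KNOWN_DLL_DIRS}
        # A copy of kernel32.dll loaded from a user-writable directory is
        # not a KnownDLL and must stay visible.
        return in_known_dir and base.lower() in {d.lower() for d in known_dlls}
    if os_name == "mac":
        norm = posixpath.normpath(module_path)
        return norm == DYLD_CACHE_DIR or norm.startswith(DYLD_CACHE_DIR + "/")
    raise ValueError(f"unsupported os: {os_name}")


def filter_report(events, known_dlls=SAMPLE_KNOWN_DLLS):
    """Count kept vs dropped modloads per OS for (os_name, module_path) events."""
    counts = Counter()
    for os_name, path in events:
        verdict = "dropped" if is_known_modload(os_name, path, known_dlls) else "kept"
        counts[(os_name, verdict)] += 1
    return counts


# Constructed sample modload events, not real sensor data.
SAMPLE_EVENTS = [
    ("windows", r"C:\Windows\System32\kernel32.dll"),
    ("windows", r"C:\Windows\SysWOW64\ntdll.dll"),
    ("windows", r"C:\Users\alice\AppData\Local\Temp\kernel32.dll"),  # look-alike
    ("windows", r"C:\Users\alice\AppData\Local\Temp\payload.dll"),
    ("windows", r"C:\Program Files\App\app.dll"),
    ("mac", "/var/db/dyld/dyld_shared_cache_x86_64"),
    ("mac", "/usr/lib/libSystem.B.dylib"),
    ("mac", "/Users/alice/Downloads/inject.dylib"),
]

if __name__ == "__main__":
    for (os_name, verdict), n in sorted(filter_report(SAMPLE_EVENTS).items()):
        print(f"{os_name:8s} {verdict:8s} {n}")
```

Feed `filter_report()` a day's worth of exported modload events to see what share would be dropped; a large "dropped" count on Windows is the retention gain, while anything in the "kept" bucket that carries a KnownDLL name from a non-system directory is the kind of event the filter should still leave for your detections.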
Related Content