Environment
- EDR Server: All Versions
- EDR Sensor: All Versions
Question
Does the EDR sensor collect binaries from executables on the machine if they have not executed?
Answer
No, the sensor does not scan for inventory on the endpoint. It only listens for events happening live on the box. A malicious file can exist on the endpoint, but it will not be seen until it executes. At the time of execution the sensor will report the binary metadata and collect the physical binary for download.
Additional Notes
- A malicious file created by another process while the sensor is installed could be seen through a filemod search. However, since it has not executed, the binary metadata for the file does not exist. Only executables are collected.