
EDR: What Known Modloads are Filtered when the Feature is Enabled?

By CB_Support posted Feb 03, 2021 06:15 PM


Environment

  • EDR: All Primary Servers
  • EDR: Sensors
    • Mac: All supported versions
    • Windows: All supported versions

Question

What 'known modloads' are filtered when the feature is enabled to improve performance and retention?

Answer

a) For macOS, the modules in the dyld shared cache (the dyld_cache entries under /var/db/dyld).
b) For Windows, the modules listed in the KnownDLLs registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs

Additional Notes

  • Filtering of known modloads can be enabled under Sensor Group Settings > Advanced.
  • Once enabled, modloads from the KnownDLLs list (Windows) and the dyld shared cache (macOS) are no longer collected.
  • Enabling the known modloads filter should align with the company's security policies.
  • Enabling the known modloads filter should reduce the overall size of future process documents and increase retention.
  • All other events are still collected, so this setting should have only a marginal impact on the ability to perform detection.
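The following PowerShell script is an added example and is not part of this KB article or of the EDR product. It enumerates the KnownDLLs key named in the Answer above, so you can see exactly which module loads will stop appearing in process documents once the filter is enabled, and then checks that list against a constructed set of watchlist queries to find any detection that keys on a modload of one of those DLLs (the check a practitioner would want before turning the setting on). The DllDirectory and DllDirectory32 value names are standard Windows values under that key; the three watchlist query strings are invented for illustration only.

```powershell
# Added example, not from the KB article: list the KnownDLLs that the
# "filter known modloads" setting will drop, and flag any watchlist query
# that depends on a modload of one of them.

$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
$props = Get-ItemProperty -Path $key

# DllDirectory points at the 64-bit system directory and DllDirectory32 at the
# WOW64 one (standard Windows values under this key, not something the sensor adds).
$dir64 = [Environment]::ExpandEnvironmentVariables($props.DllDirectory)
$dir32 = if ($props.DllDirectory32) {
    [Environment]::ExpandEnvironmentVariables($props.DllDirectory32)
} else { $null }

# Every other value under the key is "<name>" = "<file>.dll".
$known = Get-Item -Path $key |
    Select-Object -ExpandProperty Property |
    Where-Object { $_ -notin @('DllDirectory', 'DllDirectory32') } |
    ForEach-Object {
        $dll = Get-ItemPropertyValue -Path $key -Name $_
        [pscustomobject]@{
            ValueName = $_
            Dll       = $dll
            Path64    = Join-Path $dir64 $dll
            Path32    = if ($dir32) { Join-Path $dir32 $dll } else { $null }
        }
    }

$known | Sort-Object Dll | Format-Table -AutoSize
"{0} known DLLs will no longer be recorded as modload events once the filter is enabled." -f $known.Count

# Constructed sample of watchlist queries (hypothetical, not from the article).
# Replace with an export of your own watchlists.
$watchlists = @(
    'process_name:rundll32.exe modload:*\comsvcs.dll',
    'modload:*\kernel32.dll -process_name:explorer.exe',
    'modload:*\samlib.dll'
)

# Flag queries that reference a known DLL: those detections would go silent.
foreach ($q in $watchlists) {
    $affected = $known.Dll | Where-Object { $q -match [regex]::Escape($_) }
    if ($affected) {
        "REVIEW: '{0}' references known DLL(s): {1}" -f $q, ($affected -join ', ')
    } else {
        "ok:     '{0}'" -f $q
    }
}
```

Run this on a sensor host of each Windows build you deploy, since the KnownDLLs list varies slightly between Windows versions; any query flagged REVIEW should be rewritten around an event type that is still collected (for example the process or filemod event) before the filter is enabled.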
