Advance Notice: EDR Linux Agent Update

We are pleased to announce that on Thursday, November 3, the Endpoint Detection and Response (EDR) product will release a new Linux agent. The Linux agent moves from 21.10 SP1 (21.10.4.9) to 22.2 (22.2.2.2). We strongly recommend upgrading these agents as soon as possible to get the maximum level of protection available.

New and improved in Linux 22.2 (22.2.2.2):

Application Control Alert Suppression

Create path exclusions that suppress alerts from the Application Control engine only, while alerts from the Static AI and Dynamic AI engines remain enabled. This requires Linux as the operating system, Path as the Exclusion Type, and Agent version 22.2 or later.

Detection Enhancements

A number of detection enhancements have been added in 22.2, including:

  • Cryptominer activity – Detection of suspicious invocations that look like cryptominers.
  • pkexec privilege escalation – Alerts on attempts to exploit the privilege escalation vulnerability CVE-2021-4034 (PwnKit) in pkexec.
  • Cron job activity – Alerts on new, suspicious cron jobs being added.
  • Ransomware detection – The ransomware detection engine now detects encryption performed with common Linux utilities such as openssl.
  • Extended reverse shell detection coverage.
  • Access to sensitive system files – A new eBPF-based file read sensor lets the Agent detect any read access to specific sensitive system files. The list of files is not configurable. The Behavioral Indicators that use this sensor are:
    • read_shadow (indicator name: ReadShadow) – reported when a process reads /etc/shadow
    • read_passwd (indicator name: ReadPasswdFile) – reported when a process reads /etc/passwd
    • read_ssh_private_keys (indicator name: ReadSSHKeys) – reported when a process reads .ssh/id_* files (SSH private keys)
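The three indicators above are path-based, so it helps to see the same mapping run over a handful of file-read events. The block below is an added example written for this post, not the Agent's eBPF sensor or its indicator logic: the `FileReadEvent` type, the sample events, the path patterns and the normalisation rule are assumptions made here; only the indicator names and the three files come from the list above. It also adds one correlation the post does not claim the Agent performs (the same process reading both /etc/passwd and /etc/shadow).

```python
"""Added example: map file-read events to the ReadShadow, ReadPasswdFile and
ReadSSHKeys indicators named in the release notes. Illustrative code for this
post only; the Agent's real sensor and rules are not published here.
"""
import fnmatch
import posixpath
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Indicator names as quoted in the release notes. The glob patterns are this
# example's reading of that list (assumption), the Agent's list is fixed.
INDICATORS = (
    ("ReadShadow", "/etc/shadow"),
    ("ReadPasswdFile", "/etc/passwd"),
    ("ReadSSHKeys", "*/.ssh/id_*"),   # note: also matches id_rsa.pub
)


@dataclass(frozen=True)
class FileReadEvent:          # hypothetical event shape, not the Agent's
    pid: int
    comm: str
    path: str                 # absolute path as seen at open time


def normalise(path: str) -> str:
    """Collapse '.', '..' and doubled slashes so '/etc/../etc/shadow' hits the
    same rule as '/etc/shadow'. Symlinks are not resolved here; a kernel-side
    sensor that keys on the resolved inode would not have that gap."""
    return posixpath.normpath(path)


def classify(path: str) -> Optional[str]:
    """Return the indicator name for a read of `path`, or None."""
    p = normalise(path)
    for name, pattern in INDICATORS:
        if fnmatch.fnmatchcase(p, pattern):
            return name
    return None


def run(events: List[FileReadEvent]) -> List[Dict[str, object]]:
    """Emit one alert record per event that matches an indicator."""
    alerts: List[Dict[str, object]] = []
    for ev in events:
        indicator = classify(ev.path)
        if indicator:
            alerts.append({"pid": ev.pid, "comm": ev.comm,
                           "indicator": indicator, "path": normalise(ev.path)})
    return alerts


def credential_access_pids(alerts: List[Dict[str, object]]) -> Set[int]:
    """PIDs that read both /etc/passwd and /etc/shadow: a far stronger signal
    than either read alone. This correlation is this example's addition."""
    seen: Dict[int, Set[str]] = {}
    for a in alerts:
        seen.setdefault(int(a["pid"]), set()).add(str(a["indicator"]))
    return {pid for pid, inds in seen.items()
            if {"ReadShadow", "ReadPasswdFile"} <= inds}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    FileReadEvent(1201, "sshd", "/etc/passwd"),            # benign, noisy
    FileReadEvent(4410, "unshadow", "/etc/passwd"),
    FileReadEvent(4410, "unshadow", "/etc/../etc/shadow"), # evades naive compare
    FileReadEvent(5123, "python3", "/home/bob/.ssh/id_ed25519"),
    FileReadEvent(5123, "python3", "/home/bob/.ssh/config"),
    FileReadEvent(777, "cat", "/etc/hostname"),
]

if __name__ == "__main__":
    found = run(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print("passwd+shadow in one process:", credential_access_pids(found))
```

Two practical points the mapping makes visible: a path-keyed rule must see a normalised path (or, better, the resolved inode), otherwise `/etc/../etc/shadow` slips past a naive string compare; and /etc/passwd is world-readable and read by sshd, login and anything that resolves a UID to a name, so ReadPasswdFile on its own is low fidelity and is best treated as context for ReadShadow in the same process.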

Supported Distros Added

The EDR Linux x86 Agent now also supports Ubuntu 22.04, RHEL 8.6/9.0, AlmaLinux 8.6/9.0, Fedora 36, Rocky Linux 8.6, and Oracle Linux 8.6.

Added distro support for SELinux in Enforcing mode: SELinux Enforcing mode is now supported on RHEL 8.x and Oracle Linux 8.x endpoints.
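Before rolling 22.2 out to a fleet, it is worth checking each endpoint against the two support notes above and the 22.2-or-later requirement for Application Control path exclusions. The script below is an added example written for this post, not N-able or SentinelOne tooling. It assumes the distro is identified from the ID and VERSION_ID fields of /etc/os-release (using the IDs those distros ship: rhel, ol, rocky, almalinux, fedora, ubuntu), that SELinux mode can be read from /sys/fs/selinux/enforce, and that the caller supplies the installed Agent build number, since the post documents no command for retrieving it.

```python
"""Added example for this post: pre-upgrade check of one Linux endpoint
against the 22.2 support notes quoted above. Not vendor tooling; the
distro table is transcribed from the post and must be refreshed from the
Release Notes for anything newer.
"""
import os
import sys
from typing import Dict, List, Optional, Tuple

# Distros the post names as newly supported by the 22.2 x86 Agent, keyed by
# os-release ID. Older supported distros are deliberately not listed:
# absence means "not in the new list", not "unsupported".
NEWLY_SUPPORTED: Dict[str, set] = {
    "ubuntu": {"22.04"},
    "rhel": {"8.6", "9.0"},
    "almalinux": {"8.6", "9.0"},
    "fedora": {"36"},
    "rocky": {"8.6"},
    "ol": {"8.6"},            # Oracle Linux
}
# SELinux Enforcing mode is supported on RHEL 8.x and Oracle Linux 8.x.
SELINUX_ENFORCING_OK: Dict[str, str] = {"rhel": "8", "ol": "8"}


def parse_os_release(text: str) -> Dict[str, str]:
    """Parse KEY=value lines; strip surrounding quotes, skip comments."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        out[key.strip()] = value.strip().strip('"').strip("'")
    return out


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric dotted build such as '21.10.4.9'. Marketing names like
    '21.10 SP1' are not accepted; pass the build number instead."""
    return tuple(int(part) for part in v.split("."))


def agent_at_least(installed: str, required: str) -> bool:
    """Numeric, zero-padded comparison: 22.10 is newer than 22.2."""
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def newly_supported(osr: Dict[str, str]) -> bool:
    return osr.get("VERSION_ID", "") in NEWLY_SUPPORTED.get(osr.get("ID", ""), set())


def selinux_enforcing_supported(osr: Dict[str, str]) -> bool:
    major = osr.get("VERSION_ID", "").split(".")[0]
    return SELINUX_ENFORCING_OK.get(osr.get("ID", "")) == major


def read_selinux_enforcing(path: str = "/sys/fs/selinux/enforce") -> Optional[bool]:
    """True/False for enforcing/permissive, None if SELinux is not mounted."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return None


def preflight(os_release_text: str, agent_version: str,
              enforcing: Optional[bool]) -> Dict[str, object]:
    """Summarise the endpoint against the notes in this post."""
    osr = parse_os_release(os_release_text)
    selinux_ok = selinux_enforcing_supported(osr)
    is_22_2 = agent_at_least(agent_version, "22.2")
    warnings: List[str] = []
    if enforcing and not selinux_ok:
        warnings.append("SELinux is Enforcing but this distro is not listed as "
                        "supported in Enforcing mode (RHEL 8.x / Oracle Linux 8.x)")
    if not is_22_2:
        warnings.append("Agent older than 22.2: Application Control path "
                        "exclusions and the new sensors are not available")
    return {
        "distro": f"{osr.get('ID')} {osr.get('VERSION_ID')}",
        "in_22_2_new_distro_list": newly_supported(osr),
        "agent_is_22_2_or_later": is_22_2,
        "selinux_enforcing": enforcing,
        "selinux_enforcing_supported": selinux_ok,
        "warnings": warnings,
    }


# Constructed sample os-release content (not captured from real hosts).
SAMPLE_OS_RELEASE_RHEL = 'NAME="Red Hat Enterprise Linux"\nID="rhel"\nVERSION_ID="8.6"\n'
SAMPLE_OS_RELEASE_UBUNTU = 'NAME="Ubuntu"\nID=ubuntu\nVERSION_ID="22.04"\n'

if __name__ == "__main__":
    # Run on the endpoint: python3 preflight.py <installed-agent-build>
    version = sys.argv[1] if len(sys.argv) > 1 else "21.10.4.9"
    if os.path.exists("/etc/os-release"):
        with open("/etc/os-release") as fh:
            text = fh.read()
    else:
        text = SAMPLE_OS_RELEASE_RHEL
    for key, value in preflight(text, version, read_selinux_enforcing()).items():
        print(f"{key}: {value}")
```

The version comparison is numeric on purpose: a lexical compare would rank 21.10.4.9 above 22.2.2.2 and 22.2 above a future 22.10, which is exactly the mistake that leaves "already upgraded" hosts on the old build.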

New eBPF Improvements

To further improve Agent performance, the Agent uses the extended Berkeley Packet Filter (eBPF) to collect operating system telemetry events where the OS supports it. eBPF features are being added gradually across Agent releases.

The eBPF feature in this Agent release: the perf provider now uses the eBPF framework to track execv and chmod events.

And More…

  • Static AI Engine enhancement: the Static AI model has been updated for improved detection.
  • Scanning performance enhancement: during a full disk scan, the s1-scanner process filters out irrelevant files before passing them to the s1-agent process, reducing the load on s1-agent.
  • Agent restart requirement changed: changing the log severity with a policy override no longer requires an Agent restart.

For the full list of bug fixes, please see the Release Notes linked below.

For full details on all updates, please check out our Release Notes: https://success.n-able.com/nc-edr-documentation/

This entry was posted in N-central, N-sight.