
Endpoint Detection and Response (EDR)

We are a leading service solutions provider and the officially appointed distributor for eScan in the Singapore market.

We selectively partner with market leading vendors who are established in their respective domains.

Your network security is only as strong as your least secure endpoint. Even a single unsecured endpoint increases your network’s exposure. To strengthen your network security, you need to secure each and every endpoint; only in this way can you reduce the risk of cyberattacks.

A cybercriminal typically uses the following methods to conduct a cyberattack:

  • Launch scripts and executables that download a malicious payload or run other malicious programs
  • Run malicious scripts in the background without the user’s knowledge
  • Make a program exceed its rights and escalate permissions for suspicious activities


If unusual behavior is observed in genuine programs, they are treated as malicious, since genuine programs can be manipulated by malware. In such situations, Boundary Protection Rules can contain the threat and strengthen your network’s safety.

You can use the Safety Check/Audit Mode to analyse how the Boundary Protection Rules (attack surface detection) would improve your network security if enabled. To ensure your network isn’t jeopardized, always audit the events generated by Boundary Protection Rules. This way you can understand how each of your applications is affected.

Not all genuine applications are developed with security as the top concern, and some may appear to exhibit the same behaviour as malware. By reviewing the Safety Check Report, you can add security exclusions for genuine applications and then apply Boundary Protection Rules to your network without slowing down endpoint performance.

Whenever a Boundary Protection Rule is violated, an alert is sent to the administrator. You can configure the Alert Settings for multiple recipients as per your requirements. To ensure maximum protection, you need to deploy a full eScan Enterprise EDR license, which lets you use the full capabilities of EDR, including the Monitoring, Statistics, and workflow features available in eScan Enterprise EDR.

The eScan dashboard displays complete EDR activity across your network. You can also download and export the EDR reports to review the actions taken by Boundary Protection Rules.

Looking for Benefits? Here they are!

Broad Overview

eScan is equipped with advanced technologies for comprehensive threat protection against zero-day attacks. These technologies are based on proactive detection using intelligent sandboxing, active monitoring and continuous process review. The administrator can deploy policies to secure and manage network endpoints centrally from the management console. In case of a virus outbreak, outbreak prevention policies can be deployed to restrict access to network resources from selected computer groups for a defined period of time.

eScan’s Endpoint Detection and Response (EDR) solution offers detection mechanisms based on combinations of behavioral indicators that detect and block attackers’ tools, techniques and procedures. It is capable of mitigating fileless malicious activity that uses memory exploits and takes advantage of Windows utilities such as MSTSC, CMD, and PowerShell.

eScan empowers enterprises with advanced features for identifying and securing all critical data, at rest or in motion. It minimizes the risk of data loss with advanced application and device control as well as data leak prevention at the Endpoint, Network or Mail Gateway level. eScan is equipped with features such as Block Port Scan Attempt, USB Whitelisting, Disable Print Screen, Block File Transfer through Messenger, Print Activity Management, File and Folder Protection and an advanced two-way Firewall for managed endpoints.

Two-Factor Authentication (2FA) is an extra layer of security that ensures users trying to gain access to the endpoints are legitimate. A one-time password (OTP) is sent to the user for logging in.

Remote Monitoring and Management (RMM) is a Remote Desktop and Screen Sharing feature that helps Managed IT Service Providers (MSPs) remotely monitor and control all client endpoints from a centralized console. The RMM feature can be used to carry out tasks such as installing updates, patching and service configuration on the client’s systems. All of the above tasks, and many more, can be performed remotely rather than on-site, saving valuable time for Enterprises and Small and Medium Businesses (SMBs).

eScan’s EPP is equipped with real-time event capturing, notifications and alerts that allow the administrator to control suspicious activity on the endpoints. Its web protection and application control features filter websites and applications based on pre-defined categories to prevent unproductive usage, thus enhancing employee productivity.

The comprehensive Software and Hardware Asset Management feature of eScan’s EPP captures detailed inventory records of managed endpoints. This helps the administrator keep track of and control the IT assets maintained by the enterprise.

eScan is equipped with tools to capture live events from managed endpoints and publish them on the eScan management console. These events are automatically categorized on the basis of event severity, computer selection, asset changes or policy violation. This real-time event management provides a holistic view of enterprise network security aimed at enhancing business continuity. The administrator is notified via email whenever a violation occurs. If the malware count on any computer exceeds the defined limit, an email notification helps in monitoring and controlling security.

eScan is equipped with advanced features to protect and track critical data stored on managed endpoints or shared within the network. Some of the key features are File and Folder Protection, File Rights for local and remote access permissions, tracking the flow of confidential information from endpoints to external networks, eBackup with file encryption, and Shadow Copy. All these features allow the administrator to secure the data stored on the endpoints and permit only authorized access to it. Administrators can also track the flow of data from creation, modification and deletion through to transfer to local, network or cloud resources. Real-time events are captured and customized reports can be generated for auditing.

eScan is equipped with technologies to track user behavior at endpoints in relation to the use of applications, resources, login/logoff and cloud usage. With the eScan Management Console, the administrator can deploy a policy for a single system in the network by defining policy criteria for a particular IP address, user or machine name. eScan is also equipped with File Activity Monitoring, Session Activity Log, real-time event management through Client Live Updater, AD Synchronization, and Customized Setup.

In recent times, ransomware attacks have increased manifold and have also become stealthier than before. eScan EPP now features the latest technological advancement, “PBAE Technology”, which blocks ransomware attacks and keeps enterprise networks safe and secure.

Features at a Glance

With unified management, enterprises do not have to worry about the security of diverse endpoints across hybrid networks. eScan EPP provides a client, administered via a centralized management console, for endpoints running Windows, Mac, Linux, and Android platforms in the network. This simplifies security administration and provides operational efficiencies such as centralized deployment, reporting and a licensing module.

eScan EPP helps in monitoring and securing critical data to prevent any kind of data leak or data theft from managed endpoints in the network. It allows the administrator to whitelist or blacklist USB and other storage devices, and to allow or block access to devices such as webcams, CD-ROMs, composite devices, Bluetooth devices, SD cards or imaging devices. Authorized access to such devices can be granted using a One Time Password without violating the policy deployed to the group. A sub-feature under device control sends notifications to the administrator when any data (other than read-only data) on the client system’s hard disk is copied to a USB device.

eScan EPP allows creating a list of applications that the administrator wishes to block from installation or execution on endpoints in the network. This helps improve employee productivity by blocking the execution of unproductive applications, instant messengers and gaming applications. It also allows or blocks fake and malicious applications in the network.

Administrators can define and deploy the policy through the Management Console to the endpoints. It also allows whitelisting applications or defining time restrictions for allowing or blocking the execution of applications on endpoints.

In today’s environment there is always a possibility of data breach and data theft via network printers, or of printouts being left unattended at printing devices. eScan EPP therefore allows administrators to keep track of printing activity that takes place through managed endpoints, whether via network printers or via PDF writers. Such events are captured and published on the Management Console in the Print Activity Report.

The following details are logged and can be exported to PDF, Excel or HTML formats:

  • Number of copies printed
  • Document name of the printed file
  • Date on which print was taken (client machine)
  • Machine name
  • Username of the computer and its IP address

eScan EPP is equipped with a two-way firewall designed to prevent unauthorized access to a computer or network that is connected to the internet. It enforces a boundary between two or more networks by implementing access policies (rules). Administrators can set rules to control network traffic to and from managed endpoints. The firewall evaluates the rules, analyzes the network packets and filters them: packets that meet the allow criteria defined in the rules are passed through, and all others are discarded. Administrators can customize the pre-defined rules or define new rules as per their security needs.

It is important to keep an eye on the IT assets of the endpoints connected to the enterprise network. This feature helps track and control changes made by users to the endpoints, such as unauthorized software or hardware that could be a potential threat to the network. It provides software licensing details for Microsoft products and allows the administrator to filter reports on any desired criteria.

Whenever there is any change in the hardware configuration, or any new software is installed on the managed endpoints, the administrator is notified. Captured information can be exported to PDF, Excel or HTML formats.

Endpoints need real-time protection from objectionable content and security threats such as ransomware, viruses, spyware, adware, keyloggers, rootkits, botnets, hackers, spam, and phishing. eScan Cloud Security ensures a prompt response and an advanced level of detection that provides superior protection.

It ensures real-time protection against advanced malware such as worms and Trojans by blocking the threat before it damages endpoints. It automatically analyzes, classifies, detects and quarantines 99% of the new malware discovered every day, in real time.

Web pages with links to malicious applications pose the biggest risk to enterprises, resulting in compromised critical data, damage, or exposure of sensitive information. These links appear to be safe but are designed to cause damage to enterprise data. In other words, the web is increasingly being used to distribute malware quickly and evade traditional security programs.

eScan EPP blocks malicious websites/URLs that could be unknowingly serving malware. The Malware URL Filter strengthens endpoints and helps effectively close the loopholes through which unknown malware enters endpoints and networks via the cloud.

eScan EPP enables you to share security configuration and monitoring responsibilities for the enterprise among sub-administrators using the eScan management console. This feature lets the administrator assign sub-administrators pre-defined roles, each with its own set of rights, permissions and groups. One or more senior administrators can have full configuration privileges for all endpoints, while junior administrators can have limited configuration or monitoring authority as defined by the senior administrator in the management console.

This feature helps detect misuse of a computer at times when the authorized user is not using the endpoint. Remote activity can be traced to the user through the remote logon details captured in the report. The eScan Management Console monitors and logs the session activity of the managed computers and displays a report of endpoint startup, shutdown, logon, logoff and remote session events.

The log report also captures the following details:

  • Login or remote sessions
  • Computer name
  • Group name
  • IP address
  • Description of the activity

It also allows the administrator to filter the report on desired criteria. Generated reports can be exported in PDF, Excel or HTML formats.

eScan monitors and logs the file activity of the managed endpoints. It displays a report of the files created, copied, modified, or deleted so the administrator can trace file activity across all managed endpoints. Additionally, unauthorized access to critical files can be traced to the user through the details captured in the report.

Taking regular backups of critical files stored on the managed endpoints is very important, as they can be lost or damaged due to issues such as a virus outbreak or modification by ransomware or another user. eScan allows the administrator to back up important files and folders. It also allows scheduling the backup process at a desired time and path, saving the backup files locally or on an external hard drive or USB storage device. Administrators create backup jobs by adding files and folders and scheduling the backup process as tasks. The backed-up data is stored in encrypted form in a folder secured by eScan’s real-time protection.

eScan allows you to create a customized client setup with a pre-defined Policy Template. This applies group policies to the endpoints automatically when the customized eScan Client is installed on the endpoint, whether manually or remotely. The major benefit of this feature is that even if the endpoint does not connect to the eScan server, the Policy Template is still applied to the endpoint through the customized eScan Client installed on it. On installing this customized setup, the endpoint is automatically moved to the pre-assigned group.

eScan’s password protection prevents users from violating a security policy deployed in the network. For example, the administrator has deployed a security policy to block all USB devices, but someone needs access for a genuine reason, such as a sales presentation stored on a USB pen drive. The administrator can grant the user access via OTP for a desired period of time on that endpoint without violating the current security policy. This disables the module for the defined time period while the existing policy stays in place.

This option allows the administrator to check the software installed on endpoints in the network for any weakness that an attacker could use to gain access to the information stored on the endpoints. Using the Vulnerability Scanner module of eScan, you can easily update the listed software to a more secure version.

eScan checks the endpoints for missing patches on the OS by matching the installed patches with the released patch list. The missing critical Windows update patches are then downloaded and installed on the computer where eScan is running.

eScan employs a combination of technologies to prevent spam. eScan’s Anti-spam filter scans the content of received emails. It filters all junk and spam emails using advanced technologies like NILP (Non-Intrusive Learning Pattern) and DIRC (Domain and IP Reputation Check) and sends warnings to the recipient or the sender. It also provides options to customize the rules for filtering spam as per the organization’s requirements, and helps filter out zero-hour spam.

Enterprises empower employees by allowing the use of mobile devices, either as Company Owned Devices (COD) or under a Bring Your Own Device (BYOD) policy, for work operations. This enhances employee productivity and allows seamless business operations. eScan’s Enterprise Mobility Management (EMM) solution provides a comprehensive approach to safeguarding critical apps and enterprise data accessed from or residing on mobile devices. It ensures that corporate data is protected from data loss, malware and unauthorized access.

eScan’s EMM is one of the most powerful security solutions available today to help organizations overcome the challenges of mobile devices (BYOD/COD) in their enterprise networks from a Unified Management Console.

These features are offered under the following categories:

  • Mobile Threat Defense
  • Mobile Content Management
  • Mobile Asset Management
  • Mobile Application Management
  • Mobile Productivity Management
  • Mobile Identity

Additional Features of EDR

All Windows security events (unauthorized login attempts, RDP connections, and policy changes) are monitored for behavioral changes, policy violations, and use beyond granted rights. These events are then forwarded to the server over secure protocols for threat analysis and storage.

All event logs are stored on a secured server and analyzed further for threats based on the malware type and corruption. They are checked against rule-based policies and regulations, then identified and categorized by the nature and level of the security threat.

Using Windows events and Threat Analysis, a deep root cause analysis (RCA) is carried out on detected and potential threats to identify their root cause. The RCA helps you identify the loose ends in your network and take effective action to mitigate threats before they take over the network.

All OS and application logs from before, during, and after the threat detection are analyzed to pinpoint the critical events. Along with reduced operational costs, this helps eScan improve real-time threat visibility, network safety, and time management.

This rule blocks executable and script files that run automatically shortly after an email is opened:

  • Executable files (such as .exe, .dll, or .scr)
  • Script files (such as a PowerShell .ps, Visual Basic .vbs, or JavaScript .js file)

Malware can infect Office apps and manipulate them into running child processes. This rule blocks all Office applications from creating child processes. It stops programs from running VBA macros, spawning commands, and using PowerShell to modify registry settings.

Office apps can be used as a medium by malware and forced to save malicious files. These files can avoid detection and reside on the system to spread the infection. This rule blocks all Office programs from creating and saving a suspicious executable file, by preventing the malicious code from being written to disk.

Cybercriminals can use programs to transfer malicious code into another process via code injection, so that the code appears completely genuine. This rule blocks programs from injecting code into other processes.

Running a malicious JavaScript or VBScript may download a malicious payload or run other processes in the background without the user’s knowledge. This rule blocks JavaScript and VBScript from running downloaded executable content.

To decrease script loading times or hide malicious code, cybercriminals obfuscate their scripts. As a result, malware easily evades detection by the human eye and even by cybersecurity solutions. This rule looks for malicious code in obfuscated scripts and blocks execution upon detection.

With VBA macros, Office applications can make Win32 API calls. Malware can use this to its advantage, abusing Office apps to call Win32 APIs and run malicious shellcode on endpoints without saving anything to disk. This rule prevents VBA macros from calling Win32 APIs.

All executable files on the system are scanned to verify that they are genuine. If a file appears to be ransomware, this rule blocks it from running. Specific files can be exempted by adding them to an exclusion list.

Cybercriminals can steal NTLM hashes and cleartext passwords from the Local Security Authority Subsystem Service (LSASS) using hacking tools. This rule blocks credential theft by preventing access to LSASS.

WMI and PsExec are capable of remote code execution. Malware can use this capability to run malicious commands on systems and infect an organization’s network. This rule blocks process creation originating from WMI and PsExec commands.

This rule blocks all untrusted and unsigned executable files (.exe, .dll, or .scr) from running from removable devices such as USB drives and SD cards.

This rule blocks exploit code from abusing Outlook vulnerabilities and protects users from social engineering attacks. Additionally, it protects users from Outlook forms exploits and Outlook rules used by cybercriminals once a user’s credentials have been leaked. Although this rule blocks Outlook from creating child processes, it allows Outlook to perform its genuine functions.

Via an exploit or social engineering, malware can abuse Adobe Reader to download a malicious payload and break out of the program. This rule blocks all child processes of Adobe Reader and thus reduces the chance of it being used as a medium.

This rule prevents malware from abusing WMI to attain persistence on a device. If you have any doubts regarding the EDR, send an email to Enterprise support team at 
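As an added illustration of how rules like those described above behave in block mode versus Safety Check/Audit Mode with exclusions, here is a small Python evaluator run over constructed process events. It is example code, not eScan’s implementation; the event fields, rule names and process image names are assumptions made for this example.

```python
# Added example (not eScan code): a minimal evaluator modelling several of the
# Boundary Protection Rules described on this page, applied to constructed
# process-creation / process-access events.
from dataclasses import dataclass

# Assumed image names of the "actor" processes the rules watch for.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
REMOTE_EXEC = {"wmiprvse.exe", "psexesvc.exe"}
EXEC_EXT = (".exe", ".dll", ".scr")


@dataclass
class Event:
    actor: str                # image name of the process performing the action
    image: str = ""           # image created/executed ("" for pure access events)
    signed: bool = True       # constructed: result of a signature check
    removable: bool = False   # image launched from removable media
    downloaded: bool = False  # image carries a downloaded-content mark
    target: str = ""          # process accessed (e.g. lsass.exe), if any


# Each rule is (name, predicate over an Event); names are assumptions.
RULES = [
    ("office_child_process", lambda e: e.actor in OFFICE and e.image),
    ("outlook_child_process", lambda e: e.actor == "outlook.exe" and e.image),
    ("adobe_reader_child_process", lambda e: e.actor == "acrord32.exe" and e.image),
    ("script_runs_downloaded_content",
     lambda e: e.actor in SCRIPT_HOSTS and e.downloaded),
    ("untrusted_exe_from_removable",
     lambda e: e.removable and not e.signed and e.image.lower().endswith(EXEC_EXT)),
    ("wmi_psexec_process_creation", lambda e: e.actor in REMOTE_EXEC and e.image),
    ("lsass_credential_access", lambda e: e.target.lower() == "lsass.exe"),
]


def basename(path):
    """Image file name regardless of Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event, audit_mode=False, exclusions=frozenset()):
    """Return (verdict, matched_rule_names).

    Exclusions are compared against the created image's file name, mirroring
    the page's "add security exclusions for genuine applications" step.
    In audit mode a match is reported but not enforced."""
    if event.image and basename(event.image) in exclusions:
        return "allow", []
    matched = [name for name, pred in RULES if pred(event)]
    if not matched:
        return "allow", []
    return ("audit" if audit_mode else "block"), matched


def audit_report(events, exclusions=frozenset()):
    """Safety Check style summary: which images each rule would have hit,
    so exclusions can be chosen before switching the rules to block mode."""
    hits = {}
    for e in events:
        _, matched = evaluate(e, audit_mode=True, exclusions=exclusions)
        for name in matched:
            hits.setdefault(name, []).append(basename(e.image) if e.image else e.target)
    return hits


# Constructed sample events (not real telemetry).
SAMPLE = [
    Event("winword.exe", "powershell.exe"),
    Event("wscript.exe", "dropper.exe", downloaded=True),
    Event("explorer.exe", "E:\\tool.exe", signed=False, removable=True),
    Event("wmiprvse.exe", "cmd.exe"),
    Event("unknown.exe", target="lsass.exe"),
    Event("explorer.exe", "notepad.exe"),
]
```

Running `audit_report(SAMPLE)` first, then adding only the genuine hits to `exclusions` before enforcing, is the workflow the Safety Check Report passage above describes.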

Contact Us to Find Out More Today!