by vladvasiliu 978 days ago
Do these actually work?

We've got one of those at work, and the most visible effect is it makes me feel like driving around with the handbrake on.

Then, every so often, it'll flag the code I'm working on as "malicious". It's pretty basic glue stuff, and launching the executable in their sandbox usually turns up nothing. Sure, I can add an exception for what I'm working on and my tools so it doesn't scan rustc every time it runs. But exceptions can only be paths. Aren't we lucky that bad guys would never ever overwrite the files I've excluded.

When we first started deploying it, I wrote a quick and dirty cryptolocker. Reading files and rewriting their content encrypted in AES. Didn't take any evasive action, just traverse directories and fetch all the files. I even went out of my way to do it multi-threaded, so I wouldn't have to wait too long while testing. Sure enough, it flagged my test-crypto.exe as suspicious. But I guess I'm not enough of a threat, since I tried renaming it to meh.exe and, wouldn't you know it, I could happily encrypt my own home folder without any bother.

So I'm still not fully convinced these aren't just like the antivirus of old, only with a different name.
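A defender-side illustration of the point about exclusions and renaming, added here and not part of the thread: a name or path rule misses the renamed binary outright, whereas a behavioral rule keyed on how many files a process rewrites with high-entropy content in a short window still flags it. The event log, process names, paths and thresholds below are constructed assumptions, not data from any real product.

```python
import math
import os
from collections import defaultdict

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the written content; random or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

# Constructed events: (timestamp_seconds, process_name, path, content_written).
# os.urandom stands in for ciphertext; process names and paths are hypothetical.
EVENTS = (
    [(0.5, "code.exe", "C:/Users/me/notes.txt", b"meeting notes, todo list, " * 40)]
    + [(1.0, "rustc.exe", "C:/proj/target/debug/glue.exe", os.urandom(4096))]
    + [(2.0 + i * 0.1, "meh.exe", f"C:/Users/me/docs/file{i}.docx", os.urandom(2048))
       for i in range(40)]
)

def name_blocklist_hits(events, blocked=("test-crypto.exe",)):
    """What a filename rule sees: nothing once the binary has been renamed."""
    return sorted({proc for _, proc, _, _ in events if proc in blocked})

def behavioral_hits(events, window_s=10.0, min_files=20, min_entropy=7.5):
    """Flag any process that rewrites at least min_files distinct files with
    high-entropy content inside a sliding time window, whatever it is called.
    A compiler emitting one binary stays under min_files; mass rewriting does not."""
    per_proc = defaultdict(list)
    for ts, proc, path, content in events:
        if shannon_entropy(content) >= min_entropy:
            per_proc[proc].append((ts, path))
    flagged = set()
    for proc, writes in per_proc.items():
        writes.sort()
        for i, (t0, _) in enumerate(writes):
            paths = {p for t, p in writes[i:] if t - t0 <= window_s}
            if len(paths) >= min_files:
                flagged.add(proc)
                break
    return sorted(flagged)
```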


Yes, I have operated carbon black, huntress, and crowdstrike and they all work very well at stopping real attacks. You are always going to have edge cases, but there's a lot of power in being able to roll back anything even if it wasn't initially blocked. Within a few minutes of badstuff.exe being flagged I can have a graph of everything it's ever touched, how it got there, say with certainty if consumer data was impacted, and know everything that was exfiltrated. We can go back to patient zero and see everything that it branches out to and freeze every iteration of it out of the network instantly. And it's easy, you used to be down for weeks and hire a DFIR firm to puzzle it out. Now it's a button.

> there's a lot of power in being able to roll back anything even if it wasn't initially blocked. Within a few minutes of badstuff.exe being flagged I can have a graph of everything it's ever touched, how it got there, say with certainty if consumer data was impacted, and know everything that was exfiltrated.

I can certainly see the value in that.

But does that work when the threat is actually "new"? Say, some badstuff.exe managed to run and do its thing without being flagged by the EDR. Somehow you found out about it, say on another box. Can you investigate a posteriori how it got on the initial box and what it did there?