[tgv]

It's stated in the article: "The standout red flag was that the unique machine name used by the individual was the same as one that we had tracked in several incidents prior to them installing the agent."

However, it's obvious that protection-ware like this is essentially spyware with alerts. My company uses a similar service, and it includes a remote desktop tool, which I immediately blocked from auto-startup. But the whatever scanner sends things to some central service. All in the name of security.

[boston_clone]

Directly impinging the enterprise-approved security tooling is really not a good idea, no matter your own personal opinions on their functionality.

Unless maybe you just want to develop a more personal relationship with your internal cybersecurity team, who knows.

[jacquesm]

Or with the HR team and the corporate security guys assisting your departure from the building holding a small cardboard box.

[tgv]

Things are not so rigid here. Idk how you could work in the environment you and the parent comment describe.

[jacquesm]

I'm not. But I know plenty of people who do.

[coppsilgold]

I would assume any machine not owned by me is fully compromised and there is no recovery possible. And treat it accordingly, such as using it just for the purpose the owner of the machine dictates assuming I value that relationship.

The startup script you blocked could have just been a decoy. And set off a red flag.

A lot of these EDR's operate in kernel space.