Elastic EDR Problem

Aliya_Khalel · December 10, 2024, 11:07am

We using Fleet-managed Elastic Agent.
All agents has policies have Elastic Defend integration.
We are using Enteprise License.

Can EDR decrease speed of downloading files from Whatsapp?
Why I don't see Malware Prevention Alert in Detection Rules?

image777×484 78 KB

gabriel.landau · December 12, 2024, 6:03pm

Hi @Aliya_Khalel,

Depending on how WhatsApp behaves at an API level, it's possible the "Scan files upon modification" feature may be firing more than necessary. For example, if WhatsApp is repeatedly reopening the file each time it needs append a newly-downloaded chunk of the file, this could trigger Defend's malware protection to repeatedly scan the file. On which OS are you encountering this?

Two possible causes come to mind:

Make sure the Endpoint Security SIEM rule is enabled in /app/security/rules/management.

image1645×480 67.8 KB
Your stack has Rule Exceptions for Endpoint alerts. See this explanation: Elastic Security Rule Exceptions vs Endpoint Exceptions - #2 by ferullo

Topic		Replies	Views
Issues with Elastic Agent and Defender? Endpoint Security	7	5134	May 11, 2021
[Solved problem] Endpoint security can not detect malware Endpoint Security elastic-stack-security	4	233	June 11, 2024
Elastic-endpoint installed although defend integration is not applied to policy Endpoint Security	5	408	March 7, 2024
Endgame not detecting malware Endpoint Security	8	1730	December 21, 2021
Elastic Endpoint (Defend) does not seem to report file hashes for writes or modifications Endpoint Security elastic-stack-security	8	104	October 1, 2024

Elastic EDR Problem

Related topics