When I look at fields in the endpoint* datasets, the fields file.hash.* are not populated. I see process.hash.* on events in the dataset endpoint.events.process, but no file hashes for file write / modify events.
This is a super common feature of any EDR that I know, so I was wondering if this could be a misconfiguration or bug, or if Elastic Endpoint simply can't report file hashes of files that were interacted with on the endpoint.
I don't know how to export my endpoint policy via API, but here are some details.
Elastic Agent Version: 8.14.1
Protected Endpoint OS: Windows Server 2019, Windows 10, Ubuntu Linux
For performance reasons, Endpoint does not populate hashes for file events. Hash computation is a very I/O- and CPU-intensive action. Reading and hashing every file modified on the system can significantly impact system responsiveness. This becomes especially noticeable when the system is performing heavy I/O, which is usually correlated with file event generation.
Sure thing. I filed a feature request in our public Endpoint repo. Please feel free to comment on it. I can't guarantee that our engineering/product teams will prioritize it, but at least you can follow the issue to track progress.
Although I am wondering - if Elastic Agent doesn't ever compute the hashes of files, how can it enforce Blocklist entries? Do these only apply to executed files? This would mean that I couldn't effectively block the hash of a malicious .js file, since the executed file in this case would be wscript.exe, not the .js file.
Do you maybe have some insight why other solutions routinely have file hashes available? Do they use an entirely different architecture, or do they just accept the performance impact without giving the customer a choice about it?
That's correct. The blocklist is an extension of malware protection, which protects against malicious executables. On Windows, this means PE files.
Per our policy docs:
The blocklist allows you to prevent specified applications from running on hosts, extending the list of processes that Elastic Defend considers malicious.
The feature is actually a bit broader than that. Malware protection also protects against other PE files such as DLLs and driver (SYS) files.
Thank you. We'll take that into account when discussing this feature. It's important to understand that regardless of whether MDE spends CPU and I/O to hash files, adding them to Endpoint will dramatically increase its CPU and I/O usage in common heavy-system-load scenarios such as directory copies and compilation. Every file created must be re-read into memory then hashed, effectively doubling I/O and spiking CPU right when the system needs those resources. That means the user's foreground activity can be adversely affected, leading to upset [and potentially lost] customers. Making the feature opt-in can avoid these problems for most users, while providing the functionality for users who want it, which is why I'm requesting that approach.
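To make the scope discussed above concrete, here is an added Python example (not Elastic's code) that hashes only files carrying a PE header, the EXE/DLL/SYS scope that malware protection and the blocklist cover, and contrasts the bytes re-read against hashing every file write; the file events, paths, the `HEADER_PEEK` limit and helper names are constructed for illustration.

```python
import hashlib
import struct

HEADER_PEEK = 0x200  # bytes to sniff for a PE header (constructed limit)

def is_pe(data: bytes) -> bool:
    """True if data has an MZ DOS header and a 'PE\\0\\0' signature at e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def make_fake_pe(payload: bytes = b"\x00" * 16) -> bytes:
    """Build a minimal, non-loadable byte string that passes the PE header check (constructed)."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew: PE signature right after the DOS header
    return bytes(hdr) + b"PE\0\0" + payload

# Constructed sample file-write events (path, contents); not real Endpoint telemetry.
FILE_EVENTS = [
    ("C:\\Users\\dev\\build\\app.exe", make_fake_pe()),
    ("C:\\Users\\dev\\build\\helper.dll", make_fake_pe(b"\x01" * 8)),
    ("C:\\Users\\dev\\scripts\\run.js", b"WScript.Echo('hello');\r\n"),
    ("C:\\Users\\dev\\notes.txt", b"meeting notes\n" * 50),
]

def hash_file_events(events, pe_only=True):
    """Return ({path: sha256}, bytes_read). pe_only=True mirrors the blocklist scope:
    only files with a PE header are fully read and hashed, so the .js file gets no hash.
    pe_only=False is the "hash every file write" behaviour the thread says doubles I/O:
    every written file is read back in full. The small HEADER_PEEK sniff is not counted."""
    hashes, bytes_read = {}, 0
    for path, data in events:
        if pe_only and not is_pe(data[:HEADER_PEEK]):
            continue
        bytes_read += len(data)
        hashes[path] = hashlib.sha256(data).hexdigest()
    return hashes, bytes_read

if __name__ == "__main__":
    for mode in (True, False):
        hashes, read = hash_file_events(FILE_EVENTS, pe_only=mode)
        print(f"pe_only={mode}: hashed {len(hashes)} of {len(FILE_EVENTS)} files, read {read} bytes")
```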