Protection Mode for Linux Modules


L3 Networker

When configuring Reverse Shell Protection and Malicious Child Process Protection there's an option to configure the protection mode. Default is "normal" but we could choose "aggressive" too.

There's no documentation.

 

Does anyone know the difference of protection modes for these Linux modules?

Is it the same as in the ransomware protection module for Windows?


Accepted Solutions

L5 Sessionator

Hello @micomi,

Greetings for the day.

The configuration of "Normal" and "Aggressive" protection modes for Reverse Shell Protection and Malicious Child Process Protection (C01) on Linux follows the general Cortex XDR logic of balancing detection sensitivity against system stability, though the specific technical implementation differs significantly from the Windows Anti-Ransomware module.

Comparison to Windows Ransomware Protection:

While the labels "Normal" and "Aggressive" are identical to those found in the Windows Ransomware Protection module, the underlying mechanism is not the same.

  • Windows Ransomware Protection: Uses a deception mechanism involving decoy files (honeypots). Aggressive mode increases sensitivity by exposing more applications and folders to these decoy files.
  • Linux Protection Modules: The Linux Reverse Shell and Malicious Child Process modules do not utilize decoy files or honeypots. Instead, they rely on behavioral rules, real-time process monitoring, and kernel-level interception.

Technical Differences in Protection Modes:

In the absence of specific Linux-module documentation, the operational differences are inferred from the general behavior of these settings within the platform:

  • Normal Mode (Default): This mode is optimized for production stability and minimizing false positives. It uses baseline behavioral thresholds and rule sets designed to minimize interference with legitimate applications.
  • Aggressive Mode: This mode increases the security posture by enabling more sensitive detection parameters. While it provides broader coverage against evasive threats, it also carries a higher risk of false positives and may have a greater impact on user experience.

The specific rule thresholds or sensitivity adjustments that differentiate Normal from Aggressive mode for these Linux-specific modules are not publicly documented.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Thanks & Regards,
S. Subashkar Sekar
