Endpoint Detection and Response (EDR) is an integrated endpoint security solution that uses telemetry data to detect, analyze, and remediate cyber threats. Powered by Malwarebytes ThreatDown, EDR stops attacks against workstations and servers with security that catches what other solutions miss.

This article applies to all Endpoint Detection and Response customers.

What is Endpoint Detection and Response?

Endpoint Detection and Response (EDR) encompasses cybersecurity tools designed to continuously monitor and address threats targeting endpoint devices in real-time. These endpoints include any network-connected devices, such as computers, servers, mobile devices, and IoT gadgets. EDR solutions are critical in detecting, analyzing, and neutralizing malicious activities on these devices.

Core Functionalities

EDR utilizes multiple solutions to provide a complete package for the security of your endpoints and servers. This includes:

  • Continuous Monitoring: Constant data collection from endpoints. This includes file activity, network connections, process executions, and system registry changes.
  • Analytics: Using AI and machine learning, EDR analyzes collected data to identify anomalies that may indicate malicious activity.
  • Threat Detection: Identification of potential threats, including zero-day vulnerabilities.
  • Automated Response: EDR can automatically respond to discovered threats, including quarantining files and isolating infected devices.

What is the difference between Endpoint Detection and Response (EDR) and Endpoint Protection (EPP) services?

EDR and EPP differ in how they approach securing devices. EDR is a solution designed to detect, investigate, and respond to advanced threats in real-time. It provides comprehensive visibility into endpoint activities, enabling security teams to analyze the scope and nature of an attack. By leveraging behavioral analysis and machine learning techniques, EDR can identify known threats, zero-day vulnerabilities, fileless attacks, and other advanced threats. It also offers tools for incident response, such as isolating infected devices or rolling back malicious changes.

In contrast, signature-based endpoint protection relies on predefined threat signatures to detect and block malicious activities. It compares files or processes against a database of known malware patterns. While effective at preventing known threats, this method can miss new or evolving malware for which no signature yet exists. Its primary focus is prevention rather than investigation or post-attack response.

How to access Endpoint Detection and Response

EDR can be accessed in TeamViewer Remote or via the web app on the Remote Management tab, under the Endpoint Protection section.

How to view a specific device's protection status

The recommended method to access a specific device's status is through the device drawer. This is done by clicking the device name on the Device tab of TeamViewer Remote or within the device list.

The drawer will open on the right; select the tab with a shield and checkmark to access the EDR information for the device. The EDR device drawer provides the basic information for the device; this includes:

  • Policy applied
  • Malwarebytes device name and group
  • Detections
  • Suspicious activity


EDR is broken down into the following sections:

  • Devices
  • Detections
  • Quarantine
  • Suspicious Activity
  • Reporting

Each section is described below:

Devices

The Devices tab lists all devices along with the following information:

  • Nebula Name
  • Group
  • Device Status
  • Status
  • Last Scan date
  • Last Seen date

Any device requiring attention will show Need attention as the device status.

Detections

The Detections tab provides an overview of all threats detected on your endpoints. All files in the Detections tab have been identified, analyzed, and responded to in real-time, minimizing potential damage.

In the event of a false positive, you can automatically create an exclusion by selecting the threat and clicking +Create Exclusion.

The following information is provided about each threat:

  • Status
  • Category
  • Threat
  • Device and Device group
  • Scan date

Clicking on the threat status brings up the threat drawer, which provides more insight into the detection. This includes:

  • Executable/File detected
  • Path
  • Filetype
  • Action Taken
  • Threat Category
  • Device Group
  • Scanned at/Reported at timestamps

Files that have been quarantined can be restored or deleted via the threat drawer as well.

Quarantine

Quarantined files are detections that matched a signature or other threat indicator and were moved to quarantine; some of them may be false positives. If a potential threat has been quarantined, this tab allows you to restore or delete the file.

Suspicious Activity

Suspicious Activity watches for potentially malicious behavior by monitoring the processes, registry, file system, and network activity on the endpoint. Suspicious Activity Monitoring uses machine learning models and cloud-based analysis to detect when questionable activity occurs.

Please note that not all detected activity is guaranteed to be malicious; benign system operations can also trigger some detections, so each Suspicious Activity entry should be reviewed before action is taken.
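To make the difference between the signature-based approach described earlier and the behavioral monitoring described here concrete, the following is an added example written for this article; it is not TeamViewer or Malwarebytes ThreatDown code and does not reflect how ThreatDown's engines actually work internally. It runs two toy engines over a small set of constructed endpoint events: a signature engine that only matches known file hashes, and a behavioral engine that correlates process, registry, and network events per process. It also shows how an excluded image name suppresses a benign detection, mirroring the Create Exclusion workflow from the Detections section, and why benign activity such as an installer writing an autorun key can trigger a rule. The event schema, rule names, hashes, paths, and addresses are all hypothetical.

```python
"""Toy comparison of signature-based and behavioral endpoint detection.

Constructed example for illustration only. The telemetry schema, hashes,
rule names and paths are hypothetical and unrelated to any real product.
"""
from dataclasses import dataclass

# Hypothetical signature database: a set of known-bad file hashes (placeholders).
KNOWN_BAD_HASHES = {"aaaa1111"}

@dataclass
class Event:
    kind: str            # "process", "registry" or "network"
    host: str
    pid: int
    image: str           # full path of the executable
    parent_image: str = ""
    file_hash: str = ""  # only set on "process" events
    key: str = ""        # registry key, only on "registry" events
    remote: str = ""     # remote endpoint, only on "network" events

@dataclass
class Detection:
    engine: str          # "signature" or "behaviour"
    rule: str
    host: str
    pid: int
    image: str

def signature_scan(events):
    """EPP-style check: flag any process whose file hash is in the signature set."""
    return [Detection("signature", "known-bad-hash", e.host, e.pid, e.image)
            for e in events
            if e.kind == "process" and e.file_hash in KNOWN_BAD_HASHES]

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
OFFICE_APPS = {"winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe"}

def behaviour_scan(events, exclusions=frozenset()):
    """EDR-style check: group events by process and flag suspicious sequences.

    Two hypothetical rules:
      office-spawns-script-host: a document editor launched a script interpreter
                                 which then opened a network connection
      run-key-persistence:       a process wrote an autorun registry value
    `exclusions` holds image names whose run-key writes an analyst has reviewed
    and accepted, modelling the "create exclusion" step for false positives.
    """
    by_pid = {}
    for e in events:
        by_pid.setdefault((e.host, e.pid), []).append(e)

    findings = []
    for (host, pid), evs in by_pid.items():
        proc = next((e for e in evs if e.kind == "process"), None)
        if proc is None:
            continue  # no process-start event, nothing to attribute
        name = proc.image.rsplit("\\", 1)[-1].lower()
        parent = proc.parent_image.rsplit("\\", 1)[-1].lower()
        made_network = any(e.kind == "network" for e in evs)
        wrote_run_key = any(e.kind == "registry" and e.key == RUN_KEY for e in evs)
        if parent in OFFICE_APPS and name in SCRIPT_HOSTS and made_network:
            findings.append(Detection("behaviour", "office-spawns-script-host",
                                      host, pid, proc.image))
        if wrote_run_key and name not in exclusions:
            findings.append(Detection("behaviour", "run-key-persistence",
                                      host, pid, proc.image))
    return findings

# Constructed telemetry from one workstation; none of these hashes is real.
SAMPLE_EVENTS = [
    Event("process", "ws01", 100, r"C:\Program Files\Office\winword.exe",
          parent_image=r"C:\Windows\explorer.exe", file_hash="cafe0001"),
    Event("process", "ws01", 200, r"C:\Windows\System32\powershell.exe",
          parent_image=r"C:\Program Files\Office\winword.exe", file_hash="cafe0002"),
    Event("network", "ws01", 200, r"C:\Windows\System32\powershell.exe",
          remote="203.0.113.10:443"),
    Event("process", "ws01", 300, r"C:\Temp\update.exe",
          parent_image=r"C:\Windows\explorer.exe", file_hash="aaaa1111"),
    # A legitimate installer registering itself to start at logon: benign,
    # but indistinguishable from persistence without an exclusion.
    Event("process", "ws01", 400, r"C:\Program Files\Vendor\setup.exe",
          parent_image=r"C:\Windows\explorer.exe", file_hash="cafe0004"),
    Event("registry", "ws01", 400, r"C:\Program Files\Vendor\setup.exe", key=RUN_KEY),
]

def summarize(events, exclusions=frozenset()):
    """Return {rule_name: [pids]} across both engines for side-by-side comparison."""
    out = {}
    for d in signature_scan(events) + behaviour_scan(events, exclusions):
        out.setdefault(d.rule, []).append(d.pid)
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
    print(summarize(SAMPLE_EVENTS, exclusions={"setup.exe"}))
```

The signature engine sees only the process with the listed hash (pid 300) and nothing else, while the behavioral engine catches the unsigned script-host chain (pid 200) and also raises the installer's autorun write (pid 400). The second call shows the reviewed false positive disappearing once the installer's image name is excluded, without loosening the rule for every other process.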

How to export reports

Endpoint Detection and Response provides a multitude of reports that provide the information you need when you need it. To create a report, navigate to the reporting tab of Endpoint Protection and select +Create report in the upper left corner.

Create a name for the report, and select the type of report required. Next, input the desired time zone and click Continue.

If you want the report to be created automatically, enter the desired schedule (monthly, daily, or weekly). You can also set it to on-demand only to run when needed.

Set the desired reporting period - the dates to be included in the report. You can set a pre-defined period for each report or manually enter the periods each time you run the requested report.

In the final step, add the recipients to receive the report. Click Create to finalize and run the initial report.

Generate and send report

Whether a report is scheduled or on-demand, you can run it at any time by selecting it and clicking ↻ Generate and Send.