EDR: What Known Modloads are Filtered when the Feature is Enabled?
Article ID: 285238
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
What 'known modloads' are filtered when the feature is enabled to improve performance and retention?
Environment
- EDR: All Primary Servers
- EDR: Sensors
- Mac: All supported versions
- Windows: All supported versions
Resolution
a) For Mac, the dyld_cache entries under /var/db/dyld.
b) For Windows, the known modloads filtered are listed in the registry:
b) For Windows, the known modloads filtered are listed in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs
Additional Information
- Filtering known modloads can be enabled under Sensor Group Settings > Advanced.
- Modloads from the KnownDLLs(Windows) and DYLD_Cache(macOS) will no longer be collected once enabled.
- Enabling the known modloads filter should align with the company security policies.
- Enabling the known modloads should reduce the overall size of future process docs and increase retention.
- All other events are still collected, this setting should have marginal impact on the ability to perform detection.
Feedback
Yes
No
Powered by
