EDR traces in Monitoring show proxy information instead of the DNS address that the process tried to reach
Last Modified: 2022-09-29 12:39:10 Etc/GMT
Technical Articles ID: KB96024
Environment
MVISION EDR
Summary
EDR shows traffic ending at the proxy instead of at the actual destination.
Problem
When you open EDR Monitoring and select a process, the process timeline shows that network activity reaches the proxy level instead of the expected DNS address. Open Device Search and select any device process. You see the final network connection as the proxy address instead of the DNS address.
Solution
This behavior is as designed. EDR sits on the endpoint and inspects the IP packets that originate from the host. Because the endpoint communicates through a proxy, DNS requests aren't made on the endpoint but rather behind the proxy, so EDR has no way to determine the final IP address. When direct communication is allowed and a DNS request is made, EDR can detect the communication and shows it in Monitoring.

To request a change in how EDR operates, follow the Product Enhancement Request process:
To submit a new product idea, go to the Enterprise Customer Product Ideas page.
Click Sign In and enter your ServicePortal User ID and password. If you do not yet have a ServicePortal or Community account, click Register to register for a new account on either website.
For more information about product ideas, see KB60021 - How to submit a Product Idea.
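Because name resolution happens behind the proxy, the real destination of a proxied connection is recorded in the proxy's own access log rather than in EDR. The following added example (not part of the original article and not Trellix code) joins EDR network events to proxy log records by client IP, source port and time; the event fields, the log format with a client source port, and all sample values are constructed assumptions.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed EDR events: every destination is the proxy, as the article describes.
EDR_EVENTS = [
    {"ts": "2022-09-29T12:00:01", "host_ip": "10.0.0.5", "process": "updater.exe",
     "src_port": 50111, "dst": "10.0.0.250:8080"},
    {"ts": "2022-09-29T12:00:02", "host_ip": "10.0.0.5", "process": "browser.exe",
     "src_port": 50112, "dst": "10.0.0.250:8080"},
    {"ts": "2022-09-29T12:05:00", "host_ip": "10.0.0.9", "process": "sync.exe",
     "src_port": 50200, "dst": "10.0.0.250:8080"},
]

# Constructed proxy log in a hypothetical format: time client_ip:port method target
PROXY_LOG = """\
2022-09-29T12:00:01 10.0.0.5:50111 CONNECT updates.example.com:443
2022-09-29T12:00:03 10.0.0.5:50112 GET http://www.example.org/index.html
malformed line
"""

def parse_proxy_log(text):
    """Index proxy records by (client_ip, client_port); skip malformed lines."""
    index = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ip, _, port = parts[1].rpartition(":")
        try:
            key, ts = (ip, int(port)), datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        index.setdefault(key, []).append((ts, parts[3]))
    return index

def destination_host(target):
    """Host from 'host:port' (CONNECT) or from an absolute URL (plain HTTP)."""
    return urlsplit(target).hostname if "://" in target else target.rsplit(":", 1)[0]

def enrich(events, index, window=timedelta(seconds=5)):
    """Attach the proxy-side destination; None when no record is close in time."""
    out = []
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        # Source ports are reused, so only accept records inside the time window.
        near = [(abs(t - ts), tgt) for t, tgt in
                index.get((ev["host_ip"], ev["src_port"]), []) if abs(t - ts) <= window]
        out.append({**ev, "real_destination": destination_host(min(near)[1]) if near else None})
    return out
```

An event that stays at `None` has no proxy record near its timestamp, which points to a logging gap or clock skew between the endpoint and the proxy.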