TDR Host Sensor Details
This topic provides details on how each Host Sensor functions. Each Host Sensor collects forensic data from the host and sends it to the Threat Detection and Response cloud for analysis. Forensic data includes information related to files, processes, network connections, and registry keys on the host.
You can configure Host Sensors to simply report security threats or to take action to fix certain types of security threats based on the Host Sensor settings.
On the Host Sensor settings page, users with an Administrator or Analyst role can configure the default Host Sensor settings for all Host Sensors in a TDR account.
One Host Sensor setting that is not on the Host Sensor Settings page is the Age Off For Quarantined Files setting. Analysts can configure this setting in the Host Sensors configuration page. For more information, go to Configure the Age Off For Quarantined Files.
For deployment best practices, go to TDR Deployment Best Practices.
Host Sensor Settings

Enable this setting to send events when:
- Files are created and deleted
- Processes are created and deleted
- Registry creations, modifications, and deletions occur
If you disable this setting, Threat Detection and Response might not be able to identify some malware in real time.
If Allow Events on Host Sensors is turned off, the Host Ransomware Prevention Mode on Host Sensors will be set to OFF, since it cannot function without events.

This drop-down list controls the Host Ransomware Prevention feature. The options are:
- Off - Turn the feature off.
- Detect - Identify processes and files that exhibit malicious behavior and report them to the user interface for manual intervention. This setting can still leave the machine vulnerable to these threats, since it may be too late to manually intervene.
- Prevent - Host Sensors detect, and then automatically kill processes and quarantine files that exhibit malicious behavior so that ransomware does not take over the system. Host Sensors report this to your Threat Detection and Response account as an indicator that is already mitigated (score of 1). If you select Prevent, the Host Sensor takes automatic action to prevent ransomware even if the host is not connected to the Internet or cannot communicate with your TDR account.
If Allow Events on Host Sensors is turned off, the Host Ransomware Prevention Mode on Host Sensors will be set to OFF, since it cannot function without events.

Enable machine learning to control whether the Host Sensor kills processes and quarantines files that exhibit malicious behavior based on machine learning.
If you disable this setting, the Host Sensor does not take actions based on HRP machine learning, but HRP detection and prevention is still active, if it is enabled.

Enable the Host Sensors to scan files and processes to determine the heuristics for those files and processes.
If you disable this setting, Threat Detection and Response might not be able to identify some files and processes that exhibit the characteristics of malware.

Disable this setting to improve the performance of the Host Sensor if your system performance is slow. Turn off this setting first when troubleshooting.

Enable this setting to allow Host Sensors to perform baselines (process, directory, registry, and netstat) when they first come up.
If you disable this setting, it could prevent Threat Detection and Response from flagging some files and processes that exhibit the characteristics of malware.

This setting enables the HTTP(S) Proxy APT Zero-Day Mitigation feature and the Process + Network Indicator. When this is enabled, Host Sensors will cache File Event Metadata for up to 20 minutes. This allows time for APT Blocker to analyze suspicious files and respond, or for the Host Sensor to find a process reported by the network. If action needs to be taken to remediate a file, the Host Sensor data provides the location of the file, even if it has been moved or copied within that timeframe.
This feature is only compatible with Fireware v12.1.3 Update 2 for XTMv or Fireware v12.4 and higher for Firebox M Series and T Series models.
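To make the 20-minute metadata window concrete, here is an added illustrative model (not WatchGuard code) of a cache keyed by file hash that follows create, rename and copy events, so a remediation request that arrives minutes after the original download still resolves to the file's current locations, and entries age out after the window. The event stream, hash and paths are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

CACHE_TTL_SECONDS = 20 * 60  # metadata kept for up to 20 minutes (per the setting)


@dataclass
class FileEvent:
    ts: int             # seconds; constructed values in demo()
    kind: str           # "create", "rename", "copy" or "delete"
    sha256: str         # content hash reported with the event
    path: str           # path the event applies to
    new_path: str = ""  # destination for rename/copy


class FileEventCache:
    """Hypothetical model: hash -> {current path: time of last event}."""

    def __init__(self, ttl=CACHE_TTL_SECONDS):
        self.ttl = ttl
        self._locations = defaultdict(dict)

    def observe(self, ev):
        paths = self._locations[ev.sha256]
        if ev.kind == "create":
            paths[ev.path] = ev.ts
        elif ev.kind == "rename":      # file leaves the old path entirely
            paths.pop(ev.path, None)
            paths[ev.new_path] = ev.ts
        elif ev.kind == "copy":        # original stays, a second copy appears
            paths[ev.path] = ev.ts
            paths[ev.new_path] = ev.ts
        elif ev.kind == "delete":
            paths.pop(ev.path, None)

    def locate(self, sha256, now):
        """Paths still holding the file whose metadata has not aged out."""
        fresh = {p: t for p, t in self._locations.get(sha256, {}).items()
                 if now - t <= self.ttl}
        self._locations[sha256] = fresh  # drop entries past the window
        return sorted(fresh)


SUSPECT = "constructed-sha256-of-suspicious-file"


def demo():
    """Verdict arrives 5 minutes after the download, then again after 33 minutes."""
    cache = FileEventCache()
    for ev in [  # constructed event stream from one host
        FileEvent(0, "create", SUSPECT, r"C:\Users\a\Downloads\report.exe"),
        FileEvent(90, "rename", SUSPECT, r"C:\Users\a\Downloads\report.exe", r"C:\Temp\report.exe"),
        FileEvent(120, "copy", SUSPECT, r"C:\Temp\report.exe", r"D:\share\report.exe"),
    ]:
        cache.observe(ev)
    return cache.locate(SUSPECT, now=300), cache.locate(SUSPECT, now=2000)
```

The first lookup finds both current copies (the original Downloads path is gone after the rename); the second, past the 20-minute window, finds nothing, which is the point of the retention limit.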
Host Sensor Tamper Prevention Settings

Disable this setting to allow users with appropriate permissions to stop the Host Sensor service.

Disable this setting to allow users with appropriate permissions to uninstall the Host Sensor.
Host Sensor Driver Configuration Settings
The Kernel space is the area of virtual memory that runs the operating system and is separate from the area of virtual memory that runs processes used by user programs.

Enable this setting to use kernel space functionality to watch for process events on the Host Sensor.
If you disable this setting, user space code will be used.

Enable this setting to use kernel space functionality to watch for file events on the Host Sensor.
If you disable this setting, user space code will be used.

Enable this setting to use kernel space functionality to watch for registry events on the Host Sensor.
If you disable this setting, user space code will be used.

Enable this setting to use kernel space functionality to execute kill process actions (both manual and automated) from the Threat Detection and Response system.
If you disable this setting, user space code will be used.

Enable this setting to use kernel space functionality to execute delete file actions (both manual and automated) from the Threat Detection and Response system.
If you disable this setting, user space code will be used.

Enable this setting to use host containment functionality (both manual and automated) from the Threat Detection and Response system.
If you disable this setting, no host containment will be allowed, since this functionality is only available within kernel driver code.

Enable this setting to use kernel space functionality to enumerate file handles that are associated with files that Threat Detection and Response is attempting to quarantine or un-quarantine (both manual and automated).
If you disable this setting, user space code will be used.

Enable this setting to use kernel space functionality to scan modules that are associated with processes.
If you disable this setting, user space code will be used.
Host Sensor Icon Settings

Enable this setting to allow end-users to temporarily pause Host Sensor protection from the Host Sensor Icon. When protection is paused, the Host Sensor does not scan files, processes, or registry entries, and does not send events to the cloud. This also temporarily disables Host Ransomware Prevention.

Enable this setting to notify users when the Host Sensor runs a baseline on their device.

Enable this setting to notify users when the Host Sensor takes remediation actions, such as Quarantine File, Kill Process, and Delete Registry Key, on their device.

Specify in minutes the minimum amount of time Host Sensors should delay before they start to run baselines (process, directory, registry, and netstat). The actual delay is randomly determined as a value between the minimum delay and the maximum delay.
A value of 0 means that no delay occurs.
Default: 0
Min: 0
Max: 240

Specify in minutes the maximum amount of time Host Sensors should delay before they start to run baselines (process, directory, registry, and netstat). The actual delay is randomly determined as a value between the minimum delay and the maximum delay.
A value of 0 means that no delay occurs.
Default: 60
Min: 0
Max: 240

Specify how often baselines run. You can set baselines to run as often as every day or as rarely as every 30 days. The default is 7 days.

Create an authentication key that is used between the Host Sensor and Firebox to confirm the VPN is secure enough to stay connected. To generate the authentication key, type an alphanumeric phrase or password between 10 and 79 characters. Click the generate icon to convert the passphrase to a 36-character UUID.