The Linux Endpoint Detection and Response (EDR) sensor is composed of the core daemon (cfsvcd) and plugins. The daemon is responsible for core capabilities, whereas plugins provide specific, targeted capabilities.

Plugins are obtained dynamically from Red Canary’s Cloud, once the sensor has been installed and the daemon is running successfully. The daemon utilizes the plugins as needed.

Supported versions

Red Canary supports plugins v 1.2.0. and higher, which include the following:

• Process Memory Integrity (PMI)
• Behavioral Rootkit Detection
• Response Actions

Disable plugins globally

1. From the navigation menu, click Integrations. 
   
   
2. From your integrations list, click Canary Forwarder (Linux EDR). 
   
   
3. A new window opens, displaying enabled and disabled plugins. Click to disable the desired plugins.
   
   

Endpoint management

1. To override Global Plugin Settings, or to enable/disable a plugin for an individual endpoint, click on Endpoints from the navigation menu, and then click on a specific endpoint’s page.
   
   
2. Navigate to the plugins section. Select the option needed for the plugin.
   
   

Note: It is not possible to disable plugin updates at this time.