The Linux EDR sensor is composed of the core daemon (cfsvcd) and plugins. The daemon is responsible for core capabilities, whereas plugins provide specific, targeted capabilities.
Plugins are obtained dynamically from Red Canary’s Cloud once the sensor has been installed and the daemon is running successfully. The daemon uses the plugins as needed.
Plugins can be enabled or disabled globally by visiting the Endpoints page, under Global Settings.
To override the global plugin settings, or to enable or disable a plugin for an individual endpoint, visit that endpoint’s page.
Plugins are supported in v.1.2.0 and higher. The currently available plugins are:
- Process Memory Integrity (PMI)
- Behavioral Rootkit Detection