<html><head><style>body{font-family:Helvetica,Arial;font-size:13px}</style></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">On May 14, 2015 at 9:28:43 AM, Anton Chuvakin (<a href="mailto:anton@chuvakin.org">anton@chuvakin.org</a>) wrote:</div> <blockquote type="cite" class="clean_bq"><span><div><div></div><div>
<title></title>
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">On Mon, May 11, 2015 at 12:20 PM, Dave
Aitel <span dir="ltr"><<a href="mailto:dave@immunityinc.com" target="_blank">dave@immunityinc.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><br>
And I don't know any modern HIDS company willing to offer a
solution that they would claim is resilient against an attacker who
already has access to the platform and can prepare
counter-measures. This is, as the NSA might put it, a "somewhat
challenging problem to attack".<span><font color="#888888"><br>
<br></font></span></div>
</blockquote>
<div><br></div>
<div>You know, this question bugged me all the time while I was
researching what we now call "the EDR space." How can those agents
co-exist with "advanced" attacker on the same endpoint and still
deliver useful telemetry? It turned out that SOME of the
vendors have in fact thought about it long and hard, and the list
of tricks they use to keep reporting from the owned endpoint is
long indeed. On the other hand, sad hilarity ensues when some
formerly IT ops focused endpoint agents are repurposed for "APT
IR"....<br></div>
<div><br></div></div></div></div></div></div></span></blockquote>Exactly - one of the big EDR vendors told me their product was a “rootkit” at RSA 2014.<div><br></div></body></html>