Wait for minidump exfiltration before re-enabling the EDR's capabilities #28
Labels: enhancement (New feature or request), good first issue (Good for newcomers), help wanted (Extra attention is needed)
Currently, the Minifilter unhooking allows file operations to be carried out without being bothered by the EDR. This means that after process dumping, writing the minidump file to disk will not trigger the EDR's analysis.
However, after the file is written, the default behavior of EDRSandblast is to revert all changes that impaired the EDR before exiting; thus, when trying to access the minidump file afterward (for extraction to an unmonitored machine, or for deletion), the EDR's code might be triggered and the file analyzed, potentially triggering an alert.
It could be very useful to implement a CLI option (`--wait-for-dump-exfiltration`?) that changes the behavior of EDRSandblast so that, after writing the minidump file, the execution of EDRSandblast is paused until the file has "disappeared" (copied and removed by another method); then execution resumes and the EDR's hooks are restored.
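The following is an added sketch of the requested behaviour, written for this page; it is not EDRSandblast's code and none of the names in it (`wait_for_dump_exfiltration`, `dump_then_restore`, `restore_edr_hooks`, `write_placeholder_dump`) exist in the project. The "minidump" it writes is constructed filler, and the hook restoration is a stub that only records that it ran. It also adds one thing the issue does not ask for, a bounded timeout, because a tool that blocks forever with the EDR impaired is worse than one that restores the hooks and leaves the file for the operator to handle. The existence check and sleep are wrapped so the same code builds on Windows and POSIX.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <io.h>
bool file_exists(const char *path) { return _access(path, 0) == 0; }
static void sleep_ms(unsigned ms) { Sleep(ms); }
#else
#include <time.h>
#include <unistd.h>
bool file_exists(const char *path) { return access(path, F_OK) == 0; }
static void sleep_ms(unsigned ms) {
    struct timespec ts = { ms / 1000, (long)(ms % 1000) * 1000000L };
    nanosleep(&ts, NULL);
}
#endif

/* Outcome of the dump-then-restore sequence. */
typedef enum {
    DUMP_WRITE_FAILED,      /* nothing written, nothing to wait for */
    RESTORED_IMMEDIATELY,   /* default behaviour: hooks restored right after the write */
    RESTORED_AFTER_EXFIL,   /* waited, file disappeared, then hooks restored */
    RESTORED_AFTER_TIMEOUT  /* waited, file still present; hooks restored anyway */
} restore_outcome_t;

/* Stand-in for the minidump write (hypothetical). The content is constructed
   filler, not a real minidump. */
static bool write_placeholder_dump(const char *path) {
    static const unsigned char filler[] =
        "MDMP placeholder (constructed sample, not a real minidump)";
    FILE *f = fopen(path, "wb");
    if (!f) return false;
    size_t n = fwrite(filler, 1, sizeof filler, f);
    return fclose(f) == 0 && n == sizeof filler;
}

/* Stand-in for reverting the EDR-impairing changes (hypothetical); only counts calls. */
static int g_hooks_restored = 0;
static void restore_edr_hooks(void) { g_hooks_restored++; }
int hooks_restored_count(void) { return g_hooks_restored; }

/* Poll until the file at `path` no longer exists, i.e. the operator has copied it
   off the host and deleted it, or until `timeout_ms` elapses.
   Returns true if the file disappeared, false on timeout. */
bool wait_for_dump_exfiltration(const char *path, unsigned poll_ms, unsigned timeout_ms) {
    unsigned waited = 0;
    while (file_exists(path)) {
        if (waited >= timeout_ms) return false;
        sleep_ms(poll_ms);
        waited += poll_ms;
    }
    return true;
}

/* Hypothetical orchestration: write the dump, optionally block until it has been
   exfiltrated, then restore the hooks. With wait_for_exfil == false this is the
   default behaviour described in the issue (hooks restored right after the write). */
restore_outcome_t dump_then_restore(const char *path, bool wait_for_exfil, unsigned timeout_ms) {
    if (!write_placeholder_dump(path)) return DUMP_WRITE_FAILED;
    restore_outcome_t outcome = RESTORED_IMMEDIATELY;
    if (wait_for_exfil) {
        outcome = wait_for_dump_exfiltration(path, 10, timeout_ms)
                      ? RESTORED_AFTER_EXFIL
                      : RESTORED_AFTER_TIMEOUT;
    }
    restore_edr_hooks();
    return outcome;
}

int main(void) {
    const char *path = "wait_demo.dmp";
    /* Short timeout for the demo; a real run would wait far longer. */
    restore_outcome_t r = dump_then_restore(path, true, 2000);
    printf("outcome=%d hooks_restored=%d file_still_present=%d\n",
           (int)r, hooks_restored_count(), (int)file_exists(path));
    remove(path);
    return 0;
}
```

Whatever the outcome, the hooks are restored on every path, including timeout, so the operator never ends up with the EDR left impaired because the wait was abandoned; the timeout case simply reports that the file is still on disk and must be dealt with by hand.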