FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
dmeeker (Staff)
Description
This article describes the features that application-only mode offers on Linux Collectors, and its limitations.
Scope
Linux Collector 4.5.x, 5.1.1.
Solution

Linux Collector 4.5.1 has two modes of operation:

- kernel

- application-only

 

When the Collector starts, it identifies the Linux kernel running on the machine. If that kernel is supported, the Collector operates in full kernel mode (kernel).

Otherwise, instead of going into a degraded state, the Collector runs as an ordinary Linux user-space application with limited functionality (application-only).

 

The following is a summary of existing Linux Collector versions and their operation modes:

Collector version   App/Kernel          Supported OS
v5.1.1              Adaptive            All supported distributions
v4.5.1              Application/Kernel  CentOS 6, 7, 8; Ubuntu 16.04, 18.04, 20.04
v4.5.0.145+         Application         OpenSUSE, Amazon AMI2, SLES v12, SLES v15, Oracle 8.2+, Oracle 7.7+
v4.5.0.139          Application         OpenSUSE, Amazon AMI2, SLES v15
v4.5.0.137          Application         Oracle 8.2+, Oracle 7.7+
v4.1 and lower      Kernel              CentOS 6, 7, 8; Ubuntu 16.04, 18.04, 20.04

 

Linux Collector application mode features summary:

Main supported functions of the Linux Collector in application mode:

- Pre-execution prevention.

- Communication Control visibility.

- Installation, revision upgrades, uninstallation.

- Analysis: file retrieval.

- IR: file remediation.

 

Known limitations of the Linux Collector in application mode:

1) Communication Control can report connections but cannot block them.

2) IR: device isolation by the Collector is not possible.

3) Forensics visibility is limited.

4) Threat hunting is not possible.

5) Upgrades from a kernel-mode Collector (v3.1 or v4.1) to an application-only v4.5 build are not possible.

6) Hardening (self-protection) of the Collector files is not possible.

7) The Request Custom Installers feature in the Manager Console is not available.

 

v5.1.1 What's Included:

- This Collector version can run on any supported Linux distribution: CentOS/RHEL, Ubuntu, Oracle, AMI, and SLES. It is listed as Adaptive above because it selects kernel or user-space (application) mode at start-up, according to whether the running kernel is supported.

- Threat hunting data collection is available in user-space mode.

- FortiEDR Linux kernel modules are signed.
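The mode decision described earlier (supported kernel: kernel mode, otherwise application mode) and the signed-module note above both matter at rollout time: a kernel that enforces module signatures (sig_enforce=1, typically under Secure Boot) refuses an unsigned module, so kernel mode would fail even on a supported kernel. The following pre-install check is an added example, not FortiEDR's own code or tooling. The module name and the list of supported kernel version prefixes are assumptions; take both from your Collector package and its release notes.

```shell
#!/bin/sh
# Added example, not FortiEDR's own code: a pre-install check that mirrors the
# article's rule (supported kernel -> kernel mode, otherwise application mode)
# and adds the Linux fact that a kernel enforcing module signatures refuses an
# unsigned module. Module name and supported-kernel list are ASSUMPTIONS;
# take both from your Collector package and release notes.

# "yes" if the running kernel version ($1, as printed by `uname -r`) begins
# with one of the supported version prefixes in $2 (space-separated).
kernel_supported() {
    kver=$1
    for p in $2; do
        case "$kver" in "$p"*) echo yes; return 0 ;; esac
    done
    echo no
}

# Succeeds (exit 0) when modinfo-style text on stdin carries a signature:
# signed modules show non-empty "signer:" and "sig_key:" fields.
module_is_signed() {
    grep -Eq '^(signer|sig_key):[[:space:]]*[^[:space:]]+'
}

# Module-signature enforcement of the running kernel as exposed by sysfs:
# "1" = unsigned modules refused, "0" = allowed, "unknown" = parameter absent.
sig_enforce_state() {
    f=/sys/module/module/parameters/sig_enforce
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# Expected outcome from: kernel_supported (yes/no), sig_enforce (0/1/unknown),
# module_signed (yes/no). "blocked" means kernel mode was expected but the
# kernel will not load the unsigned module, so investigate before rollout.
expected_mode() {
    if [ "$1" != yes ]; then
        echo application
    elif [ "$2" = 1 ] && [ "$3" != yes ]; then
        echo blocked
    else
        echo kernel
    fi
}

# Live usage (uncomment on a host; MODULE is an assumed placeholder name and
# SUPPORTED a placeholder list, both to be taken from the Collector package):
# MODULE=fortiedr_collector_module_assumed
# SUPPORTED="3.10.0 4.15.0 5.4.0"
# if modinfo "$MODULE" 2>/dev/null | module_is_signed; then s=yes; else s=no; fi
# expected_mode "$(kernel_supported "$(uname -r)" "$SUPPORTED")" "$(sig_enforce_state)" "$s"
```

The functions are kept separate so each can be checked with constructed input: feed `module_is_signed` a captured `modinfo` listing, and pass `expected_mode` the three answers directly. A `blocked` result on a v4.5.x build (whose modules are not listed as signed) is the case to catch before a fleet-wide deployment on Secure Boot hosts.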

 

 
