Free Linux Endpoint Protection - Sandfly
If you run Linux systems, I highly recommend looking into Sandfly Security for Endpoint Detection and Response (EDR) to protect them. For those unfamiliar with EDR, you can think of it as a more advanced antivirus that is better at detecting compromise through anomalous behavior, and it usually gives you more fine-grained control over what to do about a detection.

Sandfly is free for most homelab/personal use-cases, and is self-hosted. All you need is at least one server and some basic Linux and Docker administration skills.

What I particularly like about Sandfly is that it's designed from the ground up for the way Linux does things, and hence for how attackers will usually try to evade detection and gain persistence on Linux. Most Windows EDRs/AVs, aside from signature-based file scanning, focus heavily on process and in-memory artifact monitoring. This makes sense, as anyone familiar with attacking modern Windows can attest. But of course on Linux, a lot more is done via files, or at least pseudo-files (think about monitoring /proc, for example). Unfortunately, even for EDRs/AVs with Linux versions, the Windows "model" is often mindlessly ported.

If the Windows approach is something like 80/20 process/memory vs. file monitoring, Sandfly is more like 50/50, which is much more appropriate to how Linux does things and how it's usually attacked.
(This post was last modified: 08-18-2023, 07:30 PM by lisitsya. Edit Reason: codeblock rather than inline code not intended )
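The post's point about Linux detection living in files and pseudo-files, as an added example that is not part of the post and is not Sandfly's code: a small /proc audit that flags a running binary that has been unlinked from disk, a binary executing from a memory-backed or world-writable location, and PIDs that answer a direct stat() but are missing from the /proc directory listing (the footprint of a rootkit hooking getdents()). The SUSPICIOUS_PREFIXES list and the SAMPLE_LAYOUT tree are my assumptions, constructed for the example; on a live host the same checks run against the real /proc.

```python
#!/usr/bin/env python3
"""Added example, not Sandfly's code: file-centric Linux process checks via /proc.

For each PID it reads the /proc/<pid>/exe link and flags:
  1. a running binary that has been unlinked from disk ("(deleted)" suffix),
  2. a binary executing from a memory-backed or world-writable path
     (memfd:, /dev/shm, /tmp, /var/tmp),
  3. PIDs that exist on direct lookup but are absent from the /proc listing.
proc_root is a parameter so the same checks can run against a constructed tree.
"""
import os
import tempfile

# Assumption: tuned for a typical server; /tmp and /var/tmp can be noisy on
# build hosts, so treat hits there as leads rather than verdicts.
SUSPICIOUS_PREFIXES = ("/memfd:", "/dev/shm/", "/tmp/", "/var/tmp/")
DELETED_SUFFIX = " (deleted)"


def exe_target(proc_root, pid):
    """Target of /proc/<pid>/exe, or None for kernel threads (ENOENT) and
    processes we may not inspect (EACCES)."""
    try:
        return os.readlink(os.path.join(proc_root, str(pid), "exe"))
    except OSError:
        return None


def classify_exe(target):
    """Findings for one exe link target; an empty list means nothing unusual."""
    findings = []
    if target.endswith(DELETED_SUFFIX):
        findings.append("exe deleted from disk")
        target = target[: -len(DELETED_SUFFIX)]
    if target.startswith(SUSPICIOUS_PREFIXES):
        findings.append("exe in memory-backed or world-writable path")
    return findings


def listed_pids(proc_root):
    """PIDs as reported by readdir(/proc), i.e. what ps/top would see."""
    return sorted(int(d) for d in os.listdir(proc_root) if d.isdigit())


def hidden_pids(proc_root, listed, pid_max):
    """PIDs whose directory exists on direct lookup but not in the listing.
    A process started between the two calls would be a false positive, so a
    candidate is only reported if a fresh listing still omits it."""
    seen = set(listed)
    candidates = [
        pid for pid in range(1, pid_max + 1)
        if pid not in seen and os.path.isdir(os.path.join(proc_root, str(pid)))
    ]
    if not candidates:
        return []
    recheck = set(listed_pids(proc_root))
    return [pid for pid in candidates if pid not in recheck]


def audit_proc(proc_root="/proc", pid_max=None):
    """Return {pid: [findings]} for every process that trips a check."""
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
    report = {}
    listed = listed_pids(proc_root)
    for pid in listed:
        target = exe_target(proc_root, pid)
        if target is None:
            continue  # kernel thread, or not ours to read
        findings = classify_exe(target)
        if findings:
            report[pid] = findings
    for pid in hidden_pids(proc_root, listed, pid_max):
        report.setdefault(pid, []).append("pid hidden from /proc listing")
    return report


# Constructed sample tree standing in for /proc: PID -> exe link target.
# 100 is benign, 200 runs an unlinked binary, 300 is a memfd payload,
# 400 executes from /dev/shm, 500 mimics a kernel thread with no exe link.
SAMPLE_LAYOUT = {
    100: "/usr/bin/sleep",
    200: "/opt/agent/updater (deleted)",
    300: "/memfd:payload (deleted)",
    400: "/dev/shm/.x",
    500: None,
}


def build_sample_proc(root, layout=SAMPLE_LAYOUT):
    """Materialise the constructed layout as directories and symlinks."""
    for pid, target in layout.items():
        pid_dir = os.path.join(root, str(pid))
        os.makedirs(pid_dir)
        if target is not None:
            os.symlink(target, os.path.join(pid_dir, "exe"))
    os.makedirs(os.path.join(root, "self"))  # non-numeric entries are skipped
    return root


def run_sample():
    """Audit the constructed tree and return the findings dict."""
    return audit_proc(build_sample_proc(tempfile.mkdtemp()), pid_max=600)


if __name__ == "__main__":
    for pid, findings in sorted(run_sample().items()):
        print(f"pid {pid}: {'; '.join(findings)}")
    # On a live host: audit_proc("/proc"), as root so every exe link is readable.
```

Run it as root on a real host, since /proc/<pid>/exe is only readable for your own processes otherwise; the hidden-PID sweep costs one stat() per PID up to pid_max, which is acceptable for a periodic check but not for a tight loop.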
Messages In This Thread
Free Linux Endpoint Protection - Sandfly - by lisitsya - 08-18-2023, 07:29 PM