Manage Plugins
    • 15 Jul 2024

    The Linux Endpoint Detection and Response (EDR) sensor is composed of the core daemon (cfsvcd) and plugins. The daemon is responsible for core capabilities, whereas plugins provide specific, targeted capabilities.

    Plugins are obtained dynamically from Red Canary’s Cloud once the sensor has been installed and the daemon is running successfully. The daemon uses the plugins as needed.

    Supported versions

    Red Canary supports plugins v1.2.0 and higher, which include the following:

    • Process Memory Integrity (PMI)

    • Behavioral Rootkit Detection

    • Response Actions

    Disable plugins globally

    1. From your Red Canary homepage, click Integrations.

    2. From the menu, select Canary Forwarder (Linux EDR).

    3. A new window opens, displaying enabled and disabled plugins. Click to disable the desired plugins.

    Turn off a specific plugin

    1. From the navigation menu, click Endpoints and select the endpoint you want to change.

    2. Click Disabled for each plugin you wish to turn off.

    Endpoint management

    1. To override Global Plugin Settings, or to enable/disable a plugin for an individual endpoint, click on Endpoints from the navigation menu, and then click on a specific endpoint’s page.

    2. Navigate to the plugins section. Select the option needed for the plugin.

    Note: It is not possible to disable plugin updates at this time.

     

