Comodo Help
Find the desired product help
Xcitium EDR

Xcitium EDR

Comodo EDR Admin Guide

English

Print Help Download Help
Manage EDR Policies
  • Introduction To Comodo EDR
    • Purchase Licenses
    • Login To The Admin Console
  • The Admin Console
  • The Dashboard
  • MSP Dashboard
  • Add Endpoints To EDR
  • View Enrolled Endpoints
  • Manage EDR Policies
  • View Event Details On Endpoints
  • Alerts
  • Investigation
    • Event Search
    • Computer Search
    • Hash Search
    • Process Timeline
  • Appendix 1 - Default Comodo Security Policy Details
  • About Comodo Security Solutions

Manage EDR Policies


  • An EDR policy determines which events will generate an alert for you.
  • There are 7 event categories. You can define specific rules within each category.
  • Xcitium EDR ships with a default security policy that is applied to all enrolled endpoints.
  • You can also create custom policies according to your requirements.
  • Only one policy can be active at a time. You cannot delete the active policy.

Note. EDR policies do not determine which events are logged, they determine which events you receive alerts for. cWatch automatically logs all events and submits suspicious files to Valkyrie for analysis, regardless of EDR policy. This means cWatch will always catch zero-day malware, even if you prefer to disable some alerts in a policy.


You can search raw logs in the 'Investigation' screen.

  • Click 'Policy Management' on the left to manage EDR security policies:




  • The screen shows general information about policies and lists the default 'Comodo Recommended Security Policy'.
  • A check-mark beside a policy indicates it is currently active.

From this interface you can:

  • Create a new policy
  • View and edit the default Comodo security policy
  • Activate a policy
  • Delete a policy

 

Create a new policy

  • Click 'Policy Management' on the left
  • Click 'Create Policy':



  • Create a name for the policy and press enter:



  • Now, click on the policy name to view and edit its current details:



  • The new policy is automatically assigned a set of default rules.
  • You can add new rules, edit or delete rules as required.




The policy interface has two tabs – 'Company Rules' and 'Endpoint Rules'.

  • Company Rules – Create rules by event category. Company rules are applied to all protected endpoints. See 'Company Rules' for more information.
  • Endpoint Rules – Create additional conditions for each event category and apply to specific endpoints. See 'Endpoint Rules' for more details.


Company Rules


There are seven event categories in the company rules section.


Each category has conditions or rules that can be implemented in your policy. You can create new conditions and edit or delete a condition from an category.


The built-in event categories are:

  • Process Events –Rules to alert you when processes are invoked by an application
  • Registry Events - Rules to alert you about changes to the Windows registry on your endpoints.
  • File Events - Rules to alert you about modifications to system files.
  • Download Events - Rules to alert you when files are downloaded via browsers, emails, shared folders or external drives.
  • Upload Events - Rules to alert you when files are transferred to shared folders or external drives.
  • Defense+ Events - Rules to alert you when processes attempt to access critical operating system functions or launch attacks.
  • Network Events - Rules to alert you about any service listening to ports and network connections on your endpoints.

To create a new condition

  • Click 'Add New' lat the top of an event category:




The 'Add Condition' dialog will open:



  • 'Event Type'– choose the type of incident that you want EDR to detect. The event types available depend on the event category chosen.
  • In the example above, the category is 'Registry Events', so the available event types are 'Delete Registry Key', 'Delete Registry Value' and 'Set Registry Value'.
  • After choosing a type, you must next construct your condition. You do this by choosing the specific criteria which should be monitored. Again, the criteria vary by event category and event type.
  • In the example above we will chose 'Registry Events' > 'Set Registry Value'. The available criteria for 'Set Registry Value' let you specify which key names, values or paths should be monitored.



  • Event Name – Create a label for your condition. This label will be shown as 'Alert Name' in the 'Alerts' interface.
  • Score – Rate the event according to how seriously you judge the incident. Scores range from 0 to 10.
  • Scores 0 to 5 – Low risk events
  • Scores 6 to 10 – High risk events

The next step is configure the parameters and conditions for the rule.

  • Click the arrow below 'AND/OR'



The parameters depend on the selected category and event type.

  • Choose the parameter you wish to monitor
  • In the second box select the condition. The conditions list varies for different parameters.
  • In the third box, enter or select the value. You have to enter the value or select depending on the parameter.



  • Click 'Delete' to remove the rule
  • Click 'Save' if the rule satisfies your requirement
  • To add multiple rules, click 'Add rule'
  • Define parameters and condition as explained above.



  • Use 'AND' or 'OR' operators for the rule per your requirement

You can add multiple rules and define their relationship with 'AND', 'OR' operators.

  • To add a group, click 'Add group'
  • Define parameters and conditions as explained above.



  • Use 'AND' or 'OR' operators for groups (and within a group for rules) per your requirements.
  • Click 'Save' when done.
  • An alert will be created if the rule condition(s) are met.
  • To edit a rule, click the pencil icon beside it and update as required. The process is same as explained above.
  • To remove a rule, click the delete icon beside it.



  • Click 'Yes, delete it!' to confirm removal.


Endpoint Rules

  • Click 'Policy Management' on the left then the 'Endpoint Rules' tab



  • Select the endpoint from the drop-down



  • All the event rules under 'Company Rules' will be applicable for the endpoint and shown as 'Company Policy', which cannot be edited or removed from here.



  • Add new rules under event categories that will be applicable for the selected endpoint only
  • Click 'Add New' link and follow the same process as explained under 'Company Rules'



  • The added rule can be edited or removed from the event category.
  • To edit a rule, click the pencil icon beside it and update as required. The process is same as explained above.
  • To remove a rule, click the delete icon beside it.



  • Click 'Yes, delete it!' to confirm removal.


View and edit the default Comodo security policy

  • Comodo EDR ships with a default security policy that is automatically applied to enrolled endpoints.

  • Click 'Policy Management' on the left, then 'Comodo Recommended Security Policy'



The policy interface is similar to the 'Create a new policy' interface. See 'Company Rules' and 'Endpoint Rules' under 'Create a new policy' section.


Activate a policy

  • You can add as many security policies as required but any one only can be active at a time.
  • The active policy has a green check mark next to it.
  • Click 'Policy Management' on the left then the security policy that you want to active.



  • Click 'Activate' at the top



  • Click 'Yes, activate' to confirm




The policy will be activated and its rules will be applied to the enrolled endpoints.

Delete a policy

  • You cannot delete an active policy
  • Click 'Policy Management' on the left then the security policy that you want to delete




  • Click 'Delete' at the top




  • Click 'Yes, delete it!' to confirm



A confirmation dialog will be shown:



  • Click 'OK' to close the dialog.
Our Products
  • Free Antivirus
  • Free Internet Security
  • Website Malware Removal
  • Free Anti-Malware
  • Anti-Spam (Free Trial)
  • Windows Antivirus
  • Antivirus for Windows 7
  • Antivirus for Windows 8
  • Antivirus for Windows 10
  • Antivirus for MAC
  • Antivirus for Linux
  • Free Endpoint Security
  • Free ModSecurity
  • Free RMM
  • Free Website Malware Scanner
  • Free Device Manager for Android
  • Free Demo
  • Network Security
  • Endpoint Protection
  • Antivirus for Android
  • Comodo Antivirus
  • Wordpress Security
Cheap CDN
  • Bootstrap CDN
  • Semantic UI CDN
  • Jquery CDN
  • CDN Plans
  • CDN
  • Free CDN
Enterprise
  • Patch Management Software
  • Patch Manager
  • Service Desk
  • Website Down
  • Endpoint Protection Solutions
  • Website Security Check
  • Remote Monitoring and Management
  • Website Security
  • Device Manager
  • ITSM
  • CRM
  • MSP
  • Android Device Manager
  • MDR Services
  • Ransomware Prevention
  • Managed IT Support Services
  • Free EDR
Free SSL Certificate
Support Partners Terms and Conditions Privacy Policy

© Comodo Group, Inc. 2024. All rights reserved.