comodosecurity / openedr
Open EDR public repository
License: Other
Hi everybody. I'm new and have started learning about OpenEDR, but when I read the documentation to deploy it on my local machine I couldn't understand it. So can anyone guide me step by step to build OpenEDR self-hosted? Sincere thanks.
I wonder if OpenEDR can replace anti-virus software like Trend Micro OfficeScan. If so, there must be some signature-based or other form of virus rule updates every day or week. Then how do I know if it is reliable for detecting viruses and threats?
I encountered this error when I went to log in. And yes, I don't have any cookie blocker enabled on the domain.
Maintainers - @ozercomodo
edrav2/eprj/curl/lib/escape.c
char *curl_easy_escape(struct Curl_easy *data, const char *string,
int inlength)
{
....
alloc = (inlength?(size_t)inlength:strlen(string)) + 1;
newlen = alloc;
//malloc the ns memory
ns = malloc(alloc);
if(!ns)
return NULL;
//malloc ok
length = alloc-1;
while(length--) {
unsigned char in = *string; /* we need to treat the characters unsigned */
if(Curl_isunreserved(in))
/* just copy this */
ns[strindex++] = in;
else {
/* encode it */
newlen += 2; /* the size grows with two, since this'll become a %XX */
if(newlen > alloc) {
alloc *= 2;
testing_ptr = Curl_saferealloc(ns, alloc);
if(!testing_ptr)
return NULL;
// Here will cause the memory leak.
.....
}
Add an option to search for IoCs on endpoints using YARA rules. These rules could be imported into the central console and distributed to endpoints via console requests.
We were silent but working hard to replace MadcHook. As you know, this was a blocker since MadcHook is a licensed product.
Now we have replaced all of it, but we need extensive testing for compatibility.
We will make our binaries available before pushing them to the public repo. Please let us know if you can contribute.
Hello,
Only Windows, any Linux build? :(
For roadmap items, I created another repository to make it visible to everyone. Please check: https://github.com/ComodoSecurity/openedr_roadmap/projects/1
I cannot uninstall OpenEDR from Add/Remove Programs; it says no permission.
I tried this from the command line as the SYSTEM user and it works:
msiexec /x OpenEDR-installation-2.0.0.0-x64.msi
edrav2/eprj/curl/lib/vtls/vtls.c:
CURLcode Curl_pin_peer_pubkey(struct Curl_easy *data,
const char *pinnedpubkey,
const unsigned char *pubkey, size_t pubkeylen)
{
........
/* compute sha256sum of public key */
sha256sumdigest = malloc(CURL_SHA256_DIGEST_LENGTH);
if(!sha256sumdigest)
return CURLE_OUT_OF_MEMORY;
//sha256sumdigest malloc ok
encode = Curl_ssl->sha256sum(pubkey, pubkeylen,
sha256sumdigest, CURL_SHA256_DIGEST_LENGTH);
if(encode != CURLE_OK)
return encode;
// here maybe memleak
encode = Curl_base64_encode(data, (char *)sha256sumdigest,
CURL_SHA256_DIGEST_LENGTH, &encoded,
&encodedlen);
Curl_safefree(sha256sumdigest);
if(encode)
return encode;
.....
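Both curl excerpts in the two reports above come down to one question: is the heap buffer released on every exit path, including the early returns? The C program below is an added example written for this page, not code from curl or OpenEDR. Its `saferealloc` follows the contract of curl's `Curl_saferealloc` (the original block is freed when `realloc` fails), which is what decides whether the `return NULL` in the escape.c excerpt leaks; `percent_encode` reuses that grow-on-demand shape. `hex_digest` shows the vtls.c shape rewritten with a single cleanup label so the digest buffer is freed even when the hash step fails. `fake_hash`, `encodes_to`, `DIGEST_LEN` and the sample inputs are constructed for the demonstration and stand in for the TLS backend's real `sha256sum` callback.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Same contract as curl's Curl_saferealloc: on failure (size != 0) the
 * ORIGINAL block is freed, so the caller may simply return NULL. */
static void *saferealloc(void *ptr, size_t size)
{
    void *datap = realloc(ptr, size);
    if(size && !datap)
        free(ptr);
    return datap;
}

/* Grow-on-demand percent encoder with the shape of the escape.c excerpt.
 * inlength == 0 means "use strlen(string)".  Returns a malloc'ed string,
 * or NULL with nothing left allocated. */
char *percent_encode(const char *string, size_t inlength)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t length = inlength ? inlength : strlen(string);
    size_t alloc = length + 1;              /* enough if nothing is escaped */
    size_t newlen = alloc, strindex = 0;
    char *ns = malloc(alloc);
    if(!ns)
        return NULL;
    while(length--) {
        unsigned char in = (unsigned char)*string++;
        if(isalnum(in) || in == '-' || in == '.' || in == '_' || in == '~') {
            ns[strindex++] = (char)in;      /* unreserved: copy as-is */
            continue;
        }
        newlen += 2;                        /* one byte becomes "%XX" */
        if(newlen > alloc) {
            alloc *= 2;
            char *grown = saferealloc(ns, alloc);
            if(!grown)
                return NULL;                /* ns already freed: no leak */
            ns = grown;
        }
        ns[strindex++] = '%';
        ns[strindex++] = hex[in >> 4];
        ns[strindex++] = hex[in & 0x0f];
    }
    ns[strindex] = '\0';
    return ns;
}

/* Encode, compare with the expected output, free.  Used by main and tests. */
int encodes_to(const char *in, size_t inlength, const char *want)
{
    char *e = percent_encode(in, inlength);
    int ok = e && strcmp(e, want) == 0;
    free(e);
    return ok;
}

#define DIGEST_LEN 32   /* SHA-256 size, like CURL_SHA256_DIGEST_LENGTH */
typedef int (*hash_fn)(const unsigned char *, size_t, unsigned char *, size_t);

/* Constructed stand-in for the backend sha256sum callback: NOT a real hash.
 * Fails on empty input so the error path can be exercised. */
int fake_hash(const unsigned char *in, size_t inlen,
              unsigned char *out, size_t outlen)
{
    if(inlen == 0)
        return 1;
    for(size_t i = 0; i < outlen; i++)
        out[i] = in[i % inlen] ^ (unsigned char)i;
    return 0;
}

/* Single-exit version of the vtls.c shape: the heap digest is released on
 * every path, including a failed hash.  out must hold 2*DIGEST_LEN+1 bytes. */
int hex_digest(hash_fn hash, const unsigned char *pubkey, size_t pubkeylen,
               char *out, size_t outlen)
{
    int rc = -1;
    unsigned char *digest = malloc(DIGEST_LEN);
    if(!digest)
        return -1;
    if(outlen < 2 * DIGEST_LEN + 1)
        goto cleanup;
    if(hash(pubkey, pubkeylen, digest, DIGEST_LEN) != 0)
        goto cleanup;                       /* early failure still frees digest */
    for(size_t i = 0; i < DIGEST_LEN; i++)
        snprintf(out + 2 * i, 3, "%02x", digest[i]);
    rc = 0;
cleanup:
    free(digest);
    return rc;
}

int main(void)
{
    char hexout[2 * DIGEST_LEN + 1];
    printf("encode ok: %d\n", encodes_to("a b/c", 0, "a%20b%2Fc"));   /* 1 */
    printf("digest(\"ab\") rc=%d %s\n",
           hex_digest(fake_hash, (const unsigned char *)"ab", 2, hexout, sizeof hexout), hexout);
    printf("digest(\"\") rc=%d\n",
           hex_digest(fake_hash, (const unsigned char *)"", 0, hexout, sizeof hexout));
    return 0;
}
```

Building this (or the real curl code) with `-fsanitize=address` and driving the failure paths, for example by making the hash callback fail, is the quickest way to confirm whether a suspected leak of this kind is real: LeakSanitizer reports the unreleased block at exit.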
Dear Sirs,
Please explain how it is possible to contribute to this project?
I ask because it implies it is "open"; however, it requires the madCodeHook library, which you have to purchase at http://www.madcodehook.com/madCodeHookDescription.htm
I will try contacting the developer directly.
I want to compile OpenEDR, and I have also purchased the Netfilter SDK and MadcHook, but when I was compiling I found nfapi::cmdedr related classes. May I ask if this class can be open sourced?
Urgent help wanted to test the first release; please also state your environment, test steps, and expected result: success or failure.
We need to get rid of encryption so the user can change the local file and apply changes.
The local policies should be in the same JSON format we use in the paid EDR.
In local mode, it should read local policy changes and then apply them without restarting the agent.
I have Filebeat picking up the logs from C:\ProgramData\edrsvc\log\output_events\*.log
and sending them to Elasticsearch. However, I cannot parse the logs, as they are multi-line JSON with no newline between objects (}{).
If we could make each log take up one line, or at least put a newline between JSON objects, that should make it possible for Filebeat -> Elasticsearch to parse them.
is this project dead???
Hi,
when I try (as admin or SYSTEM) to stop edrsvc using sc stop edrsvc, I am getting this:
[SC] ControlService FAILED 1052:
The requested control is not valid for this service.
Thanks for help
Sirs, good morning.
Is it possible to customize the dashboards?
Hi,
can someone share their filebeat.yml configuration file? I can't seem to configure it right to show the logs that OpenEDR collects... it only sends the metadata etc.
My filebeat.yml configuration:
filebeat.inputs:
Maybe something to do with multiline.pattern?
Thanks ahead!
Your README and the press are calling this Open Source software.
But your License.md is the Commons Clause which explicitly says it is not Open Source:
Is this “Open Source”?
No.
“Open source”, has a specific definition that was written years ago and is stewarded by the Open Source Initiative, which approves Open Source licenses. Applying the Commons Clause to an open source project will mean the source code is available, and meets many of the elements of the Open Source Definition, such as free access to source code, freedom to modify, and freedom to re-distribute, but not all of them.
The difference is of course major for anyone who wants to join you in providing OpenEDR as a product.
Please fix your README.
I'm encountering errors while trying to build the openedr project. Despite multiple attempts, I haven't been able to resolve them. I have built everything except libcloud and edrsvc.
Since I'm stuck, I've reached out to the maintainer for assistance. Could you please lend a hand in getting this project built successfully?
I feel lost now, so please lend a helping hand.
@ozercomodo @Cunfuu @ComodoMelih @seroza @yucecengiz @stnert @pbasilcom
Describe the bug
I am trying to build the openEDR project, which uses this library, in Visual Studio 2019 with the C++ language standard set to ISO C++17 (/std:c++17). Once it compiles the .pb.cc files, it generates lots of errors (400+).
I have built all the required libraries in the eprj dir, and these are the errors I am getting.
Except for libcloud and edrsvc all other projects have been built successfully.
I am getting Errors in the project libcloud and edrsvc only.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
The project should be built successfully and generate .dll,.lib, .sys, and .exe files wherever applicable without any errors.
Build started... 1>------ Build started: Project: libcloud, Configuration: Debug x64 ------ 1>annotations.pb.cc 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/stubs/status.h(97,15): warning C4251: 'google::protobuf::util::status_internal::Status::error_message_': class 'std::basic_string<char,std::char_traits<char>,std::allocator<char>>' needs to have dll-interface to be used by clients of class 'google::protobuf::util::status_internal::Status' 1>C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.29.30037\include\xstring(4905): message : see declaration of 'std::basic_string<char,std::char_traits<char>,std::allocator<char>>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/stubs/logging.h(100,15): warning C4251: 'google::protobuf::internal::LogMessage::message_': class 'std::basic_string<char,std::char_traits<char>,std::allocator<char>>' needs to have dll-interface to be used by clients of class 'google::protobuf::internal::LogMessage' 1>C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.29.30037\include\xstring(4905): message : see declaration of 'std::basic_string<char,std::char_traits<char>,std::allocator<char>>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/io/coded_stream.h(1282,28): warning C4251: 'google::protobuf::io::CodedOutputStream::default_serialization_deterministic_': struct 'std::atomic<bool>' needs to have dll-interface to be used by clients of class 'google::protobuf::io::CodedOutputStream' 1>C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.29.30037\include\atomic(2859): message : see declaration of 'std::atomic<bool>' 
1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/arena_impl.h(307,23): warning C4251: 'google::protobuf::internal::SerialArena::space_allocated_': struct 'std::atomic<unsigned __int64>' needs to have dll-interface to be used by clients of class 'google::protobuf::internal::SerialArena' 1>C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.29.30037\include\atomic(2871): message : see declaration of 'std::atomic<unsigned __int64>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/arena_impl.h(412,29): warning C4251: 'google::protobuf::internal::ThreadSafeArena::alloc_policy_': class 'google::protobuf::internal::TaggedAllocationPolicyPtr' needs to have dll-interface to be used by clients of class 'google::protobuf::internal::ThreadSafeArena' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/arena_impl.h(112): message : see declaration of 'google::protobuf::internal::TaggedAllocationPolicyPtr' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/arena_impl.h(415,29): warning C4251: 'google::protobuf::internal::ThreadSafeArena::threads_': struct 'std::atomic<google::protobuf::internal::SerialArena *>' needs to have dll-interface to be used by clients of class 'google::protobuf::internal::ThreadSafeArena' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/arena_impl.h(415): message : see declaration of 'std::atomic<google::protobuf::internal::SerialArena *>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/arena_impl.h(416,29): warning C4251: 'google::protobuf::internal::ThreadSafeArena::hint_': struct 
'std::atomic<google::protobuf::internal::SerialArena *>' needs to have dll-interface to be used by clients of class 'google::protobuf::internal::ThreadSafeArena' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/arena_impl.h(415): message : see declaration of 'std::atomic<google::protobuf::internal::SerialArena *>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/arenastring.h(77,43): warning C4251: 'google::protobuf::internal::LazyString::inited_': struct 'std::atomic<const std::string *>' needs to have dll-interface to be used by clients of class 'google::protobuf::internal::LazyString' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/arenastring.h(77): message : see declaration of 'std::atomic<const std::string *>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/arenastring.h(323,26): warning C4251: 'google::protobuf::internal::ArenaStringPtr::tagged_ptr_': class 'google::protobuf::internal::TaggedPtr<std::string>' needs to have dll-interface to be used by clients of struct 'google::protobuf::internal::ArenaStringPtr' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/arenastring.h(118): message : see declaration of 'google::protobuf::internal::TaggedPtr<std::string>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/metadata_lite.h(261,15): warning C4251: 'google::protobuf::internal::LiteUnknownFieldSetter::buffer_': class 'std::basic_string<char,std::char_traits<char>,std::allocator<char>>' needs to have dll-interface to be used by clients of class 'google::protobuf::internal::LiteUnknownFieldSetter' 1>C:\Program Files (x86)\Microsoft Visual 
Studio\2019\Community\VC\Tools\MSVC\14.29.30037\include\xstring(4905): message : see declaration of 'std::basic_string<char,std::char_traits<char>,std::allocator<char>>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/message_lite.h(445,30): warning C4251: 'google::protobuf::MessageLite::_internal_metadata_': class 'google::protobuf::internal::InternalMetadata' needs to have dll-interface to be used by clients of class 'google::protobuf::MessageLite' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/metadata_lite.h(62): message : see declaration of 'google::protobuf::internal::InternalMetadata' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/implicit_weak_message.h(93,15): warning C4251: 'google::protobuf::internal::ImplicitWeakMessage::data_': class 'std::basic_string<char,std::char_traits<char>,std::allocator<char>>' needs to have dll-interface to be used by clients of class 'google::protobuf::internal::ImplicitWeakMessage' 1>C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.29.30037\include\xstring(4905): message : see declaration of 'std::basic_string<char,std::char_traits<char>,std::allocator<char>>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/generated_message_util.h(193,20): warning C4251: 'google::protobuf::internal::CachedSize::size_': struct 'std::atomic<int>' needs to have dll-interface to be used by clients of class 'google::protobuf::internal::CachedSize' 1>C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.29.30037\include\atomic(2866): message : see declaration of 'std::atomic<int>' 
1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/stubs/mutex.h(136,40): warning C4251: 'google::protobuf::internal::WrappedMutex::mu_': class 'google::protobuf::internal::CallOnceInitializedMutex<std::mutex>' needs to have dll-interface to be used by clients of class 'google::protobuf::internal::WrappedMutex' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/stubs/mutex.h(136): message : see declaration of 'google::protobuf::internal::CallOnceInitializedMutex<std::mutex>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.h(1627,25): warning C4251: 'google::protobuf::FileDescriptor::LazyInitData::once': struct 'std::once_flag' needs to have dll-interface to be used by clients of struct 'google::protobuf::FileDescriptor::LazyInitData' 1>C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.29.30037\include\xcall_once.h(21): message : see declaration of 'std::once_flag' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.h(2041,27): warning C4251: 'google::protobuf::DescriptorPool::tables_': class 'std::unique_ptr<google::protobuf::DescriptorPool::Tables,std::default_delete<google::protobuf::DescriptorPool::Tables>>' needs to have dll-interface to be used by clients of class 'google::protobuf::DescriptorPool' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.h(2041): message : see declaration of 'std::unique_ptr<google::protobuf::DescriptorPool::Tables,std::default_delete<google::protobuf::DescriptorPool::Tables>>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.h(2051,31): warning C4251: 
'google::protobuf::DescriptorPool::unused_import_track_files_': class 'std::map<std::string,bool,std::less<std::string>,std::allocator<std::pair<const std::string,bool>>>' needs to have dll-interface to be used by clients of class 'google::protobuf::DescriptorPool' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.h(2051): message : see declaration of 'std::map<std::string,bool,std::less<std::string>,std::allocator<std::pair<const std::string,bool>>>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/io/zero_copy_stream_impl_lite.h(243,30): warning C4251: 'google::protobuf::io::CopyingInputStreamAdaptor::buffer_': class 'std::unique_ptr<uint8_t [],std::default_delete<uint8_t []>>' needs to have dll-interface to be used by clients of class 'google::protobuf::io::CopyingInputStreamAdaptor' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/io/zero_copy_stream_impl_lite.h(243): message : see declaration of 'std::unique_ptr<uint8_t [],std::default_delete<uint8_t []>>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/io/zero_copy_stream_impl_lite.h(334,30): warning C4251: 'google::protobuf::io::CopyingOutputStreamAdaptor::buffer_': class 'std::unique_ptr<uint8_t [],std::default_delete<uint8_t []>>' needs to have dll-interface to be used by clients of class 'google::protobuf::io::CopyingOutputStreamAdaptor' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/io/zero_copy_stream_impl_lite.h(243): message : see declaration of 'std::unique_ptr<uint8_t [],std::default_delete<uint8_t []>>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/unknown_field_set.h(206,29): 
warning C4251: 'google::protobuf::UnknownFieldSet::fields_': class 'std::vector<google::protobuf::UnknownField,std::allocator<google::protobuf::UnknownField>>' needs to have dll-interface to be used by clients of class 'google::protobuf::UnknownFieldSet' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/unknown_field_set.h(206): message : see declaration of 'std::vector<google::protobuf::UnknownField,std::allocator<google::protobuf::UnknownField>>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/extension_set.h(1070,26): warning C4251: 'google::protobuf::internal::RepeatedPrimitiveDefaults::default_repeated_field_int32_t_': class 'google::protobuf::RepeatedField<int32_t>' needs to have dll-interface to be used by clients of class 'google::protobuf::internal::RepeatedPrimitiveDefaults' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/repeated_field.h(1045): message : see declaration of 'google::protobuf::RepeatedField<int32_t>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/extension_set.h(1071,26): warning C4251: 'google::protobuf::internal::RepeatedPrimitiveDefaults::default_repeated_field_int64_t_': class 'google::protobuf::RepeatedField<int64_t>' needs to have dll-interface to be used by clients of class 'google::protobuf::internal::RepeatedPrimitiveDefaults' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/repeated_field.h(1047): message : see declaration of 'google::protobuf::RepeatedField<int64_t>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/extension_set.h(1072,27): warning C4251: 
'google::protobuf::internal::RepeatedPrimitiveDefaults::default_repeated_field_uint32_t_': class 'google::protobuf::RepeatedField<uint32_t>' needs to have dll-interface to be used by clients of class 'google::protobuf::internal::RepeatedPrimitiveDefaults' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/repeated_field.h(1046): message : see declaration of 'google::protobuf::RepeatedField<uint32_t>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/extension_set.h(1073,27): warning C4251: 'google::protobuf::internal::RepeatedPrimitiveDefaults::default_repeated_field_uint64_t_': class 'google::protobuf::RepeatedField<uint64_t>' needs to have dll-interface to be used by clients of class 'google::protobuf::internal::RepeatedPrimitiveDefaults' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/repeated_field.h(1048): message : see declaration of 'google::protobuf::RepeatedField<uint64_t>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/extension_set.h(1074,25): warning C4251: 'google::protobuf::internal::RepeatedPrimitiveDefaults::default_repeated_field_double_': class 'google::protobuf::RepeatedField<double>' needs to have dll-interface to be used by clients of class 'google::protobuf::internal::RepeatedPrimitiveDefaults' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/repeated_field.h(1050): message : see declaration of 'google::protobuf::RepeatedField<double>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/extension_set.h(1075,24): warning C4251: 'google::protobuf::internal::RepeatedPrimitiveDefaults::default_repeated_field_float_': class 
'google::protobuf::RepeatedField<float>' needs to have dll-interface to be used by clients of class 'google::protobuf::internal::RepeatedPrimitiveDefaults' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/repeated_field.h(1049): message : see declaration of 'google::protobuf::RepeatedField<float>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/extension_set.h(1076,23): warning C4251: 'google::protobuf::internal::RepeatedPrimitiveDefaults::default_repeated_field_bool_': class 'google::protobuf::RepeatedField<bool>' needs to have dll-interface to be used by clients of class 'google::protobuf::internal::RepeatedPrimitiveDefaults' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/repeated_field.h(1044): message : see declaration of 'google::protobuf::RepeatedField<bool>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.pb.h(48,76): warning C4251: 'TableStruct_google_2fprotobuf_2fdescriptor_2eproto::aux': union 'google::protobuf::internal::AuxiliaryParseTableField' needs to have dll-interface to be used by clients of struct 'TableStruct_google_2fprotobuf_2fdescriptor_2eproto' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/generated_message_table_driven.h(141): message : see declaration of 'google::protobuf::internal::AuxiliaryParseTableField' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.pb.h(488,93): warning C4251: 'google::protobuf::FileDescriptorSet::file_': class 'google::protobuf::RepeatedPtrField<google::protobuf::FileDescriptorProto>' needs to have dll-interface to be used by clients of class 'google::protobuf::FileDescriptorSet' 
1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.pb.h(470): message : see declaration of 'google::protobuf::RepeatedPtrField<google::protobuf::FileDescriptorProto>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.pb.h(873,49): warning C4251: 'google::protobuf::FileDescriptorProto::_has_bits_': class 'google::protobuf::internal::HasBits<1>' needs to have dll-interface to be used by clients of class 'google::protobuf::FileDescriptorProto' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/has_bits.h(83): message : see declaration of 'google::protobuf::internal::HasBits<1>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.pb.h(875,58): warning C4251: 'google::protobuf::FileDescriptorProto::dependency_': class 'google::protobuf::RepeatedPtrField<std::basic_string<char,std::char_traits<char>,std::allocator<char>>>' needs to have dll-interface to be used by clients of class 'google::protobuf::FileDescriptorProto' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/repeated_ptr_field.h(1235): message : see declaration of 'google::protobuf::RepeatedPtrField<std::basic_string<char,std::char_traits<char>,std::allocator<char>>>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.pb.h(876,89): warning C4251: 'google::protobuf::FileDescriptorProto::message_type_': class 'google::protobuf::RepeatedPtrField<google::protobuf::DescriptorProto>' needs to have dll-interface to be used by clients of class 'google::protobuf::FileDescriptorProto' 
1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.pb.h(667): message : see declaration of 'google::protobuf::RepeatedPtrField<google::protobuf::DescriptorProto>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.pb.h(877,93): warning C4251: 'google::protobuf::FileDescriptorProto::enum_type_': class 'google::protobuf::RepeatedPtrField<google::protobuf::EnumDescriptorProto>' needs to have dll-interface to be used by clients of class 'google::protobuf::FileDescriptorProto' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.pb.h(685): message : see declaration of 'google::protobuf::RepeatedPtrField<google::protobuf::EnumDescriptorProto>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.pb.h(878,96): warning C4251: 'google::protobuf::FileDescriptorProto::service_': class 'google::protobuf::RepeatedPtrField<google::protobuf::ServiceDescriptorProto>' needs to have dll-interface to be used by clients of class 'google::protobuf::FileDescriptorProto' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.pb.h(703): message : see declaration of 'google::protobuf::RepeatedPtrField<google::protobuf::ServiceDescriptorProto>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.pb.h(879,94): warning C4251: 'google::protobuf::FileDescriptorProto::extension_': class 'google::protobuf::RepeatedPtrField<google::protobuf::FieldDescriptorProto>' needs to have dll-interface to be used by clients of class 'google::protobuf::FileDescriptorProto' 
1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.pb.h(721): message : see declaration of 'google::protobuf::RepeatedPtrField<google::protobuf::FieldDescriptorProto>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.pb.h(880,53): warning C4251: 'google::protobuf::FileDescriptorProto::public_dependency_': class 'google::protobuf::RepeatedField<int32_t>' needs to have dll-interface to be used by clients of class 'google::protobuf::FileDescriptorProto' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/repeated_field.h(1045): message : see declaration of 'google::protobuf::RepeatedField<int32_t>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.pb.h(881,53): warning C4251: 'google::protobuf::FileDescriptorProto::weak_dependency_': class 'google::protobuf::RepeatedField<int32_t>' needs to have dll-interface to be used by clients of class 'google::protobuf::FileDescriptorProto' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/repeated_field.h(1045): message : see declaration of 'google::protobuf::RepeatedField<int32_t>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.pb.h(1075,49): warning C4251: 'google::protobuf::DescriptorProto_ExtensionRange::_has_bits_': class 'google::protobuf::internal::HasBits<1>' needs to have dll-interface to be used by clients of class 'google::protobuf::DescriptorProto_ExtensionRange' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/has_bits.h(83): message : see declaration of 'google::protobuf::internal::HasBits<1>' 
Desktop (please complete the following information):
Additional context
Protobuf Version: main/v3.19.4
Openedr version: V2.5.1.0
Language: C++
IDE: Visual Studio 2019 community edition
I don't understand how to resolve it. Please help me to resolve these issues. I will be very thankful to you for a great community.
Please help me, your helping hand will be appreciated a lot.
I am lost and trying a lot to resolve this issue but couldn't get success.
Now your expertise can save me.
@ozercomodo @Cunfuu @ComodoMelih @seroza @yucecengiz @stnert @pbasilcom
Thanks, community.
Currently we have a parse problem for Filebeat: every event should start on a new line.
Let's have multi-line and single-line output as a configurable option.
Error Message:
Updating files: 100% (66966/66966), done.
Downloading edrav2/build/buildpipe/Tools/7za.exe (740 KB)
Error downloading object: edrav2/build/buildpipe/Tools/7za.exe (ea308c7): Smudge error: Error downloading edrav2/build/buildpipe/Tools/7za.exe (ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d): batch response: This repository is over its data quota. Account responsible for LFS bandwidth should purchase more data packs to restore access.
Is your feature request related to a problem? Please describe.
Yes, #30. This feature request is big, but if it is implemented then Comodo will have an open source anti-virus and can make a profit with that.
Describe the solution you'd like
Just create a team for that and unite with Xylent. I know it's a revolutionary idea, but it is going to make Comodo a big profit.
Describe alternatives you've considered
The alternative solution is that if no one accepts that project, then I am going to create my own team for it.
Additional context
Auto-containment technology should be part of that project; if we do that and use other rules etc., the antivirus becomes stronger than you imagine.
Hey guys, I realized that the logs in the output folder C:\ProgramData\edrsvc\log\output_events, although they are valid JSON, do not have a proper CRLF (carriage return line ending), as you can see in line 57 below.
This is a bit problematic if you want to read the logs with Filebeat, for instance. Is it possible to add a CRLF per line? Or, even better, could the JSON not be beautified (no pretty output)? That way we save time because there will be one JSON log per line with a proper carriage return.
Hello, Everyone
Has someone rebuilt this "open source" EDR successfully? I tried, but failed. Under Visual Studio 2019, the compilation failed with errors: 1) madCHook.h: No such file or directory. 2) System Includes.h: No such file or directory. 3) No libboost_date_time-vc142-mt-sgd-x64-1_70.lib.
I'm not sure whether this project is indeed going to work for everyone. If not, I will try other open source projects for academic use. If yes, please give more instructions about how to compile and rebuild this project.
Thanks
So I'm fairly new to security research, not sure if EDR developers are typically friendly to research aiming to break into their product, but I do think it's ultimately a good thing for this kind of thing to be done, especially when it's published for all to learn from / respond to rather than quietly developed to be abused for cyber crime. After doing this I'll definitely share a write-up of the results, maybe even privately with the contributors here if possible ahead of a public paper.
Some questions I want to answer:
If we can demonstrate 1 to be true and 2 to be false (by defeating all the publicly available EDRs), then it would be really important to answer 3 (preferably in the affirmative).
I decided to start out testing against OpenEDR, since the source being available should make it the easiest tool to build a testing pipeline for. Some things I intend to test against this EDR:
And if anyone close to the project's development would be willing to have discussion on some of the low-level advanced concepts involved, maybe exchange some back-and-forths on penetration approaches, perhaps we could all learn something.
The links above all point to posts by my reddit account, so it shouldn't be hard to get in touch if anyone likes, or else I'd be happy to have some discussion here openly within this issue. Basically for now I'm just hoping to learn about the core components of the EDR and sort of where this tool stands between 'state-of' and 'edge-of' the art against the various defeat methods I'm interested in testing. It would save me a lot of time to have that dialogue.
Hook evasion research: A little more on my research and why I say kernel hooks are most useful; It's just because of the way evasion (due to the existence of dynamic jump destinations based on conditions fundamentally uncertain to the defender combined with the variable-length nature of the x86 instruction set) makes it impossible for endpoint defense products to reliably predict what a program will do. The true control flow is fundamentally unknown. But in order to create an effect, the attacker must interface with the hardware or other processes in some way, which it must ask the kernel for permission to do (system calls). By 'hooking' (redirecting control flow to intermediately executed security subroutines) any calls to the kernel, the defender can gain valuable insight into the behavior of the program when it executes on its intended target, despite evasive behavior, and potentially recognize / stop the threat. So as the attacker, we really need to avoid these kernel hooks. Windows actually really hurts the defender here by forcing its own implementation of this (here's an example of this for filesystem interaction), so by exploiting this single implementation, every single endpoint security product which leverages Windows kernel hooks can potentially be subverted.
Binary obfuscation research: So right now I would say most attacks don't involve great obfuscation. Some of the best source code obfuscation tools out there (like Tigress) are aimed at preventing reverse engineering (because that's where the money is) more so than avoiding detection, resulting in very recognizable control flow graph patterns, and, well, binary obfuscation is hard. But binary obfuscation is much more powerful, and it is likely possible to innovate in this space, through the approach I mentioned previously and others. Even where we might struggle to evade certain kernel-level system call hooks, we can add noise to this analysis channel. This could fool some signatures based on analyzing system call sequences, although other heuristic-based signatures might not be fooled, hence the importance of the previous bullet for attacking those more robust defenses by evading the hooks themselves. Still other signature metrics exist beyond system call sequences, including resource usage patterns, register activity patterns, and so on, all of which an EDR endpoint sensor might seek to analyze.
But this list will probably double in size as I probe the EDR and see what mechanisms and detection strategies are used. I'll comment on this thread as I find potential attack vectors against the tool and better understand its inner workings, and seek further discussion with anyone interested in this. As I said, I'm no veteran researcher and I surely have much to learn on the topic. Thanks ahead of time for any advice or insight given!
Hi there,
The parsing of pretty-printed JSON log messages is not possible even with the multiline JSON option in Filebeat.
The problem is that there is no newline between the closing curly bracket and the beginning of the new document:
}{
I read in the issues that this has been fixed.
Can you run another build with the fixed stuff and put it into a release?
Thanks in advance
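The two Filebeat reports above describe the same failure mode: pretty-printed events written back to back as `}{` with no separator, which no line- or multiline-based shipper can split reliably. The following is an added example (not OpenEDR code) of a small pre-processor that walks such a file with `json.JSONDecoder.raw_decode`, recovers each top-level object regardless of separators, and re-emits newline-delimited compact JSON; the sample input and its field names are constructed for illustration only, and a truncated trailing event (a file still being written) is reported rather than silently dropped.

```python
import json
from typing import Iterator

# Constructed sample mimicking the described output_events layout: two
# pretty-printed objects glued together as "}{" with no newline between them.
# Field names here are placeholders, not OpenEDR's real event schema.
SAMPLE_OUTPUT_EVENTS = """{
    "eventType": 1,
    "process": {
        "pid": 1234,
        "imageFile": "C:\\\\Windows\\\\System32\\\\cmd.exe"
    }
}{
    "eventType": 2,
    "process": {
        "pid": 5678
    }
}
"""


def iter_json_objects(text: str) -> Iterator[dict]:
    """Yield every top-level JSON object in `text`, whether the objects are
    pretty-printed, compact, separated by whitespace, or glued as "}{"."""
    decoder = json.JSONDecoder()
    pos, end = 0, len(text)
    while pos < end:
        # raw_decode does not skip leading whitespace, so do it here.
        while pos < end and text[pos].isspace():
            pos += 1
        if pos >= end:
            break
        try:
            obj, pos = decoder.raw_decode(text, pos)
        except json.JSONDecodeError as exc:
            # Typically a half-written last event; surface it instead of
            # emitting a partial record downstream.
            raise ValueError(f"truncated or malformed event at offset {pos}") from exc
        yield obj


def to_ndjson(text: str) -> str:
    """Re-serialize the events as one compact JSON document per line, the
    newline-delimited form that log shippers ingest without multiline rules."""
    return "".join(
        json.dumps(obj, separators=(",", ":")) + "\n" for obj in iter_json_objects(text)
    )


if __name__ == "__main__":
    print(to_ndjson(SAMPLE_OUTPUT_EVENTS), end="")
```

Pointing the script at a file from the output folder and writing the result to a separate file that Filebeat tails gives one event per line until the service itself emits newline-delimited output.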
I have found two issues that can be chained by an attacker with high privileges in order to inject arbitrary hooks into any monitored process in an endpoint running openEDR.
The EDR's injector driver loads specific DLLs into monitored processes to hook certain Windows APIs. However, the driver does not correctly check the loaded DLLs' signatures at all. This allows an attacker with high integrity privileges to use this legitimate driver, signed by Comodo, to load malicious DLLs and perform userland hooking.
The isDllVerified() function is not being used and does not work correctly in current Windows versions.
The injector driver searches for DLLs to inject into the monitored processes in a predefined list of paths in priority order. The issue stems from the fact that, even though the second of these paths is properly protected, the first is not. This allows a user with high integrity privileges to drop a malicious DLL into this path, or overwrite a legitimate DLL in such path.
Hello. I am a security enthusiast who wants to start contributing to OpenEDR.
I am currently working in a well known XDR solution.
I have a real security background including DFIR, malware analysis, tools, POCs, etc.
At the moment I am in the Linux/Mac dev team at Cynet, writing in C, C++, C#, and Lua.
However, I visited your GitHub and I see almost no activity this year.
Is the project still alive?
Due to the commercial licensing of MadcHook, we want to replace it with Microsoft Detours https://github.com/microsoft/Detours . We need contributors to implement that with us. We will break it down into subtasks,
Hi,
As per the readme, at the time it was published Elasticsearch did not have an OpenEDR module. Is it supported now?
Thanks
Hey, I'm trying to figure out how this project works. Can someone tell me where the "nfwfpdrv" driver is located, how it is being installed, and where I can find its source code, if available?