
v2.2.4 — EDR/XDR Detection & Version Tooling

NexusOne23 released this 24 Mar 19:24

🔧 Enhancement Release

Third-party security product detection for ASR module and verification.

✨ What's New

EDR/XDR and Third-Party AV Detection (#15)

NoID Privacy now detects EDR/XDR products (CrowdStrike Falcon, SentinelOne, Carbon Black, etc.) that don't register in WMI's traditional AntiVirusProduct class but put Defender in Passive Mode.

3-layer detection approach:

| Layer | Method | Catches |
|---|---|---|
| 1 | WMI SecurityCenter2 (existing) | Traditional AV: Bitdefender, Kaspersky, Avira, Norton, ESET, etc. |
| 2 | Get-MpComputerStatus.AMRunningMode (new) | Any product that puts Defender in Passive Mode |
| 3 | 18 known EDR service names (new) | Provides the specific product name in logs and UI |

Behavior:

  • ASR module gracefully skips when third-party product detected (Success = $true, not an error)
  • Verify script counts ASR as 19/19 verified when third-party product is primary
  • Policy report no longer counts ASR as failed when EDR/XDR is active

Supported EDR/XDR products (Layer 3 identification):
CrowdStrike Falcon, SentinelOne, Carbon Black Cloud, Cylance/Arctic Wolf Aurora, Trellix (HX/Agent/ATP), Palo Alto Cortex XDR, Bitdefender GravityZone, Kaspersky Endpoint Security, Broadcom/Symantec SEP, ESET Endpoint Security, Sophos Endpoint

Products not in this list are still detected via Layer 2 (Passive Mode) — the list only provides a human-readable name.
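The three-layer check described above, as an added illustration rather than the project's own Test-ThirdPartySecurityProduct. The function name, result shape and the service-name subset are assumptions; the project's full list of 18 service names is not on this page.

```powershell
# Added illustration of the three-layer check described above.
# Not the project's own Test-ThirdPartySecurityProduct; all names here are assumptions.
function Test-ThirdPartySecurityProductExample {
    $result = [ordered]@{ Detected = $false; Layer = 0; Product = $null; AMRunningMode = $null }

    # Layer 1: WMI SecurityCenter2 catches products that register as AntiVirusProduct.
    $av = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' -ErrorAction SilentlyContinue
    $thirdParty = @($av | Where-Object { $_.displayName -notmatch 'Windows Defender|Microsoft Defender' })
    if ($thirdParty.Count -gt 0) {
        $result.Detected = $true; $result.Layer = 1
        $result.Product = ($thirdParty.displayName -join ', ')
    }

    # Layer 2: Defender reports its own mode; a third-party engine forces it into Passive Mode
    # even when that product never registers in SecurityCenter2 (the EDR/XDR case).
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($status) {
        $result.AMRunningMode = $status.AMRunningMode
        if ($status.AMRunningMode -like '*Passive*' -and -not $result.Detected) {
            $result.Detected = $true; $result.Layer = 2
            $result.Product = "Unknown third-party product (Defender: $($status.AMRunningMode))"
        }
    }

    # Layer 3: known service names only supply a human-readable product name.
    # Illustrative subset (assumption): the release notes mention 18 names but do not list them.
    $knownServices = @{
        'CSFalconService' = 'CrowdStrike Falcon'
        'SentinelAgent'   = 'SentinelOne'
        'CbDefense'       = 'Carbon Black Cloud'
    }
    foreach ($svc in $knownServices.Keys) {
        if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
            $result.Detected = $true
            if ($result.Layer -eq 0) { $result.Layer = 3 }
            $result.Product = $knownServices[$svc]
            break
        }
    }
    [pscustomobject]$result
}

# Caller pattern from the "Behavior" section: skip ASR configuration as a success, not an error.
$check = Test-ThirdPartySecurityProductExample
if ($check.Detected) {
    Write-Host "Layer $($check.Layer): $($check.Product) active; skipping ASR rules."
    return [pscustomobject]@{ Success = $true; Skipped = $true }
}
```

Run it in an elevated Windows PowerShell session; on a host with only Defender active it reports Detected = $false and AMRunningMode = Normal.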

Version Management Tooling

  • VERSION file as single source of truth for version numbers
  • Tools/Bump-Version.ps1 — automated version bump across all 62 project files
    • DryRun mode for preview
    • CHANGELOG.md excluded (historical entries preserved)

📁 Files Changed

  • Utils/Dependencies.ps1 — New Test-ThirdPartySecurityProduct, updated Test-WindowsDefenderAvailable with IsPassiveMode
  • Modules/ASR/Public/Invoke-ASRRules.ps1 — 3-layer detection before Defender check, inline fallback for standalone mode
  • Tools/Verify-Complete-Hardening.ps1 — 3-layer detection, ASR verified as skipped when third-party product active
  • Tools/Bump-Version.ps1 — New file
  • VERSION — New file
  • 62 files updated with version bump (2.2.3 → 2.2.4)

🙏 Thanks

  • @VM-Master for reporting the CrowdStrike Falcon detection issue and confirming the fix

Full Changelog: v2.2.3...v2.2.4