Security Policies
Updated on 16 Feb 2021
Elastic Endpoint Security takes one of two general actions when it encounters a threat or adverse behavior: Detect or Prevent.
Detect generates an alert but does not block or quarantine a file.
Prevent blocks and quarantines a file that exceeds a set threshold.
At Expedient, when deploying to servers with pre-existing antivirus software, the Elastic sensor is deployed alongside the existing AV and left in 'Detect' mode for a period of one (1) week. After this one (1) week period elapses without issues, the existing AV is removed/uninstalled and the Endgame sensor is switched to 'Prevent' mode for all "Recommended" settings under the 'Threats' section of the endpoint policy.
If the sensor is deployed to a newly built server without AV, the sensor is deployed with a 'Prevent' policy from the start.
If you experience any adverse effects, please open a ticket at expedient.com/support or contact our Operations Support Center at 1-877-570-7827.
What is the "Recommended" setting?
This pertains to the MalwareScore Thresholds.
Malware thresholds are set in the sensor configuration and determine the action the sensor should take if malware is detected. Three different threshold levels enable you to adjust malware detection and prevention preferences to be conservative, aggressive, or at the recommended level.
The following table outlines how each threshold level can affect the number of generated alerts, false positive alerts, and the likelihood of malware going undetected.
| Threshold Level | Number of Generated Alerts | Number of False Positives | Probability of Undetected Malware |
|---|---|---|---|
| Conservative | Low | Low | Moderate |
| Recommended | Balanced | Balanced | Low |
| Aggressive | Moderate | Moderate | Low |
To determine if a file is malicious or benign, a machine learning model looks for static attributes of files (without executing the file) that include file structure, layout, and content. This includes information such as file header data, imports, exports, section names, and file size. These attributes are extracted from millions of benign and malicious file samples, which then are passed to a machine-learning algorithm that distinguishes a benign file from a malicious one. The machine learning model is updated as new data is procured and analyzed. As such, the MalwareScore may change slightly over time.
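The staged Detect-to-Prevent rollout and the threshold table above, worked through as an added example (not Expedient's or Elastic's own code). The score cutoffs, the sample MalwareScores and the seven-day counter are constructed placeholders; the page does not publish the real cutoff values.

```python
from enum import Enum

class Mode(Enum):
    DETECT = "detect"    # alert only; nothing is blocked or quarantined
    PREVENT = "prevent"  # block and quarantine files above the threshold

# Assumed MalwareScore cutoffs (0-100) per threshold level. These are
# illustrative placeholders; the page does not publish the real cutoffs.
# A lower cutoff flags more files, so "aggressive" alerts the most.
THRESHOLDS = {"conservative": 90, "recommended": 75, "aggressive": 50}
DETECT_PERIOD_DAYS = 7  # one week in Detect before switching to Prevent

def rollout_mode(has_existing_av: bool, days_since_deploy: int) -> Mode:
    """Staged rollout: coexist with existing AV in Detect for a week,
    then Prevent; a freshly built server without AV starts in Prevent."""
    if not has_existing_av or days_since_deploy >= DETECT_PERIOD_DAYS:
        return Mode.PREVENT
    return Mode.DETECT

def decide(score: int, level: str, mode: Mode) -> str:
    """Action the sensor takes for one file at a given level and mode."""
    if score < THRESHOLDS[level]:
        return "allow"
    return "alert" if mode is Mode.DETECT else "block+quarantine"

# Constructed sample of (MalwareScore, actually_malicious) pairs.
SAMPLES = [
    (5, False), (12, False), (30, False), (45, False),
    (55, False), (62, False), (78, False), (82, False),
    (52, True), (70, True), (80, True), (88, True), (93, True), (97, True),
]

def evaluate(level: str) -> dict:
    """Count alerts, false positives and missed malware at one level."""
    cutoff = THRESHOLDS[level]
    alerts = false_positives = undetected = 0
    for score, malicious in SAMPLES:
        if score >= cutoff:
            alerts += 1
            if not malicious:
                false_positives += 1
        elif malicious:
            undetected += 1
    return {"alerts": alerts, "false_positives": false_positives,
            "undetected_malware": undetected}

if __name__ == "__main__":
    for level in THRESHOLDS:
        print(level, evaluate(level))
```

Running it shows the table's pattern on the constructed sample: conservative misses the most malware with no false positives, aggressive catches everything at the cost of the most alerts and false positives, and recommended sits between them.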