EDR Status service

The EDR Status service monitors the actions and status of SolarWinds Endpoint Detection & Response (EDR). It helps you confirm that EDR has been installed successfully and is running properly, and it shows whether EDR has detected any issues that require action on your part.

The service queries the SW EDR installation by running the SentinelCtl.exe executable and analyzing its output. SentinelCtl.exe is part of the SW EDR install package; for information on how to run it, refer to the following KB article:

https://documentation.solarwindsmsp.com/EDR/Content/sentinelctl/sentinelctl_windows_agent.htm

Details

Instances on a Device: 1
Supported Systems/Applications: Devices running SolarWinds Endpoint Detection & Response
Device Class: Server – Windows, Workstations – Windows, Laptops – Windows
Monitored By: Windows agent
Scan Interval: 10 minutes

Metrics

Dynamic Engines

Monitors that EDR’s Dynamic Detection Engines are loaded. This metric reports a Failed state if any of the following engines are disabled in the EDR profile:

  • DBT – Executables
  • Documents
  • Scripts
  • Lateral Movement
  • Anti Exploitation / Fileless
  • Potentially Unwanted Applications

EDR Kernel Driver

Monitors that the EDR Kernel Driver has been loaded. The driver is only loaded after the device has been rebooted following the initial install of SW EDR, so it is normal for this metric to report a Failed state until that reboot has taken place.

Infected Status

Monitors whether SW EDR has detected an infection on the device. This metric only reports a Failed state when an infection has been found and an action must be taken.

Is EDR Installed

Monitors whether SW EDR has been installed on the device.

Status of the EDR Windows Service

Monitors whether the EDR Windows Service (Sentinel agent) is running.

Tamper Protection

Monitors the state of Tamper Protection on the device. Tamper Protection is controlled in the EDR profile, under the Agent Configuration section – look for the Anti Tamper toggle switch.
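As an added illustration (not SolarWinds' own check), the PowerShell below sketches how the six metrics above could be derived from SentinelCtl.exe output and the Windows service state, in the way the service description says the check works. The SentinelCtl.exe path, the `status` subcommand, the service name SentinelAgent, the output line formats and the sample lines are assumptions or constructed for this example; check them against the SentinelCtl KB article linked above.

```powershell
# Added example, not SolarWinds code. True = metric passes; False = the Failed state.
$SentinelCtl = 'C:\Program Files\SentinelOne\Sentinel Agent\SentinelCtl.exe'  # assumed path

# Engines the Dynamic Engines metric requires to be enabled (names as on the page).
$RequiredEngines = @('DBT - Executables', 'Documents', 'Scripts',
                     'Lateral Movement', 'Anti Exploitation / Fileless',
                     'Potentially Unwanted Applications')

function Get-EdrStatus {
    param([string[]]$StatusLines, [string[]]$EngineLines)

    # Is EDR Installed: the package ships SentinelCtl.exe, so its presence is the check.
    $installed = Test-Path -LiteralPath $SentinelCtl
    # Status of the EDR Windows Service: service name 'SentinelAgent' is an assumption.
    $service = Get-Service -Name 'SentinelAgent' -ErrorAction SilentlyContinue

    # Dynamic Engines: assumed one "<engine>: Enabled|Disabled" line per engine.
    $disabled = foreach ($e in $RequiredEngines) {
        $pattern = '^\s*' + [regex]::Escape($e) + '\s*:\s*Disabled'
        if ($EngineLines -match $pattern) { $e }
    }

    # The remaining metrics are read from assumed lines of 'SentinelCtl.exe status'.
    [pscustomobject][ordered]@{
        'Is EDR Installed'    = [bool]$installed
        'EDR Windows Service' = [bool]($service -and $service.Status -eq 'Running')
        'EDR Kernel Driver'   = [bool]($StatusLines -match 'SentinelMonitor is loaded')
        'Tamper Protection'   = [bool]($StatusLines -match 'Self-Protection status: On')
        'Infected Status'     = -not [bool]($StatusLines -match '^Infected status:\s*Infected')
        'Dynamic Engines'     = (@($disabled).Count -eq 0)
        'Disabled Engines'    = @($disabled)
    }
}

# Live use on a device (assumed subcommands):
#   $status  = & $SentinelCtl status
#   $engines = & $SentinelCtl engines
# Offline run with constructed sample output:
$sampleStatus  = @('SentinelMonitor is loaded', 'SentinelAgent is running',
                   'Self-Protection status: On', 'Infected status: Not infected')
$sampleEngines = @('DBT - Executables: Enabled', 'Documents: Enabled',
                   'Scripts: Disabled', 'Lateral Movement: Enabled',
                   'Anti Exploitation / Fileless: Enabled',
                   'Potentially Unwanted Applications: Enabled')
Get-EdrStatus -StatusLines $sampleStatus -EngineLines $sampleEngines
# With this sample, Dynamic Engines is False because 'Scripts' is disabled.
```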