Policy Engines

The Engines section of the policy shows the RMM EDR engines on the Agent that scan and inspect activity.

RMM EDR Engines

Engine Name / Description

Reputation

An engine that uses the SolarWinds Cloud to make sure that no known malicious files are written to the disk or executed. This cannot be disabled.

DFI (Deep File Inspection)

A preventive Static AI engine that scans for malicious files when they are written to the disk and on execute. It supports portable executable (PE) files, files that match the PE format, and EICAR test files.

DFI - Suspicious

A Static AI engine that scans for suspicious files when written to the disk and on execute. The Agent considers a file to be Suspicious when the file generates a lower AI confidence score. We recommend that you leave this Engine enabled. The indicators in Forensics will help you quickly analyze whether the file is a threat or benign. If safe, you can apply Mark as Benign to make sure the same file always gets a benign score when detected.

Application Control

An engine of the CWPP and Linux Agents that detects execution of foreign processes that impair the immutable state of the container workload. This engine runs on supported Kubernetes platforms and Linux servers running Docker.

Note: This engine works On-Write only. If you disable On-Write mode in the Engine Options, this engine is disabled.

DBT - Executables (Dynamic Behavioral Tracking)

A Behavioral AI engine that implements advanced machine learning tools. This engine detects malicious activities in real-time, when processes execute.

Documents, Scripts

A Behavioral AI engine, focused on all types of documents and scripts.

Lateral Movement

A Behavioral AI engine that detects attacks initiated by remote devices.

Anti Exploitation / Fileless

A Behavioral AI engine, focused on exploits and all fileless attack attempts, such as web-related and command line exploits.

Potentially unwanted applications

A Static AI engine on macOS devices that inspects applications that are not malicious, but are considered unsuitable for business networks.

Detect Interactive Threat

The Detect Interactive Threat engine is part of the Behavioral AI and focuses on insider threats (for example, an authenticated user runs malicious actions from a CMD or PowerShell command line). This engine detects malicious commands in interactive sessions.

It does not detect non-interactive sessions. For example, if a Word document triggers a PowerShell session that runs malicious commands, a different engine will detect that.

Detect Interactive Threat is disabled by default. If you want to protect your endpoints from malicious commands that are entered in a CLI, enable this engine. However, if you enable it on endpoints whose users work in a CLI regularly, expect a number of false positives. (Windows only)
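As an added illustration of the interactive versus non-interactive distinction described above (this is example code, not the product's own detection logic): a small Python classifier that walks a shell process's parent chain to decide whether the shell was started by a user at the desktop or by a document handler or service host. The process names, the parent-chain heuristic and the sample events are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Constructed process-start events (not real telemetry); ppid 0 = no recorded parent.
@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Assumption: a shell descending from one of these was launched by a user at the
# desktop or terminal, so the commands typed into it are "interactive".
USER_LAUNCHERS = {"explorer.exe", "windowsterminal.exe"}
# Assumption: a shell descending from a document handler or service host is
# "non-interactive" (the page's Word-document-spawns-PowerShell case).
AUTOMATED_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "services.exe", "wscript.exe"}

def classify_session(event, by_pid):
    """Return 'interactive', 'non-interactive', or 'n/a' for one event."""
    if event.image.lower() not in SHELLS:
        return "n/a"
    # PowerShell's -NonInteractive switch is an explicit declaration of intent.
    if "-noninteractive" in event.cmdline.lower():
        return "non-interactive"
    cur, hops = by_pid.get(event.ppid), 0
    while cur is not None and hops < 16:          # walk up the parent chain
        name = cur.image.lower()
        if name in AUTOMATED_PARENTS:
            return "non-interactive"
        if name in USER_LAUNCHERS:
            return "interactive"
        cur, hops = by_pid.get(cur.ppid), hops + 1
    return "non-interactive"                      # unknown origin: treat as automated

def sample_events():
    """Constructed sample: a user shell, a document-spawned shell, a service job."""
    evs = [
        ProcessEvent(1, 0, "explorer.exe", "explorer.exe"),
        ProcessEvent(2, 1, "cmd.exe", "cmd.exe"),
        ProcessEvent(3, 2, "powershell.exe", "powershell.exe -c whoami"),
        ProcessEvent(10, 1, "WINWORD.EXE", "winword.exe report.docx"),
        ProcessEvent(11, 10, "powershell.exe", "powershell.exe -w hidden -c Get-Process"),
        ProcessEvent(20, 0, "services.exe", "services.exe"),
        ProcessEvent(21, 20, "pwsh.exe", "pwsh.exe -NonInteractive -File job.ps1"),
    ]
    return {e.pid: e for e in evs}

def classify_all(by_pid):
    """Map pid -> session class for every shell event in the sample."""
    return {pid: classify_session(e, by_pid) for pid, e in by_pid.items()
            if e.image.lower() in SHELLS}
```

Only the shells classified as interactive fall within the scope of Detect Interactive Threat; the document-spawned and service-spawned shells are the cases the page says other engines cover.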

Modes of Engine Behavior

  • On Write - Use the Static AI and Reputation engines to monitor files written to disk. The On Write mode, with Deep File Inspection and Reputation, is active immediately.
  • On Execute - Monitor behavior and detect malicious activity when a process initiates.

If Full disk scan on install is enabled in the policy of the Agent, it starts to scan the endpoint. This applies to Windows Agent version 2.1 and later, macOS Agent version 2.5 and later, and Linux Agent version 2.6.3 and later.

The Dynamic Engines (Behavioral AI) mode becomes active after you or the end-user restart the endpoint. In the Management Console, the endpoint status is Pending Reboot until it restarts.

If necessary, you can disable the On Write or On Execute modes to use only part of the SW EDR functionality. This is not recommended as it decreases security.

Policy Engines by OS

Each policy shows all the engines that Agents can use. Some engines are supported on some operating systems but not on others. You can assign a policy to a group of Agents with mixed operating systems. There is no impact (and no message) if engines that some of the Agents cannot use are enabled.

Engine Name / Windows

  • Reputation
  • DFI (Deep File Inspection)
  • DFI - Suspicious
  • Application Control
  • DBT - Executables
  • Documents, Scripts
  • Lateral Movement
  • Anti Exploitation / Fileless
  • Potentially unwanted applications
  • Detect Interactive Threat (Advanced Mode)