is this project dead???

edrav2/eprj/curl/lib/vtls/vtls.c:

CURLcode Curl_pin_peer_pubkey(struct Curl_easy *data,
const char *pinnedpubkey,
const unsigned char *pubkey, size_t pubkeylen)
{
........

/* compute sha256sum of public key */
sha256sumdigest = malloc(CURL_SHA256_DIGEST_LENGTH);
if(!sha256sumdigest)
  return CURLE_OUT_OF_MEMORY;

//sha256sumdigest malloc ok

encode = Curl_ssl->sha256sum(pubkey, pubkeylen,
                    sha256sumdigest, CURL_SHA256_DIGEST_LENGTH);

if(encode != CURLE_OK)
  return encode;
**// here  maybe memleak**

encode = Curl_base64_encode(data, (char *)sha256sumdigest,
                            CURL_SHA256_DIGEST_LENGTH, &encoded,
                            &encodedlen);
Curl_safefree(sha256sumdigest);

if(encode)
  return encode;

.....

Hey guys, I realized that the logs in the output folder C:\ProgramData\edrsvc\log\output_events, although they are a valid JSON, do not have a proper CRLF (carriage return line ending) (as you can see in line 57 below).

This is a bit problematic if you want to read the logs with Filebeat for instance. Is it possible to add a CRLF per line? Or even better that the JSON are not beautified (not pretty output)? That way we save time because there will be a JSON log per line with a proper carriage return.

I wonder if OpenEDR can replace anti-virus software like trendmicro officescan. If so, then there must be some signature-based or other form of virus rule updates every day or week. Then how do I know if it is reliable to detect viruses and threats?

Error Message:

Updating files: 100% (66966/66966), done.
Downloading edrav2/build/buildpipe/Tools/7za.exe (740 KB)
Error downloading object: edrav2/build/buildpipe/Tools/7za.exe (ea308c7): Smudge error: Error downloading edrav2/build/buildpipe/Tools/7za.exe (ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d): batch response: This repository is over its data quota. Account responsible for LFS bandwidth should purchase more data packs to restore access.

Your README and the press are calling this Open Source software.
But your License.md is the Commons Clause which explicitly says it is not Open Source:

Is this “Open Source”?
No.
“Open source”, has a specific definition that was written years ago and is stewarded by the Open Source Initiative, which approves Open Source licenses. Applying the Commons Clause to an open source project will mean the source code is available, and meets many of the elements of the Open Source Definition, such as free access to source code, freedom to modify, and freedom to re-distribute, but not all of them.

The difference is of course major for anyone who wants to join you in providing OpenEDR as a product.

Please fix your README.

Is your feature request related to a problem? Please describe.
Yes #30 #30 this feature request is so big but if replace it then Comodo have open source anti-virus and can make profit with that

Describe the solution you'd like
Just create a team for that and unite with Xylent. I know it's so revolutinary idea but it going to make Comodo profit so big
Describe alternatives you've considered
Alternative solution is if no one accept that project then I going to create my team for that project
Additional context
Auto containment techonology should under with that project if we do that and use otherrules etc. the antivirus become very strong than you imagine

Hi,

can someone share their Filebeat.yml configuration file? I can't seem to configure it right to show the logs that the OpenEDR collects... it only sends the metadata etc...

My filebeat.yml configuration:

**filebeat.inputs:

• type: log
  enabled: true
  paths:
  • c:\programdata\edrsvc\log\output_events*
    json.keys_under_root: true
    json.add_error_key: true
    json.message_key: log**

Maybe something to do with multiline.pattern?

Thanks ahead!

Add option to search for IoC on endpoints with using Yara rules. These rules could be imported to central console and distributed via console requests to endpoints_

So I'm fairly new to security research, not sure if EDR developers are typically friendly to research aiming to break into their product, but I do think it's ultimately a good thing for this kind of thing to be done, especially when it's published for all to learn from / respond to rather than quietly developed to be abused for cyber crime. After doing this I'll definitely share a write-up of the results, maybe even privately with the contributors here if possible ahead of a public paper.

Some questions I want to answer:

1. Could an open source project implement edge of the art payload anti-detection tradecraft in such a way to allow any non-sophisticated threat actor to leverage it easily?
2. Can publicly available endpoint threat detection tools (i.e. not custom tools or private tech for defense contractors / nation-states) deal with edge of the art payload anti-detection tradecraft effectively? Even get close?
3. If not, could we make an open-source tool (or improve one, for example this one) to be good enough to do that?

If we can demonstrate 1 to be true and 2 to be false (by defeating all the publicly available EDRs), then it would be really important to answer 3 (preferably in the affirmative).

I decided to start out testing against OpenEDR, since the source being available should make it the easiest tool to build a testing pipeline for. Some things I intend to test against this EDR:

• A new (maybe?) form of binary obfuscation. At least I haven't seen any literature on it, but I find relevant research I hadn't seen before every day, so who knows.
• A fresh take on some well known approaches to evading hooks to include getting rid of any visible jump tables
• Avoiding common OS API and standard lib hooks by importing obfuscated fresh copies of those libraries
• Using uncertainty in jump destinations to prevent behavior analysis outside of the intended target environment (evasion)
• If Event Tracing for Windows is being leveraged, I'll be testing some defeat methods (see last few paragraphs on that post) against that.
• To get really close to what I think might be the edge of the art in this problem-space, Windows does expose some built-in kernel hooking APIs which seem most useful (short of hooks injected via direct kernel patching, which Windows has long since prevented from happening) and if this EDR is using them, I'll be researching some ways to defeat those.

And if anyone close to the project's development would be willing to have discussion on some of the low-level advanced concepts involved, maybe exchange some back-and-forths on penetration approaches, perhaps we could all learn something.

The links above all point to posts by my reddit account, so it shouldn't be hard to get in touch if anyone likes, or else I'd be happy to have some discussion here openly within this issue. Basically for now I'm just hoping to learn about the core components of the EDR and sort of where this tool stands between 'state-of' and 'edge-of' the art against the various defeat methods I'm interested in testing. It would save me a lot of time to have that dialogue.

Hook evasion research: A little more on my research and why I say kernel hooks are most useful; It's just because of the way evasion (due to the existence of dynamic jump destinations based on conditions fundamentally uncertain to the defender combined with the variable-length nature of the x86 instruction set) makes it impossible for endpoint defense products to reliably predict what a program will do. The true control flow is fundamentally unknown. But in order to create an effect, the attacker must interface with the hardware or other processes in some way, which it must ask the kernel for permission to do (system calls). By 'hooking' (redirecting control flow to intermediately executed security subroutines) any calls to the kernel, the defender can gain valuable insight into the behavior of the program when it executes on its intended target, despite evasive behavior, and potentially recognize / stop the threat. So as the attacker, we really need to avoid these kernel hooks. Windows actually really hurts the defender here by forcing its own implementation of this (here's an example of this for filesystem interaction), so by exploiting this single implementation, every single endpoint security product which leverages Windows kernel hooks can potentially be subverted.

Binary obfuscation research: So right now I would say most attacks don't involve great obfuscation. Some of the best source code obfuscation tools out there (like Tigress) are aimed at preventing reverse engineering (because that's where the money is) moreso than avoiding detection, resulting in very recognizable control flow graph patterns and well, binary obfuscation is hard. But binary obfuscation is much more powerful, and it is likely possible to innovate in this space, through the approach I mentioned previously and others. Even where we might struggle to evade certain kernel-level system call hooks, we can add noise to this analysis channel. This could fool some signatures based on analyzing system call sequences, although other heuristic based signatures might not be fooled, hence the importance of the previous bullet for attacking those more robust defenses by evading the hooks themselves. Still other signature metrics exist beyond system call sequences, to include resource usage patterns, register activity patterns, and so on, all of which an EDR endpoint sensor might seek to analyze.

But this list will probably double in size as I probe the EDR and see what mechanisms and detection strategies are used. I'll comment on this thread as I find potential attack vectors against the tool and better understand its inner workings, and seek further discussion with anyone interested in this. As I said, I'm no veteran researcher and I surely have much to learn on the topic. Thanks ahead of time for any advice or insight given!

Sirs, good morning.

It is possible to customize the dashboards.

Currently we have a parse problem for filebeat, every event should start on new line.
Lets have multi-line and single-line option as configurable

I'm encountering errors while trying to build the openedr project. Despite multiple attempts, I haven't been able to resolve it. I have built all except libcloud and edrsvc.
Since I'm stuck, I've reached out to the maintainer for assistance. Could you please lend a hand in getting this project built successfully?
Feels like I am lost now so please give your helping hand.
@ozercomodo @Cunfuu @ComodoMelih @seroza @yucecengiz @stnert @pbasilcom

Describe the bug
I am trying to build an openEdr project that uses this library in Visual Studio 2019 with C++ Language runtime ISO C++17 Standard (/std:c++17). Once it compiles .pb.cc files, it generates lots of error 400+.

I am done with all the required library in eproj dir and finally, these errors were getting.
Except for libcloud and edrsvc all other projects have been built successfully.
I am getting Errors in the project libcloud and edrsvc only.

To Reproduce
Steps to reproduce the behavior:

1. Go to 'https://github.com/ComodoSecurity/openedr'
2. Clone the repo
3. Build all the eproj libraries.
4. Go to dir 'edrav2/build/vs2019' and open the .sln file in Visual Studio with admin.
5. See errors in Visual Studio

Expected behavior
The project should be built successfully and generate .dll,.lib, .sys, and .exe files wherever applicable without any errors.

Screenshots

Build started... 1>------ Build started: Project: libcloud, Configuration: Debug x64 ------ 1>annotations.pb.cc 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/stubs/status.h(97,15): warning C4251: 'google::protobuf::util::status_internal::Status::error_message_': class 'std::basic_string<char,std::char_traits<char>,std::allocator<char>>' needs to have dll-interface to be used by clients of class 'google::protobuf::util::status_internal::Status' 1>C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.29.30037\include\xstring(4905): message : see declaration of 'std::basic_string<char,std::char_traits<char>,std::allocator<char>>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/stubs/logging.h(100,15): warning C4251: 'google::protobuf::internal::LogMessage::message_': class 'std::basic_string<char,std::char_traits<char>,std::allocator<char>>' needs to have dll-interface to be used by clients of class 'google::protobuf::internal::LogMessage' 1>C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.29.30037\include\xstring(4905): message : see declaration of 'std::basic_string<char,std::char_traits<char>,std::allocator<char>>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/io/coded_stream.h(1282,28): warning C4251: 'google::protobuf::io::CodedOutputStream::default_serialization_deterministic_': struct 'std::atomic<bool>' needs to have dll-interface to be used by clients of class 'google::protobuf::io::CodedOutputStream' 1>C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.29.30037\include\atomic(2859): message : see declaration of 'std::atomic<bool>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/arena_impl.h(307,23): warning C4251: 'google::protobuf::internal::SerialArena::space_allocated_': struct 'std::atomic<unsigned __int64>' needs to have dll-interface to be used by clients of class 'google::protobuf::internal::SerialArena' 1>C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.29.30037\include\atomic(2871): message : see declaration of 'std::atomic<unsigned __int64>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/arena_impl.h(412,29): warning C4251: 'google::protobuf::internal::ThreadSafeArena::alloc_policy_': class 'google::protobuf::internal::TaggedAllocationPolicyPtr' needs to have dll-interface to be used by clients of class 'google::protobuf::internal::ThreadSafeArena' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/arena_impl.h(112): message : see declaration of 'google::protobuf::internal::TaggedAllocationPolicyPtr' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/arena_impl.h(415,29): warning C4251: 'google::protobuf::internal::ThreadSafeArena::threads_': struct 'std::atomic<google::protobuf::internal::SerialArena *>' needs to have dll-interface to be used by clients of class 'google::protobuf::internal::ThreadSafeArena' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/arena_impl.h(415): message : see declaration of 'std::atomic<google::protobuf::internal::SerialArena *>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/arena_impl.h(416,29): warning C4251: 'google::protobuf::internal::ThreadSafeArena::hint_': struct 'std::atomic<google::protobuf::internal::SerialArena *>' needs to have dll-interface to be used by clients of class 'google::protobuf::internal::ThreadSafeArena' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/arena_impl.h(415): message : see declaration of 'std::atomic<google::protobuf::internal::SerialArena *>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/arenastring.h(77,43): warning C4251: 'google::protobuf::internal::LazyString::inited_': struct 'std::atomic<const std::string *>' needs to have dll-interface to be used by clients of class 'google::protobuf::internal::LazyString' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/arenastring.h(77): message : see declaration of 'std::atomic<const std::string *>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/arenastring.h(323,26): warning C4251: 'google::protobuf::internal::ArenaStringPtr::tagged_ptr_': class 'google::protobuf::internal::TaggedPtr<std::string>' needs to have dll-interface to be used by clients of struct 'google::protobuf::internal::ArenaStringPtr' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/arenastring.h(118): message : see declaration of 'google::protobuf::internal::TaggedPtr<std::string>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/metadata_lite.h(261,15): warning C4251: 'google::protobuf::internal::LiteUnknownFieldSetter::buffer_': class 'std::basic_string<char,std::char_traits<char>,std::allocator<char>>' needs to have dll-interface to be used by clients of class 'google::protobuf::internal::LiteUnknownFieldSetter' 1>C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.29.30037\include\xstring(4905): message : see declaration of 'std::basic_string<char,std::char_traits<char>,std::allocator<char>>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/message_lite.h(445,30): warning C4251: 'google::protobuf::MessageLite::_internal_metadata_': class 'google::protobuf::internal::InternalMetadata' needs to have dll-interface to be used by clients of class 'google::protobuf::MessageLite' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/metadata_lite.h(62): message : see declaration of 'google::protobuf::internal::InternalMetadata' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/implicit_weak_message.h(93,15): warning C4251: 'google::protobuf::internal::ImplicitWeakMessage::data_': class 'std::basic_string<char,std::char_traits<char>,std::allocator<char>>' needs to have dll-interface to be used by clients of class 'google::protobuf::internal::ImplicitWeakMessage' 1>C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.29.30037\include\xstring(4905): message : see declaration of 'std::basic_string<char,std::char_traits<char>,std::allocator<char>>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/generated_message_util.h(193,20): warning C4251: 'google::protobuf::internal::CachedSize::size_': struct 'std::atomic<int>' needs to have dll-interface to be used by clients of class 'google::protobuf::internal::CachedSize' 1>C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.29.30037\include\atomic(2866): message : see declaration of 'std::atomic<int>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/stubs/mutex.h(136,40): warning C4251: 'google::protobuf::internal::WrappedMutex::mu_': class 'google::protobuf::internal::CallOnceInitializedMutex<std::mutex>' needs to have dll-interface to be used by clients of class 'google::protobuf::internal::WrappedMutex' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/stubs/mutex.h(136): message : see declaration of 'google::protobuf::internal::CallOnceInitializedMutex<std::mutex>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.h(1627,25): warning C4251: 'google::protobuf::FileDescriptor::LazyInitData::once': struct 'std::once_flag' needs to have dll-interface to be used by clients of struct 'google::protobuf::FileDescriptor::LazyInitData' 1>C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.29.30037\include\xcall_once.h(21): message : see declaration of 'std::once_flag' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.h(2041,27): warning C4251: 'google::protobuf::DescriptorPool::tables_': class 'std::unique_ptr<google::protobuf::DescriptorPool::Tables,std::default_delete<google::protobuf::DescriptorPool::Tables>>' needs to have dll-interface to be used by clients of class 'google::protobuf::DescriptorPool' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.h(2041): message : see declaration of 'std::unique_ptr<google::protobuf::DescriptorPool::Tables,std::default_delete<google::protobuf::DescriptorPool::Tables>>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.h(2051,31): warning C4251: 'google::protobuf::DescriptorPool::unused_import_track_files_': class 'std::map<std::string,bool,std::less<std::string>,std::allocator<std::pair<const std::string,bool>>>' needs to have dll-interface to be used by clients of class 'google::protobuf::DescriptorPool' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.h(2051): message : see declaration of 'std::map<std::string,bool,std::less<std::string>,std::allocator<std::pair<const std::string,bool>>>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/io/zero_copy_stream_impl_lite.h(243,30): warning C4251: 'google::protobuf::io::CopyingInputStreamAdaptor::buffer_': class 'std::unique_ptr<uint8_t [],std::default_delete<uint8_t []>>' needs to have dll-interface to be used by clients of class 'google::protobuf::io::CopyingInputStreamAdaptor' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/io/zero_copy_stream_impl_lite.h(243): message : see declaration of 'std::unique_ptr<uint8_t [],std::default_delete<uint8_t []>>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/io/zero_copy_stream_impl_lite.h(334,30): warning C4251: 'google::protobuf::io::CopyingOutputStreamAdaptor::buffer_': class 'std::unique_ptr<uint8_t [],std::default_delete<uint8_t []>>' needs to have dll-interface to be used by clients of class 'google::protobuf::io::CopyingOutputStreamAdaptor' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/io/zero_copy_stream_impl_lite.h(243): message : see declaration of 'std::unique_ptr<uint8_t [],std::default_delete<uint8_t []>>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/unknown_field_set.h(206,29): warning C4251: 'google::protobuf::UnknownFieldSet::fields_': class 'std::vector<google::protobuf::UnknownField,std::allocator<google::protobuf::UnknownField>>' needs to have dll-interface to be used by clients of class 'google::protobuf::UnknownFieldSet' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/unknown_field_set.h(206): message : see declaration of 'std::vector<google::protobuf::UnknownField,std::allocator<google::protobuf::UnknownField>>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/extension_set.h(1070,26): warning C4251: 'google::protobuf::internal::RepeatedPrimitiveDefaults::default_repeated_field_int32_t_': class 'google::protobuf::RepeatedField<int32_t>' needs to have dll-interface to be used by clients of class 'google::protobuf::internal::RepeatedPrimitiveDefaults' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/repeated_field.h(1045): message : see declaration of 'google::protobuf::RepeatedField<int32_t>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/extension_set.h(1071,26): warning C4251: 'google::protobuf::internal::RepeatedPrimitiveDefaults::default_repeated_field_int64_t_': class 'google::protobuf::RepeatedField<int64_t>' needs to have dll-interface to be used by clients of class 'google::protobuf::internal::RepeatedPrimitiveDefaults' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/repeated_field.h(1047): message : see declaration of 'google::protobuf::RepeatedField<int64_t>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/extension_set.h(1072,27): warning C4251: 'google::protobuf::internal::RepeatedPrimitiveDefaults::default_repeated_field_uint32_t_': class 'google::protobuf::RepeatedField<uint32_t>' needs to have dll-interface to be used by clients of class 'google::protobuf::internal::RepeatedPrimitiveDefaults' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/repeated_field.h(1046): message : see declaration of 'google::protobuf::RepeatedField<uint32_t>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/extension_set.h(1073,27): warning C4251: 'google::protobuf::internal::RepeatedPrimitiveDefaults::default_repeated_field_uint64_t_': class 'google::protobuf::RepeatedField<uint64_t>' needs to have dll-interface to be used by clients of class 'google::protobuf::internal::RepeatedPrimitiveDefaults' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/repeated_field.h(1048): message : see declaration of 'google::protobuf::RepeatedField<uint64_t>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/extension_set.h(1074,25): warning C4251: 'google::protobuf::internal::RepeatedPrimitiveDefaults::default_repeated_field_double_': class 'google::protobuf::RepeatedField<double>' needs to have dll-interface to be used by clients of class 'google::protobuf::internal::RepeatedPrimitiveDefaults' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/repeated_field.h(1050): message : see declaration of 'google::protobuf::RepeatedField<double>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/extension_set.h(1075,24): warning C4251: 'google::protobuf::internal::RepeatedPrimitiveDefaults::default_repeated_field_float_': class 'google::protobuf::RepeatedField<float>' needs to have dll-interface to be used by clients of class 'google::protobuf::internal::RepeatedPrimitiveDefaults' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/repeated_field.h(1049): message : see declaration of 'google::protobuf::RepeatedField<float>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/extension_set.h(1076,23): warning C4251: 'google::protobuf::internal::RepeatedPrimitiveDefaults::default_repeated_field_bool_': class 'google::protobuf::RepeatedField<bool>' needs to have dll-interface to be used by clients of class 'google::protobuf::internal::RepeatedPrimitiveDefaults' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/repeated_field.h(1044): message : see declaration of 'google::protobuf::RepeatedField<bool>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.pb.h(48,76): warning C4251: 'TableStruct_google_2fprotobuf_2fdescriptor_2eproto::aux': union 'google::protobuf::internal::AuxiliaryParseTableField' needs to have dll-interface to be used by clients of struct 'TableStruct_google_2fprotobuf_2fdescriptor_2eproto' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/generated_message_table_driven.h(141): message : see declaration of 'google::protobuf::internal::AuxiliaryParseTableField' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.pb.h(488,93): warning C4251: 'google::protobuf::FileDescriptorSet::file_': class 'google::protobuf::RepeatedPtrField<google::protobuf::FileDescriptorProto>' needs to have dll-interface to be used by clients of class 'google::protobuf::FileDescriptorSet' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.pb.h(470): message : see declaration of 'google::protobuf::RepeatedPtrField<google::protobuf::FileDescriptorProto>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.pb.h(873,49): warning C4251: 'google::protobuf::FileDescriptorProto::_has_bits_': class 'google::protobuf::internal::HasBits<1>' needs to have dll-interface to be used by clients of class 'google::protobuf::FileDescriptorProto' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/has_bits.h(83): message : see declaration of 'google::protobuf::internal::HasBits<1>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.pb.h(875,58): warning C4251: 'google::protobuf::FileDescriptorProto::dependency_': class 'google::protobuf::RepeatedPtrField<std::basic_string<char,std::char_traits<char>,std::allocator<char>>>' needs to have dll-interface to be used by clients of class 'google::protobuf::FileDescriptorProto' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/repeated_ptr_field.h(1235): message : see declaration of 'google::protobuf::RepeatedPtrField<std::basic_string<char,std::char_traits<char>,std::allocator<char>>>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.pb.h(876,89): warning C4251: 'google::protobuf::FileDescriptorProto::message_type_': class 'google::protobuf::RepeatedPtrField<google::protobuf::DescriptorProto>' needs to have dll-interface to be used by clients of class 'google::protobuf::FileDescriptorProto' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.pb.h(667): message : see declaration of 'google::protobuf::RepeatedPtrField<google::protobuf::DescriptorProto>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.pb.h(877,93): warning C4251: 'google::protobuf::FileDescriptorProto::enum_type_': class 'google::protobuf::RepeatedPtrField<google::protobuf::EnumDescriptorProto>' needs to have dll-interface to be used by clients of class 'google::protobuf::FileDescriptorProto' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.pb.h(685): message : see declaration of 'google::protobuf::RepeatedPtrField<google::protobuf::EnumDescriptorProto>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.pb.h(878,96): warning C4251: 'google::protobuf::FileDescriptorProto::service_': class 'google::protobuf::RepeatedPtrField<google::protobuf::ServiceDescriptorProto>' needs to have dll-interface to be used by clients of class 'google::protobuf::FileDescriptorProto' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.pb.h(703): message : see declaration of 'google::protobuf::RepeatedPtrField<google::protobuf::ServiceDescriptorProto>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.pb.h(879,94): warning C4251: 'google::protobuf::FileDescriptorProto::extension_': class 'google::protobuf::RepeatedPtrField<google::protobuf::FieldDescriptorProto>' needs to have dll-interface to be used by clients of class 'google::protobuf::FileDescriptorProto' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.pb.h(721): message : see declaration of 'google::protobuf::RepeatedPtrField<google::protobuf::FieldDescriptorProto>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.pb.h(880,53): warning C4251: 'google::protobuf::FileDescriptorProto::public_dependency_': class 'google::protobuf::RepeatedField<int32_t>' needs to have dll-interface to be used by clients of class 'google::protobuf::FileDescriptorProto' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/repeated_field.h(1045): message : see declaration of 'google::protobuf::RepeatedField<int32_t>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.pb.h(881,53): warning C4251: 'google::protobuf::FileDescriptorProto::weak_dependency_': class 'google::protobuf::RepeatedField<int32_t>' needs to have dll-interface to be used by clients of class 'google::protobuf::FileDescriptorProto' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/repeated_field.h(1045): message : see declaration of 'google::protobuf::RepeatedField<int32_t>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.pb.h(1075,49): warning C4251: 'google::protobuf::DescriptorProto_ExtensionRange::_has_bits_': class 'google::protobuf::internal::HasBits<1>' needs to have dll-interface to be used by clients of class 'google::protobuf::DescriptorProto_ExtensionRange' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/has_bits.h(83): message : see declaration of 'google::protobuf::internal::HasBits<1>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.pb.h(1249,49): warning C4251: 'google::protobuf::DescriptorProto_ReservedRange::_has_bits_': class 'google::protobuf::internal::HasBits<1>' needs to have dll-interface to be used by clients of class 'google::protobuf::DescriptorProto_ReservedRange' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/has_bits.h(83): message : see declaration of 'google::protobuf::internal::HasBits<1>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.pb.h(1593,49): warning C4251: 'google::protobuf::DescriptorProto::_has_bits_': class 'google::protobuf::internal::HasBits<1>' needs to have dll-interface to be used by clients of class 'google::protobuf::DescriptorProto' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/has_bits.h(83): message : see declaration of 'google::protobuf::internal::HasBits<1>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.pb.h(1595,94): warning C4251: 'google::protobuf::DescriptorProto::field_': class 'google::protobuf::RepeatedPtrField<google::protobuf::FieldDescriptorProto>' needs to have dll-interface to be used by clients of class 'google::protobuf::DescriptorProto' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.pb.h(721): message : see declaration of 'google::protobuf::RepeatedPtrField<google::protobuf::FieldDescriptorProto>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.pb.h(1596,89): warning C4251: 'google::protobuf::DescriptorProto::nested_type_': class 'google::protobuf::RepeatedPtrField<google::protobuf::DescriptorProto>' needs to have dll-interface to be used by clients of class 'google::protobuf::DescriptorProto' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.pb.h(667): message : see declaration of 'google::protobuf::RepeatedPtrField<google::protobuf::DescriptorProto>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.pb.h(1597,93): warning C4251: 'google::protobuf::DescriptorProto::enum_type_': class 'google::protobuf::RepeatedPtrField<google::protobuf::EnumDescriptorProto>' needs to have dll-interface to be used by clients of class 'google::protobuf::DescriptorProto' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.pb.h(685): message : see declaration of 'google::protobuf::RepeatedPtrField<google::protobuf::EnumDescriptorProto>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.pb.h(1598,104): warning C4251: 'google::protobuf::DescriptorProto::extension_range_': class 'google::protobuf::RepeatedPtrField<google::protobuf::DescriptorProto_ExtensionRange>' needs to have dll-interface to be used by clients of class 'google::protobuf::DescriptorProto' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.pb.h(1461): message : see declaration of 'google::protobuf::RepeatedPtrField<google::protobuf::DescriptorProto_ExtensionRange>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.pb.h(1599,94): warning C4251: 'google::protobuf::DescriptorProto::extension_': class 'google::protobuf::RepeatedPtrField<google::protobuf::FieldDescriptorProto>' needs to have dll-interface to be used by clients of class 'google::protobuf::DescriptorProto' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.pb.h(721): message : see declaration of 'google::protobuf::RepeatedPtrField<google::protobuf::FieldDescriptorProto>' 1>C:\openedrBuild\openedrNew\openedr-release-2.5.1\openedr-release-2.5.1\edrav2\eprj\protobuf\include\google/protobuf/descriptor.pb.h(1600,94): warning C4251: 'google::protobuf::DescriptorProto::oneof_decl_': class

Desktop (please complete the following information):

• OS: Windows
• Browser: NA
• Version: OS 10

Additional context
Protobuf Version: main/v3.19.4
Openedr version: V2.5.1.0
Language: C++
IDE: Visual Studio 2019 community edition

I don't understand how to resolve it. Please help me to resolve these issues. I will be very thankful to you for a great community.
Please help me, your helping hand will be appreciated a lot.
I am lost and trying a lot to resolve this issue but couldn't get success.
Now your expertise can save me.
@ozercomodo @Cunfuu @ComodoMelih @seroza @yucecengiz @stnert @pbasilcom

Thanks, community.

I have found two issues that can be chained by an attacker with high privileges in order to inject arbitrary hooks into any monitored process in an endpoint running openEDR.

1. Unsigned DLL Loading in the Injector Module

The EDR's injector driver loads specific DLLs into monitored processees to hook certain Windows APIs. However, the driver does not check correctly the loaded DLLs' signatures at all. This allows an attacker with high integrity privileges to use this legitimate driver, signed by Comodo, to load a malicious DLLs and perform userland hooking.

The isDllVerified() function is not being used and does not work correctly in current Windows versions.

2. DLL Hijacking in the Injector Module

The injector driver searches for DLLs to inject into the monitored processes in a predefined list of paths in priority order. The issue stems from the fact that, even though the second of these paths is properly protected, the first is not. This allows a user with high integrity privileges to drop a malicious DLL into this path, or overwrite a legitimate DLL in such path.

My OpenEDR requested a password reset because it had expired, after that, I reset the password, and when trying to log in to the dashboard, the KeePassXC TOTP that I use says that the TFA is invalid.

Please follow the screenshot for more information.

Thanks.

We need to get rid of encryption so the user can change the local file and apply changes.
The local policies should be the same as JSON format we use in paid-EDR
In local mode, it should read local policy changes and then apply it without restarting agent.

Hi everybody. I'm new and started learning about OpenEDR but when I read the documentation to deploy on my local machine I couldn't understand it. So can anyone guide me step by step to build OpenEDR on self-host? Sincerely thank.

We were silent but working hard to replace MadcHook. As you know This was blocker since MadcHook is a licenced product.
Now we have replaced all but we need extensive testing for compatibility.

We will make our binaries available before pushing it to public repo. Please let us know if you can contribute

Due to the commercial licensing of MadcHook, we want to replace it with Microsoft Detours https://github.com/microsoft/Detours . We need contributors to implement that with us. We will break it down into subtasks,

I encountered this error when I went to log in. And yes, I don't have any cookie blocker enabled on the domain.

Maintainers - @ozercomodo

Describe the bug
nfapi.h not found
To Reproduce
Run project at Visual Studio 2019

Expected behavior
No compile problems

Screenshots

Desktop (please complete the following information):
Windows 11

Dear Sirs,

Please explain how it is possible to contribute to this project?

I ask because it implies it is "open", however it requires the madhookcode library which you have to purchase at http://www.madcodehook.com/madCodeHookDescription.htm

I will try contacting the developer directory.

Hi,
As per readme at the time it publish the elasticsearch does not have openedr module. Is it supported now ?

Thanks

For roadmap items, I created another repository to make it visible to everyone. Please check: https://github.com/ComodoSecurity/openedr_roadmap/projects/1

I have filebeat picking up the logs from C:\\ProgramData\edrsvc\log\output_events\*.log and sending them to elasticsearch. However, I cannot parse the logs, as they are multiline json with no newline between (}{).

If we could make each log take up one line, or at least put a newline between json objects, that should make it possible for filebeat->elasticsearch to parse them.

edrav2/eprj/curl/lib/escape.c

char *curl_easy_escape(struct Curl_easy *data, const char *string,
int inlength)
{
....

alloc = (inlength?(size_t)inlength:strlen(string)) + 1;
newlen = alloc;

//malloc the ns memery
ns = malloc(alloc);
if(!ns)
return NULL;
//malloc ok

length = alloc-1;
while(length--) {
unsigned char in = string; / we need to treat the characters unsigned */

if(Curl_isunreserved(in))
  /* just copy this */
  ns[strindex++] = in;
else {
  /* encode it */
  newlen += 2; /* the size grows with two, since this'll become a %XX */
  if(newlen > alloc) {
    alloc *= 2;
    testing_ptr = Curl_saferealloc(ns, alloc);
    if(!testing_ptr)
      return NULL;
      // Here  will cause the memery leak.
    
.....

}

Hi there,
the parsing of pretty json log messages is not possible even with the multiline json option in filebeat.
The problem is that there is no newline after closing curly bracket and beginning of the new document.
}{

i read in the issues that this has been fixed.
Can you run another build with fixed stuff and put it into release?

Thanks in advance

I want to compile OpenEdr, and I also purchased Netfilter Sdk and MadcHook, but when I was compiling, I found nfapi::cmdedr related classes. May I ask if this class can be open source.

Hey I'm trying to figure out how this project works, can someone tell me where the "nfwfpdrv" driver is located how it is being installed and where I can find its source code if available

Hello. I am a security enthusiast who wants to start contributing to OpenEDR.
I am currently working in a well known XDR solution.
I have a real security background including DFIR, Malware analysis, Tools, POC's, etc'
At the moment I am in the Linux/Mac dev team in Cynet, Writing in C, C++, C#, Lua.

However, I visited your GitHub and I see almost no activity in the year.
Is the project still alive?

Urgent help wanted to test first release, please also express your environment, test steps and expected result : success or failure

I cannot uninstall openedr from Add/Remove program , it says no permission

i tried this from command line as system user and it works

msiexec /x OpenEDR-installation-2.0.0.0-x64.msi

Hello, Everyone

 Does someone rebuild this "open source" EDR successfully? I tried, but failed. Under Visual Studio 2019, the compilation failed with errors: 1) madCHook.h, No Such File or Directory. 2) System Includes.h No such file or directory. 3) No libboost_date_time-vc142-mt-sgd-x64-1_70.lib。

I'm not sure whether this project is indeed going to work for everyone. If not, I will try other open source projects for academic use. If yes, please give more instructions about how to compile and rebuild this project.

Thanks

Hi,

when i try (as admin or system) to stop edrsvc using sc stop edrsvc, i am getting this

**[SC] ControlService FAILED 1052:

The requested control is not valid for this service.**

Thanks for help

Hello,

Only Windows, any linux build? :(