Introduction to Padvish EDR Modules
The Padvish EDR system comprises several modules that can be chosen based on the license. These modules are as follows:
- Main EDR Module:
This module includes the essential EDR components: sensors, alerts, threat hunting, scanning, etc. It is the core of the product and focuses on detection and response.
- File Library Module:
The File Library module collects executable files from all EDR clients for analysis. It provides the basic service of automatically collecting and storing files and sending them to the analysis modules (Multi-AV, Sandbox and the static file analyzers), and it stores the results of those analyses.
- Multi-AV Module:
As its name suggests, the Multi-AV module scans files with several antivirus engines and presents their results side by side. Combining the verdicts of multiple engines is one of the quickest ways to catch malware that individual engines detect poorly; the module's verdict is the aggregation of all engines' results.
- Sandbox Module:
The Sandbox module provides a dynamic file analysis service, one of the most effective automatic methods for detecting entirely unknown malware. The file is transferred to an isolated environment (the sandbox) and executed there. Its exact behaviour is observed, and every operation, suspicious or not, is logged and reported. The final report helps the analyst decide whether the executed file was malicious and understand the scope of what it did.
- File Static Analyzers Module:
The File Static Analyzers module provides structural (static) analysis of scanned files. Its engines are categorised by file type and target operating system, so the Windows, Linux and Android engines can be selected separately.
The module contains a range of analysis engines that extract information from the file, including digital signature details, imported executable libraries, notable strings, packing and encryption status, executable machine type, and more. The extracted information is presented to the user for further analysis.
How to Use This Article
Installation requirements vary with several factors: the modules included in your license, the number of users (endpoints), how long logs and files are retained, and the volume of events and files generated in your organisation. This article gives the minimum acceptable requirements for a network with regular usage.
The article is organized into the following sections:
- Installation Requirements of Padvish EDR Base:
This section outlines the minimum installation requirements for the basic EDR license, EDR Base. This version includes only the main EDR module; additional modules such as Multi-AV and Sandbox are not included.
- Requirements to Install Additional Modules:
This section lists the requirements of each additional module separately. These requirements must be added to the EDR Base requirements.
Tips for Installation
- Typically, the installation requires one or more virtual machines.
- The Sandbox module is the exception: it must run on separate physical hardware (bare metal), not in a virtual machine.
- EDR Base can be installed on one or more Linux servers. The Multi-AV module, however, requires Windows machines.
- If your network already runs SQL Server and Elasticsearch with sufficient spare capacity, it is advisable to use those existing services. Note that the requirements in this document assume a complete deployment of these services alongside the EDR.
- To reduce the load on any single server and make better use of resources, distribute the virtual machines across multiple servers.
- Use SSD or NVMe storage for Elasticsearch. The File Library module can be stored on conventional hard drives.
Installation Requirements of Padvish EDR Base
This package represents the basic EDR only and does not include modules such as FAM, File Library, Multi-AV, etc.
Clients | Estimated EPS (events/s) | RAM (GB) | CPU (Core) | HDD (GB) | SSD (GB) | Network (Mbps) |
---|---|---|---|---|---|---|
1,000 | 300 | 19 | 4 | 650 | 10 | 2.4 |
2,000 | 600 | 20 | 4 | 1,200 | 20 | 4.8 |
5,000 | 1,500 | 22 | 5 | 3,000 | 50 | 12 |
10,000 | 3,000 | 26 | 6 | 6,000 | 100 | 24 |
20,000 | 6,000 | 34 | 8 | 12,000 | 200 | 48 |
50,000 | 15,000 | 58 | 14 | 30,000 | 500 | 120 |
File Library Module
Clients | FPD | RAM (GB) | CPU (Core) | HDD (GB) | Network (Mbps) |
---|---|---|---|---|---|
1,000 | 1,000 | 2 | 2 | 10 | 0.026 |
2,000 | 2,000 | 2 | 2 | 20 | 0.053 |
5,000 | 5,000 | 2 | 2 | 50 | 0.132 |
10,000 | 10,000 | 2 | 2 | 100 | 0.265 |
20,000 | 20,000 | 2 | 2 | 200 | 0.530 |
50,000 | 50,000 | 2 | 2 | 500 | 1.325 |
- The values above must be added to those of EDR Base and any other modules in use.
- FPD (Files Per Day) is the rate at which new or changed executable files appear across the clients, as a long-term average under normal conditions. The figures given are minimum requirements.
- The hard drive space is allocated for file archiving; if a long-term archive is not needed, new files replace older ones once the space is full.
Multi-AV Module
Clients | FPD | RAM (GB) | CPU (Core) | HDD (GB) | Network (Mbps) |
---|---|---|---|---|---|
10,000 | 14,400 | 2 | 2 | 25 | – |
20,000 | 28,800 | 4 | 4 | 50 | – |
50,000 | 72,000 | 10 | 10 | 125 | – |
- These values are per antivirus engine. If all 6 engines are deployed, multiply them by 6.
- These values must also be added to those of EDR Base and any other modules in use.
- FPD (Files Per Day) is the rate of executable-file changes, as a long-term average under normal conditions. The figures given are minimum requirements.
- This module must be used together with the File Library module, and the FPD considerations made for the File Library also apply here.
File Static Analyzers Module
Clients | FPD | RAM (GB) | CPU (Core) | HDD (GB) | Network (Mbps) |
---|---|---|---|---|---|
10,000 | 144,000 | 2 | 1 | 25 | – |
20,000 | 288,000 | 4 | 2 | 50 | – |
50,000 | 720,000 | 10 | 5 | 125 | – |
- The values above must be added to those of EDR Base and any other modules in use.
- FPD (Files Per Day) is the rate of executable-file changes, as a long-term average under normal conditions. The figures given are minimum requirements.
- This module must be used together with the File Library module, and the FPD considerations made for the File Library also apply here.
Sandbox Module
Clients | FPD | RAM (GB) | CPU (Core) | HDD (GB) |
---|---|---|---|---|
1,000 | 1,000 | 6 | 4 | 45 |
2,000 | 2,000 | 8 | 6 | 70 |
5,000 | 5,000 | 14 | 12 | 145 |
10,000 | 10,000 | 24 | 22 | 270 |
20,000 | 20,000 | 44 | 42 | 520 |
50,000 | 50,000 | 104 | 102 | 1,270 |
- The above specifications are for the physical host machine (bare metal) that runs the sandbox.
- These values must be added to those of EDR Base and any other modules in use. This module must be used together with the File Library module.
- The figures in the table are estimates. Files are sent to the sandbox at the administrator's discretion, so depending on your requirements you may choose a machine that is either more or less powerful than the corresponding row.
EDR Expert
Clients | EPS | RAM (GB) | CPU (Core) | HDD (GB) | SSD (GB) | Network (Mbps) |
---|---|---|---|---|---|---|
1,000 | 300 | 41 | 23 | 850 | 10 | 2.4 |
2,000 | 600 | 44 | 25 | 1,485 | 20 | 4.8 |
5,000 | 1,500 | 52 | 32 | 3,390 | 50 | 12 |
10,000 | 3,000 | 66 | 43 | 6,565 | 100 | 24 |
- The figures in the table above are derived from the module tables, assuming all 6 antivirus engines are deployed, and are given here for convenience. All the points made for the individual modules apply here as well.
- The part of these specifications that belongs to the Sandbox module must be provided on physical hardware; the rest can be virtual.
- The considerations about EPS and FPD, together with the corresponding estimates stated for the individual modules, also apply here.
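The following is an added sizing calculator (not Padvish tooling or part of the original article) that transcribes the module tables above and combines them by the article's own rules: each module is added on top of EDR Base, the Multi-AV row is counted once per antivirus engine, and the Sandbox is reported as a separate bare-metal host, with Multi-AV in its own Windows pool. Two choices are this example's assumptions, not something the article states: a deployment is sized from the smallest table row whose client count is at least the requested count, with no extrapolation past the largest row, and the File Library and static analyzer hosts are grouped into their own VM pool because the article does not name their operating system. With these rules, 10,000 clients and 6 engines give the EDR Expert row's 66 GB RAM and 43 cores, while the HDD sum comes to 6,545 GB against the 6,565 GB listed, so treat the module tables as the floor and the consolidated table as the vendor's figure.

```python
"""Sizing calculator for a Padvish EDR deployment (added example, not vendor code).

Transcribes the per-module requirement tables from this article and combines
them by the article's rules. Row selection (smallest row covering the client
count, no extrapolation) and the pool grouping are this example's assumptions.
"""
from dataclasses import astuple, dataclass


@dataclass(frozen=True)
class Spec:
    """Resource requirement of one component, or a sum of several."""
    ram_gb: float = 0.0
    cpu_cores: float = 0.0
    hdd_gb: float = 0.0
    ssd_gb: float = 0.0
    network_mbps: float = 0.0

    def __add__(self, other: "Spec") -> "Spec":
        return Spec(*(a + b for a, b in zip(astuple(self), astuple(other))))

    def scale(self, factor: float) -> "Spec":
        return Spec(*(a * factor for a in astuple(self)))


# Rows transcribed from the article: clients -> Spec(RAM, CPU, HDD, SSD, network).
EDR_BASE = {
    1_000: Spec(19, 4, 650, 10, 2.4),
    2_000: Spec(20, 4, 1_200, 20, 4.8),
    5_000: Spec(22, 5, 3_000, 50, 12),
    10_000: Spec(26, 6, 6_000, 100, 24),
    20_000: Spec(34, 8, 12_000, 200, 48),
    50_000: Spec(58, 14, 30_000, 500, 120),
}
FILE_LIBRARY = {
    1_000: Spec(2, 2, 10, 0, 0.026),
    2_000: Spec(2, 2, 20, 0, 0.053),
    5_000: Spec(2, 2, 50, 0, 0.132),
    10_000: Spec(2, 2, 100, 0, 0.265),
    20_000: Spec(2, 2, 200, 0, 0.530),
    50_000: Spec(2, 2, 500, 0, 1.325),
}
MULTI_AV_PER_ENGINE = {  # per antivirus engine; multiplied by the engine count
    10_000: Spec(2, 2, 25),
    20_000: Spec(4, 4, 50),
    50_000: Spec(10, 10, 125),
}
STATIC_ANALYZERS = {
    10_000: Spec(2, 1, 25),
    20_000: Spec(4, 2, 50),
    50_000: Spec(10, 5, 125),
}
SANDBOX = {  # sized as a bare-metal host
    1_000: Spec(6, 4, 45),
    2_000: Spec(8, 6, 70),
    5_000: Spec(14, 12, 145),
    10_000: Spec(24, 22, 270),
    20_000: Spec(44, 42, 520),
    50_000: Spec(104, 102, 1_270),
}


def pick_row(table: dict, clients: int) -> Spec:
    """Smallest sized row that covers `clients`; refuses to extrapolate (assumption)."""
    for sized_for in sorted(table):
        if clients <= sized_for:
            return table[sized_for]
    raise ValueError(f"{clients} clients exceeds the largest sized row ({max(table):,})")


def size_deployment(clients: int, av_engines: int = 6, *, file_library: bool = True,
                    multi_av: bool = True, static_analyzers: bool = True,
                    sandbox: bool = True) -> dict:
    """Return per-pool and total requirements for the chosen module set."""
    if (multi_av or static_analyzers or sandbox) and not file_library:
        raise ValueError("Multi-AV, static analyzers and sandbox require the File Library module")
    pools = {
        "linux_vms": pick_row(EDR_BASE, clients),  # EDR Base runs on Linux servers
        "other_vms": Spec(),                       # File Library + static analyzers (OS not stated)
        "windows_vms": Spec(),                     # Multi-AV requires Windows machines
        "bare_metal": Spec(),                      # Sandbox must be a physical host
    }
    if file_library:
        pools["other_vms"] += pick_row(FILE_LIBRARY, clients)
    if static_analyzers:
        pools["other_vms"] += pick_row(STATIC_ANALYZERS, clients)
    if multi_av:
        pools["windows_vms"] = pick_row(MULTI_AV_PER_ENGINE, clients).scale(av_engines)
    if sandbox:
        pools["bare_metal"] = pick_row(SANDBOX, clients)
    total = Spec()
    for spec in pools.values():
        total += spec
    pools["total"] = total
    return pools


if __name__ == "__main__":
    for pool, spec in size_deployment(10_000).items():
        print(f"{pool:12} RAM {spec.ram_gb:>6g} GB  CPU {spec.cpu_cores:>5g}  "
              f"HDD {spec.hdd_gb:>7g} GB  SSD {spec.ssd_gb:>4g} GB  net {spec.network_mbps:g} Mbps")
```

Run it with the client count and engine count of your deployment; the `bare_metal` line is what must be bought as physical hardware, and the `windows_vms` line is the Windows capacity the Multi-AV engines need. For client counts below 10,000 the Multi-AV and static analyzer rows are taken from the 10,000-client line, which reproduces the EDR Expert RAM and CPU for 1,000 clients (41 GB, 23 cores).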