Next Generation Endpoint Detection and Response (EDR)

WatchWave agents scan the operating system looking for zero-day malware, rootkits, and suspicious anomalies. They can detect hidden files, cloaked processes, and unregistered network listeners, as well as inconsistencies in system call responses.
In addition to the agent capabilities, the server component uses a signature-based approach to intrusion detection, using its regular expression engine to analyze collected log data and look for indicators of compromise. WatchWave addresses the need for continuous monitoring and response to advanced threats. It is focused on providing.
WatchWave EDR provides advanced dashboards to demonstrate compliance with international security standards. The compliance manager, combined with its scalability and multi-platform support, helps world-leading organizations meet regulatory compliance requirements.
The WatchWave EDR agent runs at host level, combining anomaly-based and signature-based technologies to detect intrusions or software misuse. It can also be used to monitor user activity, assess system configuration, and detect vulnerabilities.

WatchWave EDR Files Malware Protection

WatchWave EDR has four file-based malware prevention capabilities, built for:
  1. Windows Portable Executable files (executable binaries compiled to run on the Windows operating system, commonly called PE files).
  2. macOS files (executable binaries compiled to run on the Mac operating system).
  3. Macros (embedded executable macro code contained in Microsoft Office files for Windows).
  4. Linux and Unix kernels.
The WatchWave EDR endpoint agent implementation allows us to evaluate files and block malware before it is allowed to execute. We do this using our kernel driver, which monitors filesystem activity, process execution, module loads, and document opens. The file in question is passed to the ML model evaluation engine, where features such as file entropy, header information, byte histograms, and more are extracted and then passed through the model.
If the score generated by the model exceeds the built-in threshold for malware, blocking actions are taken and alerts are generated. This allows us to block malware without the endpoint itself relying on cloud connectivity, signature distribution, or external threat intelligence.
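The following is an added illustration of the feature-extraction and threshold step described above; it is not WatchWave's code. The ML model is replaced by a hypothetical hand-weighted score, the threshold value is an assumption, and the two PE-like inputs are constructed inline.

```python
import math
from collections import Counter

MALWARE_THRESHOLD = 0.7  # assumed value; the real model threshold is not public

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0 (constant) .. 8 (uniform); packed/encrypted payloads sit near 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def byte_histogram(data: bytes) -> list:
    """256-bin normalised byte frequency vector, a typical static ML feature."""
    counts, n = Counter(data), max(len(data), 1)
    return [counts.get(b, 0) / n for b in range(256)]

def parse_pe_header(data: bytes) -> tuple:
    """Header features: DOS 'MZ' magic, and whether e_lfanew points at the 'PE' signature."""
    has_mz = data[:2] == b"MZ"
    has_pe = False
    if has_mz and len(data) >= 0x40:
        e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
        has_pe = data[e_lfanew:e_lfanew + 4] == b"PE\0\0"
    return has_mz, has_pe

def score(data: bytes) -> float:
    """Hypothetical stand-in for the ML model: a hand-weighted combination of the features."""
    has_mz, has_pe = parse_pe_header(data)
    hist = byte_histogram(data)
    s = shannon_entropy(data) / 8.0                 # high entropy -> likely packed
    s += 0.15 if (has_mz and not has_pe) else 0.0   # MZ stub without a PE signature
    s += 0.10 if max(hist) < 0.05 else 0.0          # no dominant byte value at all
    return min(s, 1.0)

def evaluate(data: bytes) -> dict:
    """Inline verdict: block when the score crosses the threshold, no cloud lookup needed."""
    s = score(data)
    return {"score": round(s, 3), "block": s >= MALWARE_THRESHOLD}

def build_sample_pe(body: bytes) -> bytes:
    """Constructed minimal PE-like blob: MZ stub, e_lfanew -> 0x40, 'PE' signature, then body."""
    return b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0" + body

# Constructed samples: low-entropy padded text vs. a uniformly distributed "packed" body.
BENIGN_LIKE = build_sample_pe(b"\x00" * 2000 + b"Hello, world!" * 20)
PACKED_LIKE = build_sample_pe(bytes(range(256)) * 8)
```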

WatchWave EDR Kernel behavioral Advanced Protections

Alongside file-based malware prevention, WatchWave EDR has inline behavioral evaluation and blocking against common adversary threat vectors. Rather than relying purely on Event Tracing for Windows (ETW) data from the OS, the WatchWave advanced EDR implementation leverages our kernel driver for data visibility. Combining this with detection logic in user mode, our agent is able to accurately evaluate the maliciousness of the actions a process is attempting.
Our behavioral protections include process injection protection, credential manipulation and harvesting protection, user authentication token manipulation protection, exploit protection, and ransomware protection. These major EDR categories contain a number of sub-techniques that protect against specific adversary tradecraft. For example, WatchWave EDR process injection protection spans many sub-techniques used by adversaries to achieve process injection and evade traditional defenses.
WatchWave EDR regularly updates these protections to stay up to date with, and ahead of, the latest adversary tradecraft. The WatchWave EDR kernel driver allows us to selectively monitor key system-level activities. WatchWave EDR carefully selects which system-level activities to monitor based on what is necessary to observe malicious behavior without impacting system performance.
We implement many hooks that run concurrently on a system, blocking certain potentially malicious requested actions or conditions and passing data to user-mode protection logic that decides whether the action is malicious. If it is, the WatchWave EDR driver is able to block the adversary action inline, before the execution ever happens and without requiring a specific malware signature or cloud connection.
We regularly update our set of hooks and visibility to ensure we can provide our customers the best possible protection. ScanWave is proud that our deep inspection capabilities have far less impact on system utilization than many inferior protection products.
Our benchmarks across ScanWave customers in the GCC and MENA regions show that, at the time of writing, we are using an average of 0.43% CPU on our Windows clients, 0.27% on macOS clients, and 1.2% on Linux clients.

WatchWave EDR Adversary tradecraft protection

WatchWave EDR adversary tradecraft protections are a set of protections similar to the kernel behavioral protections in that they are the result of real-time monitoring and analysis of actions on a system, but different in that they look at higher-level indicators to map post-compromise activity to the MITRE ATT&CK matrix.
The WatchWave EDR agent is able to accurately determine maliciousness from indicators such as process command lines, relationships between files written and executed on the system, the parents that spawned a process, and much more. Blocking actions related to tradecraft protections can take place on the endpoint within milliseconds, before damage or loss can occur.
WatchWave EDR supports over 100 analytics out of the box that can be edited or extended to create new, bespoke protections. These analytics are regularly updated and extended to account for evolving adversary behaviors. With them, we describe behaviors commonly seen when malware is delivered, when malicious scripts or software execute, or when built-in tools like PowerShell are misused by attackers.
The WatchWave EDR implementation of adversary tradecraft protection differs significantly from other similar technology in that it operates entirely independently on the endpoint in near real time, while most other solutions require cloud connectivity. If a rule matches an adversary behavior, WatchWave EDR alerts are generated. With a capability we call Reflex, autonomous actions can take place on the endpoint in isolation.
To achieve the highest level of protection, WatchWave EDR supports a hybrid architecture consisting of a single host agent that encapsulates all the layers mentioned for prevention, detection, and response, all managed through a centralized WatchWave platform.
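An added example, not WatchWave's analytics, of how two endpoint-local tradecraft analytics of the kind described above (parent/child relationship, and a file written then executed) can be expressed over an ordered event stream, with a Reflex-style local response. The image-name sets, analytic names, ATT&CK technique tags and the event stream are this example's own constructions.

```python
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}             # assumed sets
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

@dataclass
class Event:
    kind: str               # "process" (a process start) or "file_write"
    pid: int
    image: str              # full path of the started process, or of the writing process
    parent_image: str = ""  # process events only
    cmdline: str = ""       # process events only
    path: str = ""          # file_write events only

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(events: list) -> list:
    """Two analytics over an ordered event stream; returns (analytic, technique, action, pid).
    Technique tags are this example's own ATT&CK mapping, not WatchWave's."""
    written = {}    # lowercased path -> pid that wrote it (for written-then-executed)
    findings = []
    for ev in events:
        if ev.kind == "file_write":
            written[ev.path.lower()] = ev.pid
            continue
        img, parent = basename(ev.image), basename(ev.parent_image)
        # Analytic 1: an Office document handler spawning a script host.
        if parent in OFFICE_APPS and img in SCRIPT_HOSTS:
            findings.append(("office_spawns_script_host", "T1059", "block", ev.pid))
        # Analytic 2: a file written earlier in the stream is now being executed.
        if ev.image.lower() in written:
            findings.append(("dropped_file_executed", "T1204.002", "block", ev.pid))
    return findings

def reflex(findings: list) -> set:
    """Reflex-style autonomous response: the set of PIDs to terminate locally, no cloud needed."""
    return {pid for _, _, action, pid in findings if action == "block"}

# Constructed event stream (not real telemetry).
WORD = r"C:\Program Files\Microsoft Office\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
SAMPLE_EVENTS = [
    Event("process", 100, WORD, EXPLORER, "WINWORD.EXE invoice.docx"),
    Event("process", 101, PS, WORD, "powershell.exe -File invoice.ps1"),
    Event("file_write", 101, PS, path=r"C:\Users\Public\update.exe"),
    Event("process", 102, r"C:\Users\Public\update.exe", PS),
    Event("process", 103, PS, EXPLORER, "powershell.exe Get-Date"),   # benign: no match
]
```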

Next Generation File Integrity Monitoring (FIM)

ScanWave monitors the file system as required by PCI DSS and NIST, identifying changes to system executables, permissions, critical operating system files, and file attributes, and also identifying the users and applications used to create or modify critical files. In ScanWave's Next Generation SOC services, file integrity monitoring is combined with advanced threat intelligence to identify threats or compromised hosts at an early stage.
It also supports regulatory compliance standards, such as NIST and PCI DSS, that require it, providing the visibility and insights security analysts need to discover, investigate, and respond to threats and attack campaigns across multiple endpoints.
WatchWave helps detect hidden exploit processes that are more complex than a simple signature pattern and that can be used to evade traditional antivirus systems. In addition, the WatchWave agent provides active response capabilities that can be used to block a network attack, stop a malicious process, and quarantine a malware-infected file.
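An added example, not ScanWave's implementation, of the baseline-and-compare core of file integrity monitoring: a snapshot of hash, permissions, ownership and size per file, then a diff that distinguishes content changes from attribute-only changes. The demo builds its own throwaway directory; attributing a change to a user or application needs audit data beyond file metadata and is outside this example.

```python
import hashlib, os, stat, tempfile

def snapshot(root: str) -> dict:
    """Baseline: relative path -> SHA-256 and ownership/permission attributes per file."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
                             "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size}
    return baseline

def diff(old: dict, new: dict) -> list:
    """Each change is (path, kind, changed_fields); attribute-only changes are reported too."""
    changes = []
    for p in sorted(set(old) | set(new)):
        if p not in old:
            changes.append((p, "added", []))
        elif p not in new:
            changes.append((p, "removed", []))
        else:
            fields = [k for k in old[p] if old[p][k] != new[p][k]]
            if fields:
                changes.append((p, "modified", fields))
    return changes

def _write(root: str, rel: str, data: bytes, mode: int) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)
    os.chmod(full, mode)

def demo() -> list:
    """Constructed scenario: content change, permission-only change, new file, deleted file."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/app", b"v1", 0o755)
        _write(root, "etc/conf", b"k=1", 0o644)
        _write(root, "etc/old", b"x", 0o644)
        before = snapshot(root)
        _write(root, "bin/app", b"v2-modified", 0o755)     # content: hash and size change
        os.chmod(os.path.join(root, "etc/conf"), 0o600)    # attributes only
        os.remove(os.path.join(root, "etc/old"))
        _write(root, "etc/new.sh", b"#!/bin/sh\n", 0o755)  # unexpected new file
        return diff(before, snapshot(root))
```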

Ready to Get Started?

“Our specialists are ready to tailor our security service solutions to fit the needs of your organization.”