BI.ZONE EDR updated for better threat detection

The new BI.ZONE EDR version enhances the detection of complex threats for Windows. The Linux agent now monitors operations with inventory objects and is compatible with the Podman containerized environments. The users of BI.ZONE EDR can also set up task schedules to automate their routine processes

February 20, 2025

The update features customizable task scheduling, which allows recurring routine tasks (e.g., regular OS YARA scanning) to run automatically according to a user-defined schedule.

The BI.ZONE EDR agent for Windows introduces new functionality to better build complex algorithms for detecting malicious activity. Users can now dynamically add custom attributes to process and file objects and flexibly store arbitrary data for further access and handling. This, in particular, enables the preservation of certain statuses of OS object attributes, making this data available for future use in threat detection logic. These improvements facilitate more advanced detection algorithms that require historical context of monitored objects and call for detection logic based on event chains.

With the latest BI.ZONE EDR update, we enhanced the detection of complex threats for Windows. We also enabled compatibility with the Podman containerized environments for Linux and introduced task scheduling to automate routine processes. These improvements will boost our clients’ defenses and streamline their daily tasks.

Teymur Kheirkhabarov

Head of Cyber Threat Monitoring, Response and Research

Monitoring of operations with inventory objects is one of the key updates to the BI.ZONE EDR Linux agent. This feature ensures continuous monitoring of changes to critical OS objects. Along with initiator process data, the BI.ZONE EDR users can also get data about the changed object and the respective changes (e.g., which parameter was modified in the configuration file).

The latest BI.ZONE EDR version further enhances autonomous response in Linux environments. As part of this process, users can run any arbitrary commands and get their output. This feature allows them to go beyond the built-in response functionality and leverage custom scripts, should the IT infrastructure specifics or in-house procedures require so.

The Linux module now supports the Podman engine, which offers greater opportunities for managing and analyzing events in containerized environments. Specifically, users and administrators can access events such as taking inventory of running and stopped containers, starting or stopping a container, and enriching process run and file access events with container data. BI.ZONE EDR currently supports the monitoring of three container engines: Docker, ContainerD, and Podman.

Other major updates in the solution include new telemetry events and their enrichment scenarios and enhanced telemetry collection mechanisms for Linux (leveraging eBPF for process event collection). BI.ZONE EDR also offers advanced performance on Linux platforms through new caching and optimized inventory data collection mechanisms.

Earlier, the BI.ZONE EDR team released a research revealing that 66% of hosts in Russian companies have at least one dangerous misconfiguration that can be successfully exploited by adversaries. The most common type of misconfiguration involves password policy violations.