All agents share the same structure, but each uses its own collection process to receive information from the operating system and from integrations.

Myrmex Endpoint Security Event Collection Process

Myrmex Endpoint Security continuously collects security data from the operating system and connected devices, following a structured flow from kernel-level capture through local analysis to the cloud platform, so that analysis and protection happen in real time.

1. Kernel Mode

Syscall interception, network monitoring, etc.

2. User Mode

Security logs, audits, registry services, etc.

3. Myrmex Endpoint Security

Capture & Normalization, Enrichment, Local Protection Engines.

4. Myrmex Security Platform

Storage, Correlation, AI, Visualization, Distributed Response Actions.

The main steps of this process are as follows:

Event Collection

Kernel

  • Syscalls (System Calls): Monitors low-level interactions, such as file accesses, file system modifications, permission changes, and network calls.
  • Network Packet Monitoring: Captures and analyzes data traffic to identify suspicious patterns, such as malicious connections.

System

  • Audit Logs: Records security-relevant actions, such as authentications and administrator operations.
  • Hardware and Software Inventory: Generates a complete inventory of devices and applications.
  • Event Logs: Collects information about operations performed by services and privileged users.

Process Events

  • Inter-Process Interactions: Tracks process hierarchies (parent/child relationships) and communication between processes.
  • Associated Calls: Records the command lines and executions associated with each process to identify potentially malicious activity.

Data Standardization

Collected events are normalized according to the Myrmex event model, allowing consistent analysis and integration with other platform functionalities.

Local Processing and Enrichment

Collected data is analyzed locally before being transmitted to the cloud:
  • Context Addition: Events are enriched with additional information, such as source IP, geolocation, and hierarchical relationships between processes.
  • Behavioral Analysis: Specialized engines evaluate threat indicators, such as ransomware, cryptocurrency mining, abnormal resource usage, and exploits.
  • Machine Learning: Machine learning algorithms analyze data in real-time to identify anomalies and suspicious behaviors.
  • Event Classification: Events are categorized by criticality and risk levels, facilitating rapid response actions.
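
To make the Data Standardization and Local Processing and Enrichment steps concrete, the following Python example (added here; it is not Myrmex code) converts two constructed raw records, a kernel syscall-hook record and a user-mode authentication audit record, into one flat event model, attaches the process ancestry chain from a process table, and assigns a criticality level. The event-model field names, the raw record shapes, the process table and the criticality rules are assumptions chosen for illustration; the Myrmex event model itself is not described on this page.

```python
"""Normalization and enrichment of raw endpoint records into one flat event model.

Added example, not Myrmex code: the event-model field names, the two raw record
shapes, the process table and the criticality rules are assumptions."""
from datetime import datetime, timezone

# Constructed sample inputs. RAW_KERNEL mimics a syscall-hook record; RAW_AUDIT
# mimics a user-mode authentication audit record. Both are invented.
RAW_KERNEL = {
    "ts_ns": 1_700_000_000_123_456_789, "sys": "openat", "flags": "O_WRONLY|O_CREAT",
    "pid": 4211, "ppid": 3990, "uid": 1000, "comm": "python3",
    "path": "/etc/ld.so.preload",
}
RAW_AUDIT = {
    "time": "2023-11-14T22:13:20Z", "type": "USER_AUTH", "res": "failed",
    "pid": 4300, "ppid": 3990, "uid": 1000, "acct": "alice", "exe": "/usr/bin/sudo",
}

# Process table the agent would have built from earlier exec events:
# pid -> (process name, parent pid). Constructed for the example.
PROCESS_TABLE = {1: ("systemd", 0), 812: ("sshd", 1), 3990: ("bash", 812),
                 4211: ("python3", 3990), 4300: ("sudo", 3990)}

# Paths whose modification is rated critical (assumed rule set).
CRITICAL_PATHS = ("/etc/ld.so.preload", "/etc/cron.d/", "/etc/sudoers")
WRITE_ACTIONS = ("file_write", "file_delete", "file_rename", "permission_change")


def _syscall_action(sys_name, flags):
    """Map a syscall name (plus open flags) to a normalized action verb."""
    if sys_name == "openat":
        return "file_write" if ("O_WRONLY" in flags or "O_RDWR" in flags) else "file_read"
    return {"unlinkat": "file_delete", "renameat": "file_rename",
            "fchmodat": "permission_change", "connect": "network_connect"}.get(sys_name, sys_name)


def normalize_kernel(rec):
    """Kernel record -> event model. Nanosecond timestamp becomes ISO-8601 UTC."""
    action = _syscall_action(rec["sys"], rec.get("flags", ""))
    ts = datetime.fromtimestamp(rec["ts_ns"] / 1e9, tz=timezone.utc)
    return {"timestamp": ts.isoformat(timespec="milliseconds"), "source": "kernel",
            "category": "network" if action.startswith("network") else "file",
            "action": action, "pid": rec["pid"], "ppid": rec["ppid"], "uid": rec["uid"],
            "process_name": rec["comm"], "target": rec.get("path"), "outcome": "success"}


def normalize_audit(rec):
    """User-mode audit record -> event model; the target is the account involved."""
    return {"timestamp": rec["time"], "source": "audit", "category": "auth",
            "action": "authenticate", "pid": rec["pid"], "ppid": rec["ppid"],
            "uid": rec["uid"], "process_name": rec["exe"].rsplit("/", 1)[-1],
            "target": rec["acct"],
            "outcome": "failure" if rec["res"] == "failed" else "success"}


def enrich(event, proc_table=PROCESS_TABLE):
    """Attach the process ancestry (root first) by walking parent pids.
    The visited set and depth cap guard against pid reuse creating a loop."""
    chain, pid, seen = [], event["pid"], set()
    while pid in proc_table and pid not in seen and len(chain) < 32:
        seen.add(pid)
        name, ppid = proc_table[pid]
        chain.append(name)
        pid = ppid
    event["process_ancestry"] = " > ".join(reversed(chain))
    event["ancestry_depth"] = len(chain)
    return event


def classify(event):
    """Criticality from normalized fields (assumed rules, not the vendor's)."""
    target = event.get("target") or ""
    if event["action"] in WRITE_ACTIONS and target.startswith(CRITICAL_PATHS):
        return "critical"
    if event["category"] == "auth" and event["outcome"] == "failure":
        return "medium"
    return "low"


def process_all(raw_kernel=RAW_KERNEL, raw_audit=RAW_AUDIT):
    """Full local pipeline for the two sample records: normalize, enrich, classify."""
    events = [normalize_kernel(raw_kernel), normalize_audit(raw_audit)]
    for ev in events:
        enrich(ev)
        ev["criticality"] = classify(ev)
    return events


if __name__ == "__main__":
    for ev in process_all():
        print(ev["criticality"], ev["action"], ev["process_ancestry"], ev["target"])
```

The point of the ancestry walk is that a later rule can ask "who launched this?" without re-joining events: the write to /etc/ld.so.preload is rated critical on its own, but the chain systemd > sshd > bash > python3 is what tells an analyst it came from an interactive SSH session rather than a package manager.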

Local Protection (Offline/Online)

  • Malware Blocking: Detects and blocks trojans, ransomware, and spyware using signatures, heuristics, and behavioral analysis.
  • USB Device Control: Monitors connected devices, blocking unauthorized activities.
  • Automated Response: Executes corrective actions, such as:
    • Quarantining malicious files.
    • Terminating suspicious processes.
    • Isolating machines in case of critical incidents.

Secure Transmission to the Cloud

After local processing, events are sent to the Myrmex Security Platform with the following safeguards:
  • Integrity: Event data is hashed with SHA-256 before transmission. SHA-256 is a hash function, not a cipher, so this step provides tamper detection rather than confidentiality.
  • Secure Connection: Transmission to the cloud platform uses TLS 1.3, which encrypts the channel and authenticates the platform endpoint.
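
The following Python example (added here; not Myrmex code) shows what the two safeguards above actually provide. A SHA-256 digest over a canonical encoding of the batch detects modification of the payload, but because anyone who can alter the payload can also recompute a plain hash, it does not authenticate the sender; a keyed HMAC-SHA256 variant and a TLS 1.3-only client context are included as assumptions about how the transport would be hardened. The envelope fields and the enrolment key are invented for the example.

```python
"""Integrity tag plus a TLS 1.3-only client context for event upload.

Added example, not Myrmex code. SHA-256 is a hash, not a cipher: hashing the
payload gives tamper detection, not confidentiality, which comes from TLS 1.3.
The envelope fields and the enrolment key are assumptions."""
import hashlib
import hmac
import json
import ssl

# Constructed event batch, as the agent would emit after local processing.
EVENTS = [
    {"timestamp": "2023-11-14T22:13:20Z", "action": "file_write",
     "target": "/etc/ld.so.preload", "criticality": "critical"},
    {"timestamp": "2023-11-14T22:13:21Z", "action": "authenticate",
     "target": "alice", "outcome": "failure", "criticality": "medium"},
]


def canonical_bytes(events):
    """Canonical JSON (sorted keys, no whitespace) so both ends hash identical bytes."""
    return json.dumps(events, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _tag(body, key):
    """Plain SHA-256 when no key is given; HMAC-SHA256 when the agent has a key."""
    if key is None:
        return hashlib.sha256(body).hexdigest()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_envelope(events, key=None):
    """Wrap a batch with its integrity tag. A keyed tag is an assumption about
    what the platform would need to know the batch came from this agent."""
    body = canonical_bytes(events)
    return {"payload": body.decode("utf-8"), "sha256": _tag(body, key), "keyed": key is not None}


def verify_envelope(env, key=None):
    """Recompute the tag on the receiving side; constant-time compare."""
    expected = _tag(env["payload"].encode("utf-8"), key)
    return hmac.compare_digest(expected, env["sha256"])


def tamper(env, rehash=False):
    """Simulate an on-path modification that downgrades the critical event.
    With rehash=True the attacker also recomputes the unkeyed SHA-256."""
    events = json.loads(env["payload"])
    events[0]["criticality"] = "low"
    if rehash:
        return build_envelope(events)  # unkeyed digest: trivially recomputed
    return {**env, "payload": canonical_bytes(events).decode("utf-8")}


def make_client_context(cafile=None):
    """TLS 1.3-only client context that verifies the server certificate and
    hostname; pass the platform CA bundle as cafile to pin to it."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def context_is_tls13_only(ctx):
    return ctx.minimum_version == ssl.TLSVersion.TLSv1_3 == ctx.maximum_version


if __name__ == "__main__":
    env = build_envelope(EVENTS)
    print("intact:", verify_envelope(env))                                # True
    print("tampered:", verify_envelope(tamper(env)))                      # False
    print("tampered+rehash:", verify_envelope(tamper(env, rehash=True)))  # True: a hash is not a MAC
    key = b"agent-enrolment-secret"  # assumption: provisioned at enrolment
    keyed = build_envelope(EVENTS, key)
    print("keyed, tampered+rehash:", verify_envelope(tamper(keyed, rehash=True), key))  # False
    print("tls1.3 only:", context_is_tls13_only(make_client_context()))   # True
```

To upload, wrap a connected socket with `make_client_context().wrap_socket(sock, server_hostname=host)`; the context refuses anything below TLS 1.3 and fails the handshake if the certificate does not match the host. The third print line is the caveat that matters: an unkeyed SHA-256 only catches corruption or a careless attacker, so the channel (TLS 1.3) or a keyed tag must carry the authentication.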

Myrmex Endpoint Collection Capabilities

The following list describes the scope of Myrmex Endpoint event collection, which supports detailed analysis and proactive threat detection. Each entry gives the category, a description, and examples of the data collected.

Process and Thread Events
  Description: Detailed monitoring of process and thread creation, termination, and interaction, including their hierarchies.
  Examples of collected data:
    • Process hierarchy
    • Associated parameters and calls
    • Malicious scripts

Syscalls (System Calls)
  Description: Collection of operating system calls to identify low-level interactions and potential API abuse.
  Examples of collected data:
    • File accesses
    • Permission changes
    • Network calls

Network and Communication Events
  Description: Recording of connections and traffic patterns to identify malicious activity, such as connections to C&C servers.
  Examples of collected data:
    • TCP/UDP connections
    • DNS resolutions
    • Detection of abnormal traffic patterns

Security and Audit Logs
  Description: Collection of administrative logs and observation of changes to critical system configurations.
  Examples of collected data:
    • Accesses/authentications
    • Modifications to critical configurations

File and File System Monitoring
  Description: Recording of operations on files and directories, including changes to system binaries and libraries.
  Examples of collected data:
    • Accesses, deletions, and modifications
    • Changes to system libraries

Real-Time Analysis and Protection

While events are captured and processed, Myrmex Endpoint Security uses internal security engines to identify and respond to malicious behaviors. This is done in real-time, ensuring continuous protection, even in disconnected environments.

Local Threat Detection

  • Behavioral analysis to identify patterns associated with ransomware, trojans, cryptocurrency miners, and spyware.
  • Identification of persistence techniques, such as:
    • Modifications to startup files.
    • Abuse of trusted processes.
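
As an added example (not the vendor's detection logic), the following Python rules implement the two persistence checks listed above over constructed normalized events: writes to startup and autorun locations, and a trusted parent process spawning a command interpreter or similar binary. The location list, the parent/child sets and the event field names are assumptions; the sample events are invented.

```python
"""Two local persistence detections over normalized endpoint events:
startup/autorun modification and trusted-process abuse.

Added example, not Myrmex detection logic. Event field names, the location
list and the parent/child rules are assumptions chosen for illustration."""

# Autorun and startup locations the rule treats as sensitive: Windows Run keys
# and Linux cron/systemd/rc paths (prefix match), plus per-user files that can
# sit under any home directory (substring match). Matching is case-insensitive.
STARTUP_PREFIXES = (
    "hklm\\software\\microsoft\\windows\\currentversion\\run",
    "hkcu\\software\\microsoft\\windows\\currentversion\\run",
    "/etc/cron.d/", "/etc/systemd/system/", "/etc/rc.local",
)
STARTUP_SUBSTRINGS = ("/.config/autostart/", "/.bashrc", "/.profile")

# Parents that have no business spawning interpreters or script hosts.
TRUSTED_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                   "acrord32.exe", "nginx", "apache2", "httpd"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe", "sh", "bash", "dash"}
WRITE_LIKE = ("file_write", "file_create", "registry_set")


def touches_startup_location(target):
    t = target.lower()
    return t.startswith(STARTUP_PREFIXES) or any(s in t for s in STARTUP_SUBSTRINGS)


def detect(events):
    """Return one alert per matching event; non-matching events yield nothing."""
    alerts = []
    for ev in events:
        action = ev.get("action")
        if action in WRITE_LIKE and touches_startup_location(ev.get("target", "")):
            alerts.append({"rule": "persistence.startup_modification", "pid": ev["pid"],
                           "process": ev["process_name"], "target": ev["target"]})
        elif action == "process_start":
            parent = ev.get("parent_name", "").lower()
            child = ev["process_name"].lower()
            if parent in TRUSTED_PARENTS and child in SUSPICIOUS_CHILDREN:
                alerts.append({"rule": "persistence.trusted_process_abuse", "pid": ev["pid"],
                               "process": f"{parent} -> {child}",
                               "target": ev.get("command_line", "")})
    return alerts


def rule_counts(alerts):
    counts = {}
    for a in alerts:
        counts[a["rule"]] = counts.get(a["rule"], 0) + 1
    return counts


# Constructed normalized events (not real telemetry): five that should alert,
# followed by two benign ones that must not.
SAMPLE_EVENTS = [
    {"action": "process_start", "pid": 5120, "process_name": "powershell.exe",
     "parent_name": "WINWORD.EXE",
     "command_line": "powershell.exe -nop -w hidden -File C:\\Users\\Public\\u.ps1"},
    {"action": "registry_set", "pid": 5120, "process_name": "powershell.exe",
     "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"action": "file_write", "pid": 4211, "process_name": "python3",
     "target": "/etc/cron.d/sync-job"},
    {"action": "file_write", "pid": 4211, "process_name": "python3",
     "target": "/home/alice/.config/autostart/sync.desktop"},
    {"action": "process_start", "pid": 6001, "process_name": "bash",
     "parent_name": "nginx", "command_line": "bash -c 'cat /etc/passwd'"},
    {"action": "process_start", "pid": 7000, "process_name": "chrome.exe",
     "parent_name": "explorer.exe", "command_line": "chrome.exe"},
    {"action": "file_write", "pid": 4211, "process_name": "python3",
     "target": "/home/alice/notes.txt"},
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["rule"], alert["pid"], alert["process"], alert["target"])
```

Both rules are deliberately stateless so they can run while the endpoint is offline; the parent name comes from the enrichment stage rather than from a lookup here, which is why a process_start event carries parent_name directly.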

Proactive Blocking

  • Quarantining suspicious files.
  • Isolating processes demonstrating anomalous behavior.

Device Restrictions

  • Control of connected USB devices:
    • Blocking unauthorized access.
    • Monitoring data transfer.