EDR Agent Portal
Monitor all endpoints, view event telemetry, run forensics, and quarantine compromised hosts.
Route:
/edr/agentsHow the EDR works
OverviewHow the EDR Works
GuardFoxCopilot's EDR consists of two parts: a lightweight agent running on each endpoint, and the Agent Portal in the web UI.
What the agent collects
| Category | What's captured |
|---|---|
| ETW | Process creation, injection, hollow shell detection via Windows ETW providers |
| FileSystem | Mass file rename (ransomware), new executables in temp paths |
| VSS | Shadow copy deletion attempts — blocked and alerted |
| PowerShell | Script block logging — captures all commands including obfuscated ones |
| YARA | In-memory scan of suspicious processes against 50+ signatures |
| Win Events | Advanced Windows Event Log analysis (4624, 4688, 4698…) |
| Network | Outbound connections, DNS queries, C2 interval detection |
Agent communication
- Agent sends heartbeat to
/api/edr/heartbeatevery 30 seconds - Events stream to
/api/edr/eventsin batches of 50 - Commands (quarantine, scan, collect) are polled from
/api/edr/commands - Tamper protection: the agent service cannot be stopped without the admin passphrase
Quarantining an endpoint
How to useQuarantining an Endpoint
Quarantine isolates a compromised endpoint from the network using local firewall rules, while keeping the agent connection alive so you can still collect forensics.
How to quarantine
- Open EDR → Agent Portal
- Click any agent to open the detail drawer
- Click Quarantine in the top-right
- Confirm the action — a note is added to the audit log
What quarantine does
- Adds iptables (Linux) or Windows Firewall rules blocking all inbound/outbound traffic
- Exception: keeps ports 443 to the GuardFoxCopilot server open so the agent remains connected
- The agent status changes to QUARANTINED (red pulsing dot)
Releasing quarantine
Click Release in the same location. The firewall rules are removed and normal connectivity resumes.
⚠️ Always collect a memory image via the Forensics tab before releasing a quarantined endpoint.
Remote forensics collection
How to useRemote Forensics Collection
From the Agent detail drawer → Forensics tab, you can launch collection tasks without touching the endpoint.
Available tasks
| Task | What it collects | Typical size |
|---|---|---|
| Process Memory Dump | Memory of specified process | 50–500 MB |
| Artifact Collection | Event logs, prefetch, MFT, shellbags | 20–100 MB |
| Full Memory Image | Complete RAM capture | 4–32 GB |
| File System Timeline | MAC times across all drives | 10–50 MB |
| Prefetch / MFT Analysis | Execution history, file records | 5–20 MB |
Running a collection
- Open the agent drawer → Forensics tab
- Click the task you want to run
- Status changes to Running with a live progress indicator
- When Complete, click Download to retrieve the artifact
Notes
- Full Memory Image requires the agent to have local admin rights
- Collections run in the background — you can navigate away and return
- Results are stored on the GuardFoxCopilot server for 7 days then auto-deleted