The sensor can be configured to run in detection-only mode, which limits its ability to terminate processes.
Note: configuring the sensor to run in detection-only mode requires the system administrator to terminate malicious processes manually in case of an attack.
Requirements
The minimum sensor version is 0.3.3. If you are configuring an already installed sensor, verify the sensor version on the assets page in the Intezer Protect console.
Instructions
After sensor installation, edit the file /etc/intezer/config.yml (requires sudo privileges).
Add the following line to the end of the file:
disable_kill_process: true
Restart the sensor by running:
- systemd:
sudo systemctl restart intezer-protect
- Upstart:
sudo initctl restart intezer-protect
- SystemV Init:
sudo service intezer-protect restart
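
The steps above as a repeatable script for hosts managed by automation (an added example, not Intezer's own tooling). The config key, file path and restart commands are the ones given above; the function names and the init-system checks are assumptions of this example.

```shell
#!/bin/sh
# Added example: enable detection-only mode idempotently. Run as root.
# Function names and init-system checks are this example's own (hypothetical).
CONFIG_DEFAULT=/etc/intezer/config.yml
KEY_RE='^disable_kill_process[[:space:]]*:'

# set_detection_only FILE -> prints "changed" or "unchanged"
set_detection_only() {
    file=$1
    [ -f "$file" ] || { echo "config not found: $file" >&2; return 1; }
    total=$(grep -c -E "$KEY_RE" "$file" || true)
    good=$(grep -c -E "${KEY_RE}[[:space:]]*true[[:space:]]*\$" "$file" || true)
    if [ "$total" -eq 1 ] && [ "$good" -eq 1 ]; then
        echo unchanged          # already set exactly once: no restart needed
        return 0
    fi
    tmp=$(mktemp) || return 1
    # Drop every existing top-level entry for the key (for example an earlier
    # "false") so the YAML never carries duplicate keys, then append the line.
    grep -v -E "$KEY_RE" "$file" > "$tmp" || true
    printf 'disable_kill_process: true\n' >> "$tmp"
    cat "$tmp" > "$file" || { rm -f "$tmp"; return 1; }  # keeps owner and mode
    rm -f "$tmp"
    echo changed
}

# restart_command -> prints the restart command from the page for this host
restart_command() {
    if [ -d /run/systemd/system ]; then
        echo "systemctl restart intezer-protect"
    elif command -v initctl >/dev/null 2>&1 &&
         initctl version 2>/dev/null | grep -q upstart; then
        echo "initctl restart intezer-protect"
    else
        echo "service intezer-protect restart"
    fi
}

# Nothing is modified unless the script is called with --apply [FILE].
if [ "${1:-}" = "--apply" ]; then
    result=$(set_detection_only "${2:-$CONFIG_DEFAULT}") || exit 1
    echo "config: $result"
    if [ "$result" = changed ]; then $(restart_command); fi
fi
```

Running it a second time reports "unchanged" and skips the restart, so it is safe to schedule from configuration management.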