The Endpoint Detection and Response add-on is required to use this Library Item.

About EDR Library Item Configuration

The EDR Library Item is the core component of Iru Endpoint EDR, providing comprehensive threat detection and response capabilities. This Library Item can be configured with various posture modes, behavioral detection settings, user alerts, and custom allow/block lists to meet your organization’s security requirements.

How It Works

EDR Library Item configuration allows you to customize EDR behavior through multiple settings. You can configure posture modes for malware and PUP detection, enable behavioral detection capabilities, set up user notifications, and create custom allow/block lists. These settings determine how EDR responds to threats and provides visibility into security events across your managed devices.

Adding an EDR Library Item

To add this Library Item to your Iru Endpoint Library, follow the steps outlined in the Library Overview article.
1. Name the Library Item

Give the new EDR Library Item a Name.

2. Assign to Blueprints

Assign to your desired Blueprints.

Configuring File detections Settings

Configure the individual Malware and PUP posture mode preferences for your environment. The Detect mode will scan and report known malicious items. The Protect mode will scan, report and automatically quarantine known malicious items.
1. Configure Malware Posture

Specify the desired posture setting for Malware.

2. Configure PUP Posture

Specify the desired posture setting for PUP.

3. Configure Notification Settings

If either Malware or PUP posture is set to Protect, a Send user alerts toggle will be available to enable or disable user notifications.
You can click Expand preview to see a sample of the user notifications.

Configuring Behavioral detections

Behavioral detections are turned on by default when creating and adding a new EDR Library Item to your Library, but can be turned off to suit certain workflows.
Suspicious behavioral detections are automatically listed in the Threats table with an informational status to highlight unusual activities that may warrant attention. These detections are designed to provide visibility and cannot have their posture mode configured.
1. Enable Behavioral Detections

Toggle the switch to enable Behavioral detections.

2. Configure Malicious Behavior Posture

Under Malicious behavior posture, select either Detect or Protect.
  • Detect mode identifies and reports malicious behavioral detections
  • Protect mode identifies, reports, and blocks malicious behavioral detections

3. Configure Notification Settings

If Malicious behavior posture is set to Protect, a Send user alerts toggle will be available to enable or disable user notifications.
You can click Expand preview to see a sample of the user notifications.

Self Service Security events

End users can view a list of quarantined files and blocked processes on their Mac computers by opening Self Service and clicking on Security events from the left-hand navigation menu.

Configuring Allow and Block Lists

Allow and Block lists can be used to ensure that specific files or applications are always allowed or blocked in your environment regardless of whether or not a file or application is known to be malicious in Iru Endpoint EDR’s threat feeds.
Block items are considered Malware and require the Malware posture to be in Protect mode to be blocked on the device.
1. Add New Item

Click the + Add item button.
2. Configure Item Details

Give the item a Name.

3. Set Item Action

Select Allow to allow a file or application. Select Block to block the file or application.

4. Select Item Type

Specify the item type Hash or Path for the file or application.

5. Enter Item Information

If Path was selected, enter the application or file path. If Hash was selected, enter the file hash.

6. Add Item to List

Click Add to add the item to the Allow and Block list. Optionally, toggle Add another item in the lower-left corner to continue adding items.
7. Save Configuration

Click the Save button in the lower right corner to save the EDR Library Item.

Determine Hash Value

The Hash item type is only supported for files. The Path item type is supported for both files and applications.
The following command can be used in Terminal to determine the SHA256 hash value of a file.
shasum -a 256 /path/to/file

Viewing Edit History in the EDR Library Item

You can audit changes to the EDR Library Item in the Activity tab of the Library Item or the Global Activity section of the Iru Endpoint Web App. This will show what configurations were changed, what the previous state was, and who made the change.
1. Access Activity Log

Click Activity in your EDR Library item or the Activity icon in the top right navigation bar.

2. Review Changes

Select the disclosure triangle next to Library Item Edited for the entry you’d like to review.

Considerations

  • Posture Mode Selection: Choose between Detect and Protect modes based on your security requirements. Detect mode provides visibility without blocking, while Protect mode actively prevents threats.
  • Behavioral Detection Configuration: Enable behavioral detections for comprehensive threat monitoring, but consider the impact on system performance and false positive rates.
  • User Alert Management: Configure user alerts to balance security awareness with user experience, ensuring users understand when and why files are quarantined.
  • Allow and Block List Management: Maintain accurate allow/block lists to prevent legitimate applications from being blocked while ensuring malicious software is properly identified.
  • Hash vs. Path Configuration: Use hash-based entries for specific file versions and path-based entries for applications that may update frequently.
  • Regular Review: Periodically review and audit your EDR Library Item configuration to ensure it aligns with current security policies and threat landscape.
  • Testing and Validation: Test configuration changes in a controlled environment before deploying to production to avoid disrupting legitimate workflows.
  • Documentation: Keep detailed records of configuration changes and their rationale for compliance and troubleshooting purposes.
  • Performance Impact: Monitor system performance after configuration changes to ensure EDR doesn’t significantly impact device performance.
  • Integration Planning: Consider how EDR Library Item settings integrate with other security tools and workflows in your environment.
  • Response Capabilities: EDR provides response actions beyond posture mode settings, including device isolation for quarantining compromised devices from the network.

Next Steps

Please see the Endpoint Detection and Response - Testing Malware Detection support article to see EDR in action.