Indicator Blocking - veramine/Detections GitHub Wiki
An adversary may attempt to block indicators or events from leaving the host machine. In the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process or creating a host-based firewall rule to block traffic to a specific server. You can read more about this attacker technique at https://attack.mitre.org/wiki/Technique/T1054.
The Veramine sensor resists attacker attempts to stop the driver or service. That resistance mechanism is described at Disabling-Security-Tools. If the sensor is unable to connect over the network to the server, it will queue events locally and send all events as soon as connectivity is restored. If the sensor is permanently blocked from making outbound connections to the Veramine server due to a host-based firewall rule or other network layer mechanism, the Veramine administrator may need to take action to resolve the issue. The Veramine portal "Hosts" view can be sorted by the "Last Contact" time to highlight any systems where the sensor is installed but has not recently sent any events.
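As an added illustration of that last check (example code, not part of the Veramine wiki or product), the following Python flags hosts whose sensor has not reported within a chosen window, ranking hosts that never reported first; the host list is a constructed stand-in for a real "Hosts" export:

```python
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample in the shape of a "Hosts" export: hostname plus the
# last-contact time in UTC (None = sensor installed but never reported).
SAMPLE_HOSTS = [
    {"hostname": "ws-001", "last_contact": "2024-05-01T09:55:00Z"},
    {"hostname": "ws-002", "last_contact": "2024-04-29T18:10:00Z"},
    {"hostname": "srv-db", "last_contact": "2024-05-01T09:59:30Z"},
    {"hostname": "ws-003", "last_contact": None},
]


def parse_utc(ts: Optional[str]) -> Optional[datetime]:
    """Parse an ISO-8601 UTC timestamp ending in 'Z'; None stays None."""
    if ts is None:
        return None
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def stale_sensors(hosts, now_iso, max_silence_hours=1.0):
    """Return (hostname, hours_silent) for hosts that have not reported
    within max_silence_hours, with never-contacted hosts first and the
    remainder sorted by longest silence; hours_silent is None when the
    sensor has never reported."""
    now = parse_utc(now_iso)
    max_silence = timedelta(hours=max_silence_hours)
    flagged = []
    for h in hosts:
        last = parse_utc(h["last_contact"])
        if last is None:
            flagged.append((h["hostname"], None))
            continue
        silence = now - last
        if silence > max_silence:
            hours = round(silence.total_seconds() / 3600, 2)
            flagged.append((h["hostname"], hours))
    # Never-reported hosts sort first (False < True), then longest silence.
    flagged.sort(key=lambda x: (x[1] is not None, -(x[1] or 0)))
    return flagged


if __name__ == "__main__":
    for hostname, hours in stale_sensors(SAMPLE_HOSTS, "2024-05-01T10:00:00Z"):
        print(f"{hostname}: {'never reported' if hours is None else f'{hours} h silent'}")
```

A host that appears here while still powered on and reachable is a candidate for the blocked-outbound case described above and should be checked for a host-based firewall rule or other filtering on the path to the server.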