Sandfly 5.0 - Agentless Drift Detection, New UI, and Wider Linux Coverage

Introducing Sandfly 5.0: Now with powerful agentless drift detection for Linux.


Sandfly 5.0 is a major step in our vision to go beyond traditional Endpoint Detection and Response (EDR) and into a multi-layered Linux defense platform. We have moved well beyond passive detection and have extensive active threat hunting and proactive capabilities to protect all Linux systems.


Sandfly 5.0 features many upgrades, including just some of the ones below:

  • Agentless Drift Detection

  • New User Interface

  • Wider Linux Device Coverage

  • Whitelist Profiles

  • Simplified Deployment

  • Expanded and Improved Container Visibility

  • Parent Process Detection Rules


The combination of traditional threat signatures, along with agentless drift detection, makes it extremely difficult for attackers to exist and hide on Linux systems watched by Sandfly.


Agentless Drift Detection


Unauthorized changes to Linux systems are significant threats. To date, most change detection for Linux has focused on File Integrity Monitoring (FIM). While this can be effective, it often cannot find many threats such as fileless malware, new kernel modules, changes to users, persistence attacks, and much more.


Sandfly is introducing a new way to combat threats on Linux by allowing customers to deploy drift detection on any Linux system we monitor. Sandfly allows you to track all major components of Linux that are frequently targeted for attack well beyond simple file alterations. For example:

  • Any new process binary that has been started whether on the disk or fileless.

  • Any new users, changes to users, new SSH keys, changes to login shells, etc.

  • Any new scheduled tasks appearing in cron, at, or systemd.

  • Any new kernel modules loaded or kernel taint changes.

  • Any user logins never seen before.

  • Any changes to system directories, or any custom directory you choose (traditional FIM).


Sandfly can apply drift detection to systems that are a decade+ old all the way to modern deployments instantly. Not just this, but we can also do drift detection against the most notoriously difficult to monitor systems on the planet: Linux embedded devices and appliances.


Drift Detection Suspicious Crontab Entry on Linux


Any server or device can have drift profiles created and any changes to those systems immediately spotted. Stealthy and other malicious activity is instantly detected.


Use Cases

Sandfly can monitor embedded Linux devices like Ubiquiti routers.


There are many use cases for agentless drift detection:

  • Profile edge devices - You'll know immediately if your WiFi routers, VPN systems, Network Attached Storage (NAS), and other critical infrastructure changes.

  • Proprietary hardware - Track embedded controllers and specialized systems like robotics that should never change.

  • Legacy systems - Any changes to systems that cannot be updated are flagged, even if they are a decade+ old.

  • Known-good Virtual Machine (VM) instances - Any systems in a deployed VM pool that change will alert.

  • Linux containers - Any changes to a container running on a host will register as a drift.

  • Incident response - Profile a known-good system and use that profile to scan other systems for differences. Systems that have changes can be focused on for investigation so IR teams aren't wasting time.


Sandfly's agentless drift detection can spot any change to any system, whether it's in the cloud, on-premises, an embedded device, or a legacy server. Unknown malware and malicious activity will stand out immediately with Sandfly's drift detection watching the host.


New User Interface

Sandfly has the widest Linux security coverage.


We have completely overhauled the user interface. It features new visualizations and is completely mobile and tablet compatible. Many new features have been added to make browsing and accessing alerts easier:

  • Quickly check for new alerts from a phone or tablet.

  • New result organization allows drilling down from a host to the sandfly alerts or by sandfly alert to the hosts affected.

  • Improved filters and views allow for faster searches.

  • Custom views for each user.

  • Many usability improvements for scheduling, IP address sorting, filtering, plus powerful data table capabilities.


Widest Linux Coverage


Sandfly now works on a much wider range of devices (and especially embedded systems) than ever. We have expanded coverage even onto devices from Synology, Ubiquiti, plus many more. You'd be surprised what Linux systems we can protect instantly.


Not only is Linux device coverage wider than any other product on the market, but it's also faster than all previous versions of Sandfly which were already fast.


Any hosts that Sandfly can monitor gets 100% of our feature coverage. This includes our powerful new drift detection, plus our SSH Hunter, weak password auditing, and our extensive Linux threat hunting modules.


We strongly encourage customers to check their appliances and edge devices for signs of compromise as it is becoming increasingly common for these systems to be attacked.


Whitelist Profiles

Building a result whitelist profile.


Sandfly now allows you to scan a system and triage any false alarms instantly by bundling them into a whitelist profile. Once the profile is created, you can then apply it to any similarly tagged system and instantly have those alerts whitelisted without needing to mark and ignore each alert. Result profiles allow security teams to quickly setup and tune Sandfly to their unique environment.


Simplified Deployment and Faster Scanning Speed

We have re-written the scanning node to eliminate the need for RabbitMQ. This removes a major component, simplifying the architecture and resulting in easier deployment plus higher performance.


Scanning nodes are now noticeably faster and use less resources. As a bonus, eliminating RabbitMQ reduces attack surface and potential security risks. 


Expanded Container Coverage

Sandfly has expanded our ability to scan inside running containers along with inspecting filesystem layers they are using. Results will now clearly show if a process has been spotted inside a container vs. the host operating system. We have also expanded our container runtime awareness with additional Kubernetes support, rootless Podman, and additional container filesystem drivers.


Sandfly can watch your containers, and the host operating system they run on, simultaneously to protect against container escapes and other serious risks.


Parent Process Detection

We have added new process forensic engine attributes that allow you to inspect a parent process as part of a rule. For Sandfly 5.0 we now include these new bindshell backdoor checks that leverage the parent to spot new threats:

  • process_backdoor_bindshell_network_enabled_parent_not_ssh - Looks for network shells that are spawned from network enabled processes that are not SSH.

  • process_backdoor_bindshell_network_enabled_parent_www_user - Looks for network shells that are spawned from a network enabled process with a common www server username (e.g. apache, nginx, php).

  • process_backdoor_bindshell_parent_deleted - Looks for shells that are spawned from a network process binary that has been deleted from the disk.

  • process_backdoor_bindshell_parent_not_ssh - Looks for shells that are spawned from network enabled processes that are not SSH.

  • process_backdoor_bindshell_parent_running_from_dev_dir - Looks for shells that are spawned from a network process located in system /dev or /dev/shm ramdisk directories.

  • process_backdoor_bindshell_parent_running_from_tmp_dir -Looks for shells that are spawned from a network process located in system temp directories.

  • process_backdoor_bindshell_parent_socket_utility -Looks for shells that are spawned from network socket utilities like netcat or socat.


The ability to write rules against parent processes allows for many powerful new detection signatures. We'll be expanding these detections as we move forward, but as always you can clone our modules and write custom threat hunting sandflies taking advantage of this new capability today.


Get a Free License Today

All Sandfly users get access to the 5.0 upgrades. Get you free license today:

Get Sandfly


Upgrading Sandfly

Sandfly 5.0 is a major new release with powerful new features. All customers are encouraged to upgrade. We are here to help with any questions. Please be sure to see our documentation on the new features and capabilities:

Sandfly Documentation


Customers wishing to upgrade can follow the instructions here:

Upgrading Sandfly


If you have any questions, please reach out to us.


Thank you for using Sandfly.