What is a Forwarder?

Stairwell Forwarder Overview

The forwarder is a piece of proprietary software specifically engineered to be extremely lightweight with virtually no impact on the host system. It is used to monitor file-related activity and upload newly discovered unique files. Following the installation, a breach assessment (also referred to as a "back scan") is conducted. The breach assessment searches and uploads all existing executables, libraries and scripts on the applicable physical drives, which can take approximately ~2 hours to process. After the original back scan, the forwarder will continue to monitor the asset for new executable file activity such as spawning child processes, writing to disk, unpacking file contents, moving files, and deletion.

What this provides is a comprehensive system-wide view of every executable and executable-like file on every endpoint the forwarder is deployed on from the present moment back to day one. The forwarder affords the ability to:

  • Retro-hunt across the entire org in fractions of a second.
  • Having all Threat Report indicators and Yara rules run across every file the moment it is ingested.
  • Fully preserved timelines for all file system activity beyond log retention limitations.

What the Forwarder is NOT

The forwarder is a singular piece of software that is meant to do one thing and nothing else: collect new never before seen executable files. The forwarder does not prevent or interrupt any process or action from executing which makes it highly suitable for OT and appliances where a typical EDR would be unthinkable. It is not a replacement for EDR/XDR and works well side-by-side with the top vendors. The forwarder communicates directly with the Stairwell platform (or by proxy) and does not require a collection or staging server to be deployed. Most of all, the Forwarder is specifically engineered to be as efficient and stealthy as possible by typically using a fraction of a percent of a single core.

Stairwell forwarder highlights

  • Full executable visibility across installed assets.
  • Real-time running to expedite detection and forwarding of files and metadata.
  • Full contextual information across assets such as file paths and asset names
  • Dynamic inclusion/exclusion select for executable file types via policies.
  • Kernel space function ensure more transparency (instead of singular user).
  • Data encryption in transit via Transport Layer Security (TLS) based on the highest level supported.
  • Data compression bypassed to ensure file integrity for DFIR.
  • Managed and maintained by Stairwell Platform UI.