Endpoint detection and response

Kernel network monitoring for an endpoint security sensor

An endpoint-security company needed kernel network visibility for a sensor deployed across enterprise endpoint fleets. Joya Systems built the Windows networking framework that delivered connections, packet data, TCP stream reassembly, DNS correlation support, and VPN coexistence.

Platforms

  • Windows client systems
  • Windows Server systems

Services

  • Windows network driver development
  • TCP stream reassembly
  • Endpoint sensor integration

The challenge

The sensor needed useful network context without creating deployment friction. It had to report TCP and UDP activity, handle raw IPv4 and IPv6 packets, survive common VPN clients, and install without requiring a reboot. The catch was that all of it had to run on customer machines the vendor did not control: every unexpected VPN, proxy, or legacy Windows build was a chance to break the endpoint instead of monitoring it.

What we built

We built kernel networking plumbing to feed user-mode analytics with TCP and UDP connection events, raw packet data, and headerless TCP stream reassembly. The data model supported DNS response-to-request correlation and extraction of destinations behind HTTP proxies.
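As an added illustration (not Joya Systems' code, and written as user-mode Python rather than a kernel driver), a minimal one-direction TCP stream reassembler of the kind that turns segments into the headerless byte stream analytics consume, tolerating out-of-order, duplicate and overlapping segments as well as 32-bit sequence wraparound:

```python
class TcpStreamReassembler:
    """Reassemble one direction of a TCP stream into headerless payload bytes.

    Segments may arrive out of order, duplicated, or overlapping (retransmits).
    Only data contiguous from the initial sequence number is released; bytes
    beyond a gap stay buffered until the missing segment arrives.
    """
    MASK = 0xFFFFFFFF

    def __init__(self, isn: int):
        self.next_seq = isn & self.MASK       # first byte not yet delivered
        self.pending: dict[int, bytes] = {}   # start seq -> payload behind a gap

    def add_segment(self, seq: int, payload: bytes) -> bytes:
        """Accept one segment; return newly contiguous payload (possibly b'')."""
        if payload:
            seq &= self.MASK
            # Same start seen before (retransmit): keep the longer copy.
            if len(payload) > len(self.pending.get(seq, b"")):
                self.pending[seq] = payload
        return self._drain()

    def _drain(self) -> bytes:
        out = bytearray()
        while True:
            hit = None
            for start, chunk in self.pending.items():
                off = (self.next_seq - start) & self.MASK  # bytes already delivered
                if off < len(chunk):           # this chunk covers the cursor
                    hit = (start, off)
                    break
            if hit is None:
                break
            start, off = hit
            chunk = self.pending.pop(start)
            out += chunk[off:]                 # drop overlap with delivered data
            self.next_seq = (self.next_seq + len(chunk) - off) & self.MASK
        # Discard stale chunks that now lie entirely behind the cursor.
        self.pending = {s: c for s, c in self.pending.items()
                        if not self._behind(s, c)}
        return bytes(out)

    def _behind(self, start: int, chunk: bytes) -> bool:
        off = (self.next_seq - start) & self.MASK
        return off < 0x80000000 and off >= len(chunk)

    def has_gap(self) -> bool:
        """True when buffered data is waiting on a missing segment."""
        return bool(self.pending)
```

A sensor would hold one instance per direction of each tracked connection and hand the returned bytes to the analytics layer; `has_gap()` is what tells the consumer that the stream is stalled on a lost segment.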

VPN coexistence was treated as a first-class requirement. The implementation was tested against several enterprise and consumer VPN clients because endpoint security software has to operate on machines it does not fully control.

The supported operating system range included older client and server versions still common in enterprise fleets at the time. That meant careful conditional behavior instead of assuming one modern Windows network stack.

Project outcome

  • Added network visibility to an EDR sensor that installs with no reboot — connection logging, raw IPv4/IPv6 packets, and headerless TCP stream reassembly.
  • Held up against several enterprise and consumer VPN clients and across older client and server Windows versions still in enterprise fleets.
  • Supported DNS request/response correlation and destination extraction behind HTTP proxies, so analytics saw connections in context.

Technical takeaway

EDR network telemetry has to be boring in production. The hard part is not capturing a packet once; it is doing so across old OS versions, VPNs, and customer machines without breaking the endpoint.

Working on something similar?

If your team is building in this area — a driver, kernel module, packet path, file system filter, security sensor, or certification plan — start with a technical conversation, not a sales call. Contact Joya Systems and describe the product, platform, and current state of the code.

Frequently asked questions

Can a Windows network monitoring driver install without a reboot?

Yes, and for an endpoint security product it usually has to. We built the network framework so it could be deployed without forcing a reboot, which removes a major source of rollout friction across a managed fleet.

How do you keep an EDR network sensor working across VPNs and older Windows versions?

By treating VPN coexistence as a first-class requirement and testing against several enterprise and consumer VPN clients, and by writing conditional behavior for older client and server Windows network stacks rather than assuming one modern stack. The sensor runs on machines it does not fully control, so it has to be defensive.