Get the PDF

Policy JSON view

The JSON view displays the policy as a JSON file. This is the same format used for the Policy API.

user_id

Your unique console ID. To get your user ID, do one of the following:

Use the

Cylance

API (Get Users)

In the console, go to User Management, view your user details, your user ID is at the end of the URL

checksum

Use an empty value. This is required when creating a policy.

device_control

Device control allows or blocks access to USB mass storage devices.

Item	Description
control_mode	Block blocks the USB device from connecting to the endpoint FullAccess allows the USB device to connect to the endpoint
device_class	All device_class entries must be included in the request. AndroidUSB is a portable device running Android OS, like a smartphone or tablet An Android device could connect and be identified as Android, Still Image, or Windows Portable Device. If you want to block Android devices, consider blocking Still Image and Windows Portable Device as well. iOS is an Apple portable device running iOS, like an iPhone or iPad iOS devices will not charge when Device Control is enabled and set to Block, unless the Apple device is powered off. Apple includes their charging capability within functions of the device that are required for our iOS device blocking capability. Non-Apple devices do not bundle their charging capability in this manner and are not impacted. StillImage is the device class containing scanners, digital cameras, multi-mode video cameras with frame capture, and frame grabbers USBCDDVDRW is a USB optical drive USBDrive is a USB hard drive or USB flash drive VMWareMount is the VMware USB Passthrough, which allows a VMware virtual machine client to access USB devices connected to the host WPD is a Windows Portable Device, which uses the Microsoft Windows Portable Device driver technology, such as mobile phones, digital cameras, and portable media players
exclusion_list	The device control exclusion list that allows or blocks access to specific USB mass storage devices comment adds detail about the exclusion; this information is optional control_mode allows or blocks the specific USB mass storage device Block blocks the USB mass storage device from connecting to the endpoint FullAccess allows the USB mass storage device to connect to the endpoint product_id is the product identifier for the USB mass storage device; this information is optional serial_number is the serial number for the USB mass storage device; this information is optional vendor_id is the vendor identifier for the USB mass storage device; this information is optional One way to find the Vendor ID for a USB mass storage device is to enable device control in a policy, assign that policy to an device, then attach the USB mass storage device to the device. You can view external device logs in the Cylance console, on the Protection page or the Device Details page (External Devices tab).
Example	"exclusion_list": [ { "vendor_id": "1234", "comment": "Test device control exclusion", "serial_number": "987654321", "product_id": "5678:, "control_mode": "FullAccess" } ]

file_exclusions

Adds file exclusions to the Policy Safe List, under File Actions. The policy safe list are file exclusions specific to the policy, and any devices assigned to the policy will allow the excluded files to run.

Item	Description
category_id	A list of categories to identify the type of file; this information is optional 1 - None 2 - AdminTool 3 - InternalApplication 4 - CommercialSoftware 5 - OperatingSystem 6 - Drivers 7 - SecuritySoftware
file_hash	The SHA256 hash for the file; this information is optional
file_name	The name of the file being excluded; this information is optional
md5	The MD5 hash for the file; this information is optional
reason	The reason the file was excluded; this information is optional
Example	"file_exclusions": [ { "reason": "Test Exclusion", "category_id": "2", "md5": "d41d8cd98f00b204e9800998ecf8427e", "file_hash": "bf17366ee3bb8068a9ad70fc9e68496e7e311a055bf4ffeeff53cc5d29ccce52", "file_name": "filename" } ]

filetype_action

The auto-quarantine of unsafe (threat_files_) and abnormal (suspicious_files)

Item	Description
actions	Allows setting auto-quarantine and auto-upload to enabled or disabled 0 - Auto-quarantine OFF, auto-upload OFF 1 - Auto-quarantine ON, auto-upload OFF 2 - Auto-quarantine OFF, auto-upload OFF Use 2 for suspicious_files when threat_files is set to 3 and auto-quarantine for suspicious_files is disabled. 3 - Auto-quarantine ON, auto-upload ON
file_type	Only has "executable" as an option
suspicious_files	These are abnormal files
threat_files	These are unsafe files

logpolicy

The agent log file settings.

Item	Description
log_upload	null - Disabled 1 - Enabled
maxlogsize	The maximum file size (in MB) for a single agent log file
retentiondays	The number of days to save agent log files; log files older than the set number of days will be deleted

memoryviolation_actions

The violation types for memory protection.

All memory_violations and memory_violations_ext must be included in the request.

Item	Description
Action	None means no action is taken when a memory violation is triggered Alert means an alert will display in the console but no action is taken on the memory violation Block means the memory violation is blocked and an alert will display in the console; the process that triggered the memory violation is not terminated Terminate means the memory violation is blocked, the process that triggered the memory violation is terminated, and an alert will display in the console
memory_violations	lsassread (LSASS Read) - The memory belonging to the Windows Local Security Authority process has been accessed in a manner that indicates an attempt to obtain users' passwords. outofprocessallocation (Remote Allocation of Memory) - A process has allocated memory in another process. Most allocations will only occur within the same process. This generally indicates an attempt to inject code or data into another process, which may be a first step in reinforcing a malicious presence on a system. outofprocesscreatethread (Remote Thread Creation) - A process has created a new thread in another process. A process’s threads are usually only created by that same process. This is generally used by an attacker to activate a malicious presence that has been injected into another process. outofprocessmap (Remote Mapping of Memory) - A process has introduced code and/or data into another process. This may indicate an attempt to begin executing code in another process and thereby reinforce a malicious presence. outofprocessoverwritecode (Remote Overwrite Code) - A process has modified executable memory in another process. Under normal conditions, executable memory will not be modified, especially by another process. This usually indicates an attempt to divert execution in another process. outofprocessunmapmemory (Remote Unmap of Memory) - A process has removed a Windows executable from the memory of another process. This may indicate an intent to replace the executable image with a modified copy for the purpose of diverting execution. outofprocesswrite (Remote Write to Memory) - A process has modified memory in another process. This is usually an attempt to store code or data in previously allocated memory (see OutOfProcessAllocation), but it is possible that an attacker is trying to overwrite existing memory in order to divert execution for a malicious purpose. outofprocesswritepe (Remote Write PE to Memory) - A process has modified memory in another process to contain an executable image. Generally, this indicates that an attacker is attempting to execute code without first writing that code to disk. overwritecode (Overwrite Code) - The code residing in a process’s memory has been modified using a technique that may indicate an attempt to bypass Data Execution Prevention (DEP). stackpivot (Stack Pivot) - The stack for a thread has been replaced with a different stack. Generally, the system will only allocate a single stack for a thread. An attacker would use a different stack to control execution in a way that is not blocked by Data Execution Prevention (DEP). stackprotect (Stack Protect) - The memory protection of a thread’s stack has been modified to enable execution permission. Stack memory should not be executable, so usually this means that an attacker is preparing to run malicious code stored in stack memory as part of an exploit, an attempt which would otherwise be blocked by Data Execution Prevention (DEP).
memory_violations_ext	dyldinjection (DYLD Injection) - An environment variable has been set that will cause a shared library to be injected into a launched process. Attacks can modify the plist of applications like Safari or replace applications with bash scripts, causing their modules to be loaded automatically when an application starts. maliciouspayload (Malicious Payload) - A generic shellcode and payload detection associated with exploitation has been detected. trackdataread (RAM Scraping) - A process is trying to read valid magnetic stripe track data from another process. Typically related to point of sale systems (POS). zeroallocate (Zero Allocate) - A null page has been allocated. The memory region is typically reserved, but in certain circumstances, it can be allocated. Attacks can use this to setup privilege escalation by taking advantage of some known null de-reference exploit, typically in the kernel.
memory_exclusion_list	These are the executable files to exclude from memory protection. This must be a relative path to the excluded executable file.
Example	"memory_exclusion_list": [ "\\temp" ]

policy

Various policy settings are contained within this section. Some policy settings are enabled under the policy section and configured in a different section, like device_control and logpolicy.

Item	Description
auto_blocking	Enables or disables the Auto Quarantine setting for Unsafe and Abnormal files. 0 - Disabled 1 - Enabled filetype_actions must also be set for unsafe (threat_files) and abnormal (suspicious_files) files.
auto_delete	Setting to automatically delete quarantined files after a set number of days. 0 - Disabled 1 - Enabled If this feature is enabled, set days_until_deleted for the number of days to retain a quarantined file.
auto_uploading	Setting to automatically upload files that Cylance has not seen before. Cylance will perform an analysis on the file and provide details to assist in manual analysis and triage. 0 - Disabled 1 - Enabled filetype_actions must also be set for unsafe (threat_files) and abnormal (suspicious_files) files for Auto-Upload.
autoit_auto_uploading	The value is 0.
custom_thumbprint	The vaule is null.
days_until_deleted	Setting for the number of days to retain a quarantined file. Quarantined files older than the set number of days will be automatically deleted. The minimum number of days is 14 The maximum number of days is 365. To use the days_until_deleted feature, the auto_delete setting must be enabled.
device_control	Setting to enable or disable the device control feature.
docx_auto_uploading	The value is 0.
full_disc_scan	Setting to have Cylance analyze all executable files on disk to detect any dormant threats. This is the Background Threat Detection (BTD) setting. 0 - Disabled 1 - Run recurring (performs a scan every nine days) 2 - Run once (runs a full disk scan upon installation only)
kill_running_threats	Setting to kill processes and sub-processes regardless of the state when a threat is detected (exe or dll).
logpolicy	The value is 0.
low_confidence_threshold	Setting to adjust the score threshold between unsafe and abnormal files. The default is -600. A score of -600 to -1000 is unsafe. A score of 0 to -599 is abnormal. A score greater than 0 is safe.
memory_exploit_detection	Setting to enable or disable the memory protection feature. 0 - Disabled 1 - Enabled Also set the memoryviolation_actions (memory_violations, memory_violations_ext, and memory_exclusion_list).
ole_auto_uploading	The value is 0.
optics	Setting to enable or disable CylanceOPTICS . 0 - Disabled 1 - Enabled Also set the other CylanceOPTICS settings (optics_).
optics_application_control_auto_upload	Setting to allow the automatic uploading of application control related to focus data. 0 - Disabled 1 - Enabled
optics_malware_auto_upload	Setting to allow the automatic uploading of threat related focus data. 0 - Disabled 1 - Enabled
optics_memory_defense_auto_upload	Setting to allow the automatic uploading of memory protection related focus data. 0 - Disabled 1 - Enabled
optics_script_control_auto_upload	Setting to allow the automatic uploading of script control related focus data. 0 - Disabled 1 - Enabled
optics_sensors_advanced_executable_parsing	Setting to enable recording data fields associated with portable executable (PE) files, such as file version, import functions, and packer types. This is Enhanced Portable Executable Parsing in the policy settings. 0 - Disabled 1 - Enabled
optics_sensors_advanced_powershell_visibility	Setting to enable recording commands, arguments, scripts, and content entered directly into the Powershell console and the Powershell Integrated Script Environment (ISE). 0 - Disabled 1 - Enabled
optics_sensors_advanced_wmi_visibility	Setting to enable recording additional Windows Management Instrumentation (WMI) attributes and parameters. 0 - Disabled 1 - Enabled
optics_sensors_dns_visibility	Setting to enable recording commands and arguments of commands issued directly or indirectly to the Windows Management Instrumentation (WMI) interpreter. 0 - Disabled 1 - Enabled
optics_sensors_enhanced_process_hooking_visibility	Setting to enable recording process information from the Win32 API and Kernel Audit messages to detect forms of process hooking and injection. 0 - Disabled 1 - Enabled
optics_sensors_private_network_address_visibility	Setting to enable recording network connections within the RFC 1918 and RFC 3419 address spaces. 0 - Disabled 1 - Enabled
optics_sensors_windows_event_log_visibility	Setting to enable recording Windows Security Events and their associated attributes. 0 - Disabled 1 - Enabled
optics_sensors_intel_cryptomining_detection	Setting to enable recording CPU activity using hardware registers for potential cryptomining and cryptojacking activites. 0 - Disabled 1 - Enabled
optics_set_disk_usage_maximum_fixed	Setting the maximum amount of device storage reserved for use by CylanceOPTICS , in MB. The minimum value is 500 and the maximum value is 1000.
optics_show_notifications	Setting to enable or disable desktop notifications on the device for CylanceOPTICS events. 0 - Disabled 1 - Enabled
pdf_auto_uploading	The value is 0.
powershell_auto_uploading	The value is 0.
prevent_service_shutdown	Setting that protects the Cylance service from being shutdown, either manually or by another process. 0 - Disabled 1 - Enabled
python_auto_uploading	The value is 0.
sample_copy_path	Setting to copy all file samples to a network share (CIFS/SMB). Example { "name": "sample_copy_path", "value": "\\\\server_name\\shared_folder" }
scan_exception_list	Setting to exclude specific folders and subfolders from being scanned by full_disc_scan and watch_for_new_files. Set the value to the absolute path for the excluded files. Example { "name": "scan_exception_list", "value": [ "c:\\temp" ] }
scan_max_archive_size	Setting for the maximum archive file size (in MB) to be scanned. The value can be 0 to 150. If set to 0, then archive files will not be scanned.
script_control	Setting to enable or disable the script control feature. 0 - Disabled 1 - Enabled
show_notifications	Setting to enable or disable desktop notifications on the device for CylancePROTECT Desktop events. 0 - Disabled 1 - Enabled
threat_report_limit	The number of threats to upload to the console.
trust_files_in_scan_exception_list	Setting to allow execution of files in the excluded folders. This is related to the scan_exception_list. 0 - Disabled 1 - Enabled
watch_for_new_files	Setting to analyze new or modified executable files for threats. 0 - Disabled 1 - Enabled

policy_name

This is the name of the policy. The name must be unique in your tenant.

script_control

These are the policy settings for script control.

script_control must be enabled (set to 1) under policy.

Item	Description
activescript_settings	control_mode - These are the settings for active script. Alert - An alert is sent when an active script event occurs. The active script is allowed to run. Block - The active script is blocked and an alert is sent.
global_settings	allowed_folders - The relative path to scripts that are allowed to run when script control is enabled. Example: "allowed_folders": [ "\\temp_scriptcontrol" ] control_mode - Setting to enable or disable script control for agent version 1370 or lower. To use script control with macros, use agent version 1380 or later. Allow - An alert is sent when an active script or Powershell event occurs. The script is allowed to run. Block - The active script or Powershell is blocked and an alert is sent.
macro_settings	control_mode - Settings for Microsoft Office macros. Alert - An alert is sent when an Office macro event occurs. The macro is allowed to run. Block - The Office macro is blocked and an alert is sent.
powershell_settings	console_mode - The Powershell console is blocked to prevent Powershell command usage, including one-liners. To use this feature, the Powershell control_mode must be set to block. control_mode Alert - An alert is sent when a Powershell script event occurs. The Powershell script is allowed to run. Block - The Powershell script is blocked and an alert is sent.

About disabling script control

For agent version 1430 and later, you can disable script control for active script, Powershell, or macros. Disable script control allows the selected script type to run and does not send an alert to the console.

To disable script control for a specific script type, do not include the script type in the Create Policy API request.

Example
: Script control for macros is disabled

"script_control": {
  "powershell_settings: {
    "control_mode": "Block",
    "console_mode": "Block"
  },
  "global_settings": {
    "control_mode": "Alert",
    "allowed_folders: [
      "\\temp_scriptcontrol"
    ]
  },
  "activescript_settings: {
    "control_mode": "Alert"
  }
}

Section:

Policy summary