Lock a device
You can lock an infected or potentially infected device to stop command and control activity, the exfiltration of data, and the lateral movement of malware. You have the following lockdown options:
Lockdown type | Description |
---|---|
Full lockdown (all platforms) | Prevent all network communication from the device. You can lock a device for up to 96 hours. You can use an unlock key to unlock the device before the end of the lockdown period. |
Partial lockdown (CylanceOPTICS agent 3.1 or later for Windows only) | Disable the device's LAN and Wi-Fi network capabilities and retain communication with the CylanceOPTICS cloud services, allowing CylanceOPTICS to continue to receive detections and sensor data. Partial lockdown persists indefinitely. You can unlock the device at any time using an unlock key or the remote unlock feature. |
Customized partial lockdown (CylanceOPTICS agent 3.2.1140 or later for Windows only) | This option is the same as partial lockdown but also allows you to specify additional communication channels that you want to allow during a partial lockdown. |
- For the requirements to support the lockdown feature for Linux, see the CylanceOPTICS requirements.
- If you want to use a customized partial lockdown, on the menu bar, click Settings > Detection and Response > Add New Configuration. Specify a name, description, and the IP address, port, and operations (inbound, outbound, bidirectional) for the communication channels that you want to allow during partial lockdown. Click Save.
- In the management console, on the menu bar, click CylanceOPTICS > Devices.
- Click the device name.
- Do one of the following:
  - Fully lock a device (all platforms):
    - In the Select Action drop-down list, click Lockdown.
    - If it is a Windows device, in the drop-down list, click Full lockdown.
    - Select a lockdown period.
    - Click Confirm Lockdown.
  - Partially lock a device (CylanceOPTICS agent 3.1 or later for Windows only):
    - In the Select Action drop-down list, click Lockdown.
    - In the drop-down list, do one of the following:
      - To use the default partial lockdown configuration, click Partial lockdown.
      - To use one of your custom partial lockdown configurations, click the configuration.
    - If you want to allow remote response sessions to the device while it is in a partial lockdown state, turn on Remote Response.
    - Click Confirm Lockdown.
    To remotely unlock the device, click the device and in the Select Action drop-down list, click Unlock device. Confirm the remote unlock.
- If you want to manually unlock a fully or partially locked device, click Actions > Show Unlock Key. Copy the unique unlock key and run the following commands on the device:
  - Windows:
    - Navigate to the CylanceOPTICS executable folder (by default, C:\Program Files\Cylance\Optics).
    - Run CyOptics.exe control --password "<unlock_key>" unlock -a
  - macOS:
    - Run cd /Library/Application\ Support/Cylance/Optics/CyOptics.app/Contents/Resources
    - Run sudo ../MacOS/CyOptics control --password <unlock_key> unlock -net
  - Linux:
    - Run ./CyOptics control --password "password" unlock -net