Lock a device

You can lock an infected or potentially infected device to stop command and control activity, the exfiltration of data, and the lateral movement of malware. You have the following lockdown options:

| Lockdown type | Description |
| --- | --- |
| Full lockdown (all platforms) | Prevent all network communication from the device. You can lock a device for up to 96 hours. You can use an unlock key to unlock the device before the end of the lockdown period. |
| Partial lockdown (CylanceOPTICS agent 3.1 or later for Windows only) | Disable the device's LAN and Wi-Fi network capabilities and retain communication with the CylanceOPTICS cloud services, allowing CylanceOPTICS to continue to receive detections and sensor data. Partial lockdown persists indefinitely. You can unlock the device at any time using an unlock key or the remote unlock feature. |
| Customized partial lockdown (CylanceOPTICS agent 3.2.1140 or later for Windows only) | This option is the same as partial lockdown but also allows you to specify additional communication channels that you want to allow during a partial lockdown. |

  • On Linux devices, firewalld must be enabled and running to support the lockdown device feature. Firewalld is available by default with RHEL/CentOS, SUSE 15, and Oracle Linux 8 and must be installed manually for Ubuntu and Amazon Linux 2. The lockdown device feature is not supported for SUSE 12.
  • If you want to use a customized partial lockdown, on the menu bar, click Settings > Detection and Response > Add New Configuration. Specify a name, description, and the IP address, port, and operations (inbound, outbound, bidirectional) for the communication channels that you want to allow during partial lockdown. Click Save.
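
The Linux prerequisite above (firewalld enabled and running, SUSE 12 unsupported) can be verified on a device before you depend on lockdown during an incident. This is an added example, not BlackBerry tooling; the function names, verdict strings, the OS_RELEASE override and the --check argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for the Linux lockdown prerequisites.
# OS_RELEASE can be overridden to exercise the check against a constructed file.
OS_RELEASE="${OS_RELEASE:-/etc/os-release}"

# Echo "unsupported" for SUSE 12, "supported" otherwise, "unknown" if unreadable.
lockdown_os_support() {
    [ -r "$OS_RELEASE" ] || { echo "unknown"; return 0; }
    # os-release uses shell-compatible assignments; source it in a subshell.
    ids=$( . "$OS_RELEASE"; echo "${ID:-} ${ID_LIKE:-}" )
    ver=$( . "$OS_RELEASE"; echo "${VERSION_ID:-}" )
    case "$ids" in
        *suse*|*sles*|*sled*)
            case "$ver" in 12|12.*) echo "unsupported"; return 0 ;; esac ;;
    esac
    echo "supported"
}

# $1 = output of `systemctl is-enabled firewalld`
# $2 = output of `systemctl is-active firewalld`
# Echoes a verdict; returns 0 only when lockdown can rely on firewalld.
lockdown_preflight() {
    if [ "$(lockdown_os_support)" = "unsupported" ]; then
        echo "unsupported-os"; return 1
    fi
    case "$1" in
        ""|not-found) echo "firewalld-not-installed"; return 1 ;;
    esac
    if [ "$2" != "active" ]; then
        echo "firewalld-not-running"; return 1
    fi
    case "$1" in
        enabled|enabled-runtime) ;;
        *) echo "firewalld-not-enabled"; return 1 ;;  # would not survive a reboot
    esac
    echo "ready"
}

# Query the live system only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--check" ]; then
    en=$(systemctl is-enabled firewalld 2>/dev/null || true)
    ac=$(systemctl is-active firewalld 2>/dev/null || true)
    lockdown_preflight "$en" "$ac"
fi
```

Run it with `--check` on the device; any verdict other than `ready` means the lockdown prerequisite is not met and should be fixed before an incident.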
  1. In the management console, on the menu bar, click CylanceOPTICS > Devices.
  2. Click the device name.
  3. Do one of the following:
    • Fully lock a device (all platforms):
      1. In the Select Action drop-down list, click Lockdown.
      2. If it is a Windows device, in the drop-down list, click Full lockdown.
      3. Select a lockdown period.
      4. Click Confirm Lockdown.
    • Partially lock a device (CylanceOPTICS agent 3.1 or later for Windows only):
      1. In the Select Action drop-down list, click Lockdown.
      2. In the drop-down list, do one of the following:
        • To use the default partial lockdown configuration, click Partial lockdown.
        • To use one of your custom partial lockdown configurations, click the configuration.
      3. If you want to allow remote response sessions to the device while it is in a partial lockdown state, turn on Remote Response.
      4. Click Confirm Lockdown.
      To remotely unlock the device, click the device and in the Select Action drop-down list, click Unlock device. Confirm the remote unlock.
  4. If you want to manually unlock a fully or partially locked device, click Actions > Show Unlock Key. Copy the unique unlock key and run the following commands on the device:
    • Windows:
      1. Navigate to the CylanceOPTICS executable folder (by default, C:\Program Files\Cylance\Optics).
      2. Run
        CyOptics.exe control --password <unlock_key> unlock -a
    • macOS:
      1. Run
        cd /Library/Application\ Support/Cylance/Optics/CyOptics.app/Contents/Resources
      2. Run
        sudo ../MacOS/CyOptics control --password <unlock_key> unlock -net
    • Linux:
      Run
        ./CyOptics control --password "password" unlock -net