CylancePROTECT Desktop application control
This option is only visible to users who have the application control feature enabled. Application control events represent actions occurring when the device is in application control mode. Selecting this option will send a message to the syslog server whenever an attempt is made to modify or copy an executable file, or when an attempt is made to execute a file from an external device or network location.
Field | Value | Description |
---|---|---|
Action | Allow | The event was allowed. |
Action | Deny | The event was denied. |
Action Type | Execution | An attempt to execute a file from the local drive was detected. |
Action Type | ExecutionFromExternalDrive | An attempt to execute from an external drive or USB drive was detected. |
Action Type | PEFileChange | An attempt to change a portable executable file on the file system was detected. This includes copying files onto the file system. |
Action Type | Unknown | The action type could not be determined. |
Device Name | [varies] | This is the name of the device. |
Event Name | Execution | An attempt to execute a file from a local drive was detected. |
Event Name | ExecutionFromExternalDrive | An attempt to execute from an external drive or USB drive was detected. |
Event Name | PEFileChange | An attempt to change a portable executable file on the file system was detected. This includes copying files onto the file system. |
Event Name | Unknown | The event name could not be determined. |
Event Type | AppControl | This is an application control event. |
File Path | [varies] | This is the path to the file. |
IP Address | [varies] | This is the IP address for the device. Multiple IP addresses are comma separated values. |
SHA256 | [varies] | This is the SHA256 hash for the file. |
Zone Names | [varies] | These are the zones that the device belongs to. |
Denying portable executable file changes
BlackBerry Protect Desktop: Event Type: AppControl, Event Name: pechange, Device Name: WIN-7entSh64, IP Address: (192.168.119.128), Action: PEFileChange, Action Type: Deny, File Path: C:\Users\admin\AppData\Local\Temp\MyInstaller.exe, SHA256: 04D4DC02D96673ECA9050FE7201044FDB380E3CFE0D727E93DB35A709B45EDAA), Zone Names: (Script Test,Server Test)
Denying executions from an internal device
BlackBerry Protect Desktop: Event Type: AppControl, Event Name: executionfromexternaldrives, Device Name: WIN-7entSh64, IP Address: (192.168.119.128), Action: PEFileChange, Action Type: Allow, File Path: \\shared1\psexec.exe, SHA256: F8DBABDFA03068130C277CE49C60E35C029FF29D9E3C74C362521F3FB02670D5), Zone Names: (Script Test,Server Test)
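The following is an added example, not BlackBerry's code, showing one way a log collector could normalize these messages before detections are written against them; the function names and output keys are hypothetical. It anchors on the field names from the table instead of splitting on commas, and it finds Allow/Deny by value because the sample messages on this page carry it under Action Type while the table lists it under Action.

```python
import re

FIELDS = ("Event Type", "Event Name", "Device Name", "IP Address",
          "Action Type", "Action", "File Path", "SHA256", "Zone Names")
KEY_RE = re.compile(r"(?:^|, )(" + "|".join(FIELDS) + r"): ")
VERDICTS = {"allow", "deny"}

def split_list(value):
    """'(a,b)' -> ['a', 'b']; tolerates missing parentheses."""
    return [v.strip() for v in value.strip("() ").split(",") if v.strip()]

def parse_appcontrol(line):
    """Parse one application control syslog message into a flat dict."""
    start = line.find("Event Type: ")
    if start < 0:
        raise ValueError("not an application control message")
    body = line[start:].strip()
    keys = list(KEY_RE.finditer(body))
    raw = {}
    for cur, nxt in zip(keys, keys[1:] + [None]):
        name = cur.group(1)
        if name in raw:
            # File Path is free text from the endpoint; a repeated key is suspect.
            raise ValueError("duplicate field: " + name)
        raw[name] = body[cur.end():nxt.start() if nxt else len(body)].strip()
    # Allow/Deny can arrive under either key, so locate it by value.
    pair = [raw.get("Action", ""), raw.get("Action Type", "")]
    verdict = next((v for v in pair if v.lower() in VERDICTS), None)
    kind = next((v for v in pair if v and v.lower() not in VERDICTS), None)
    sha = raw.get("SHA256", "").strip("() ").upper()
    return {
        "event_type": raw.get("Event Type"),
        "event_name": raw.get("Event Name"),
        "device": raw.get("Device Name"),
        "ips": split_list(raw.get("IP Address", "")),
        "verdict": verdict,
        "kind": kind,
        "path": raw.get("File Path"),
        "sha256": sha if re.fullmatch(r"[0-9A-F]{64}", sha) else None,
        "zones": split_list(raw.get("Zone Names", "")),
    }

# First sample message from this page, unchanged.
SAMPLE = (r"BlackBerry Protect Desktop: Event Type: AppControl, Event Name: pechange, "
          r"Device Name: WIN-7entSh64, IP Address: (192.168.119.128), Action: PEFileChange, "
          r"Action Type: Deny, File Path: C:\Users\admin\AppData\Local\Temp\MyInstaller.exe, "
          r"SHA256: 04D4DC02D96673ECA9050FE7201044FDB380E3CFE0D727E93DB35A709B45EDAA), "
          r"Zone Names: (Script Test,Server Test)")
```

A message in which a field name repeats is rejected rather than parsed, so text inside a file path cannot silently overwrite the recorded verdict.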