CylancePROTECT Desktop threats

Selecting this option will log any new threats, or changes observed to existing threats, to the syslog server. Examples of changes include removing, quarantining, or waiving threats.
| Field | Value | Description |
|---|---|---|
| Auto Run | False | The threat is not set to automatically run when the system starts. |
| | True | The threat is set to automatically run when the system starts. |
| | Unknown | It cannot be determined whether the threat is set to auto run. |
| Cylance Score | Ranges from 1 to 100 | A file with a score ranging from 1 to 59 is considered Abnormal. A file with a score ranging from 60 to 100 is considered Unsafe. |
| Detected By | ExecutionControl | The threat is detected by execution control. |
| | BackgroundThreatDetection | The threat is detected by background threat detection. |
| | FileWatcher | The threat is detected when scanning new or modified executable files. |
| | NotAvailable | The threat detection information is not available. |
| | RunningModuleScan | The threat is detected by running a module scan. |
| Device Name | [varies] | This is the name of the device that the threat was found on. |
| Drive Type | [varies] | This is the type of drive or storage device the threat originated from, if known. The drive type includes: CDROM, Fixed, Network, None, No Root Directory, RAM, and Removable. |
| Event Name | threat_found | A new threat has been found in an unsafe state. |
| | threat_cleared | An existing threat has been cleared (removed). This occurs when a threat_removed event is generated. |
| | threat_quarantined | A new threat has been found in the quarantined status. |
| | threat_waived | A new threat has been found in the waived status. |
| | threat_changed | The behavior of an existing threat has changed (examples: score, quarantine status, running status). |
| | corrupt_found | A file is classified as corrupt because the file appears to be malformed and cannot run, or the file may contain a malformed file structure. |
| Event Type | Threat | This is a threat event. |
| File Name | [varies] | This is the name of the threat (file). |
| File Owner | [varies] | This is the owner of the threat (file). |
| File Type | Archive | The file is an archive file. |
| | Executable | The file is a Windows executable. |
| | Linuxexe | The file is a Linux executable. |
| | MacOSExe | The file is a macOS executable. |
| | Ole | The file is a Microsoft Office file. |
| | Pdf | The file is a PDF. |
| | Unknown | The file type could not be determined. |
| Found Date | [varies] | This is the date and time that the threat was found on the device. |
| IP Address | [varies] | This is the IP address or IP addresses for the device. |
| Is Malware | False | The threat is not classified as malware (Threat Classification). |
| | True | The threat is classified as malware (Threat Classification). |
| Is Running | False | The threat is not running. |
| | True | The threat is currently running. |
| Is Unique To | False | The threat is not uniquely identifiable by CylancePROTECT Desktop. |
| | True | The threat is uniquely identifiable by CylancePROTECT Desktop. |
| MD5 | [varies] | This is the MD5 hash for the file. |
| Path | [varies] | This is the path to the file. |
| Policy Name | [varies] | This is the name of the device policy. |
| SHA256 | [varies] | This is the SHA256 hash for the file. |
| Status | Abnormal | The threat is considered abnormal. |
| | Cleared | The administrator added the threat to the global safe list or deleted the threat in the management console, or the user deleted the threat on the device. |
| | Corrupt | The file is corrupt or otherwise invalid. |
| | Quarantined | The file has been quarantined because an administrator added it to the global quarantine list or quarantined it on a specific device. |
| | Unsafe | The threat is considered unsafe. |
| | Waived | The administrator waived the file, allowing it to run on a specific device. |
| Threat Classification | [Threat class] - [Threat subclass] - [Threat family name] | The threat classification indicates the threat class, threat subclass, and threat family name. The possible class and subclass values are detailed below. The value of family name varies depending on the nature of the threat. |
| | [Threat class] values | |
| | Dual Use | The file can be used for malicious and non-malicious purposes. |
| | File Unavailable | The file is unavailable for analysis. For example, the file is too large to upload. |
| | Malware | The file has been identified as malicious. |
| | Possible PUP | The file might be a potentially unwanted program (PUP). |
| | PUP | The file has been identified as a possible potentially unwanted program (PUP). |
| | Trusted | The file has been identified as safe. |
| | [Threat subclass] values | |
| | Adware | The file has advertisements or unwanted bundled add-ons. |
| | Backdoor | The file provides unauthorized access. |
| | Bot | The file contains malware that connects to a botnet server. |
| | Corrupt | The file is malformed or unable to run. |
| | Crack | The file is altered to bypass licensing. |
| | Downloader | The file contains malware that downloads data. |
| | Dropper | The file contains malware that installs other malware. |
| | Exploit | The file attacks a specific vulnerability. |
| | Fake Alert | The file contains malware that appears to be legitimate security software. |
| | Fake AV | The file contains malware that appears to be legitimate security software. |
| | Game | This is a game file. |
| | Generic | This file does not fit into any existing category. |
| | Hacking Tool | This file is a hacking tool. |
| | Infostealer | This file records login credentials and other sensitive information. |
| | Keygen | This file generates product keys. |
| | Monitoring Tool | This file tracks a user's activities. |
| | Other | This is a category used for PUPs that don't fit anything else. |
| | Parasitic | This threat is spread by attacking other programs. |
| | Pass Crack | This file is used to reveal passwords. |
| | Portable Application | This file is designed to run without needing installation. |
| | Ransom | This file restricts access. |
| | Remnant | These are remnants left after removal. |
| | Remote Access | This file can access another system remotely. |
| | Rootkit | This file avoids detection. |
| | Scripting Tool | This is any script that can run as if it were an executable. |
| | Tool | These are administrative features used to attack or intrude. |
| | Toolbar | This is any technology that places additional buttons or input boxes on-screen. |
| | Trojan | This file disguises itself as legitimate software. |
| | Virus | This file inserts or appends itself to other files. |
| | Worm | This file propagates by copying itself to another device. |
Example message for threat events
BlackBerry Protect Desktop: Event Type: Threat, Event Name: threat_found, Device Name: SH-Win81-1, IP Address: (10.3.0.132), File Name: virusshare_00fbc4cc4b42774b50a9f71074b79bd9, Path: c:\ruby\host_automation\test\data\test_files\, Drive Type: None, File Owner: SH-Win81-1\Exampleuser, SHA256: 1EBF3B8A61A7E0023AAB3B0CB24938536A1D87BCE1FCC6442E137FB2A7DD510B, MD5: , Status: Unsafe, Cylance Score: 100, Found Date: 6/1/2015 10:57:42 PM, File Type: Executable, Is Running: False, Auto Run: False, Detected By: FileWatcher), Zone Names: (Script Test,Server Test), Is Malware: False, Is Unique to Cylance: False, Threat Classification: File Unavailable
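The message is a flat run of `Field: Value` pairs, but values can themselves contain commas (zone lists in parentheses) and colons (Windows paths, the Found Date timestamp), so splitting naively on `, ` or `: ` breaks. The Python parser below is an added example written for this page; it is not BlackBerry product code and not part of the original documentation. It splits only at the field names listed in the table, types the booleans, score, lists and classification, applies the score bands the table defines (1-59 Abnormal, 60-100 Unsafe), and runs a simple defender-side triage rule over the result. The two sample messages, with their device names, hashes, zone names and family name, are constructed placeholders modelled on the example above, not real telemetry.

```python
"""Parse CylancePROTECT Desktop threat-event syslog messages and apply the
score bands from the table (added example; not BlackBerry product code)."""
from __future__ import annotations

import re
from typing import Any

# Field names taken from the threat-event table and the example message.
FIELD_NAMES = [
    "Event Type", "Event Name", "Device Name", "IP Address", "File Name", "Path",
    "Drive Type", "File Owner", "SHA256", "MD5", "Status", "Cylance Score",
    "Found Date", "File Type", "Is Running", "Auto Run", "Detected By",
    "Zone Names", "Is Malware", "Is Unique to Cylance", "Is Unique To",
    "Threat Classification", "Policy Name",
]
# Split only on ", " that is followed by a known field name and ": ", so commas
# inside zone lists and colons inside paths or timestamps do not break the parse.
_FIELD_SPLIT = re.compile(
    r", (?=(?:" + "|".join(re.escape(f) for f in FIELD_NAMES) + r"): )"
)
_BOOL_FIELDS = {"Is Running", "Auto Run", "Is Malware",
                "Is Unique to Cylance", "Is Unique To"}
_LIST_FIELDS = {"IP Address", "Zone Names"}   # written as "(a,b)"


def parse_threat_event(message: str) -> dict[str, Any]:
    """Turn one syslog message body into a dict of typed fields."""
    product, _, body = message.partition(": ")
    event: dict[str, Any] = {"Product": product}
    for token in _FIELD_SPLIT.split(body):
        key, sep, value = token.partition(": ")
        if not sep:
            raise ValueError(f"unparseable token: {token!r}")
        value = value.strip()
        if key in _LIST_FIELDS:
            event[key] = [v.strip() for v in value.strip("()").split(",") if v.strip()]
        elif key in _BOOL_FIELDS:
            # "Unknown" (or anything else) becomes None rather than a guess.
            event[key] = {"True": True, "False": False}.get(value)
        elif key == "Cylance Score":
            event[key] = int(value) if value else None
        elif key == "Threat Classification":
            # "[class] - [subclass] - [family]"; missing parts stay None.
            parts = [p.strip() for p in value.split(" - ")] + [None, None]
            event[key] = {"class": parts[0], "subclass": parts[1], "family": parts[2]}
        else:
            event[key] = value or None   # empty fields such as "MD5: " become None
    return event


def score_band(score: int | None) -> str | None:
    """Map a Cylance Score to the band the table defines: 1-59 Abnormal, 60-100 Unsafe."""
    if score is None:
        return None
    if 1 <= score <= 59:
        return "Abnormal"
    if 60 <= score <= 100:
        return "Unsafe"
    raise ValueError(f"Cylance Score out of range: {score}")


def needs_attention(event: dict[str, Any]) -> bool:
    """Triage rule (assumed, not from the page): an unsafe threat that is running,
    set to auto-run, or classified as malware, and not already quarantined,
    waived, or cleared by the product."""
    if event.get("Event Type") != "Threat":
        return False
    if event.get("Status") in {"Quarantined", "Waived", "Cleared"}:
        return False
    unsafe = (event.get("Status") == "Unsafe"
              or score_band(event.get("Cylance Score")) == "Unsafe")
    active = bool(event.get("Is Running")) or bool(event.get("Auto Run"))
    malware = (bool(event.get("Is Malware"))
               or (event.get("Threat Classification") or {}).get("class") == "Malware")
    return unsafe and (active or malware)


# Constructed sample messages modelled on the page's example; hostnames, hashes,
# zone names and the family name are placeholders, not real telemetry.
SAMPLE_FOUND = (
    "BlackBerry Protect Desktop: Event Type: Threat, Event Name: threat_found, "
    "Device Name: WS-EXAMPLE-01, IP Address: (10.0.0.25), File Name: invoice.exe, "
    "Path: c:\\users\\example\\downloads\\, Drive Type: Fixed, "
    "File Owner: WS-EXAMPLE-01\\example, SHA256: " + "0" * 64 + ", MD5: , "
    "Status: Unsafe, Cylance Score: 87, Found Date: 6/1/2015 10:57:42 PM, "
    "File Type: Executable, Is Running: True, Auto Run: False, "
    "Detected By: FileWatcher, Zone Names: (Finance,Laptops), Is Malware: True, "
    "Is Unique to Cylance: False, Threat Classification: Malware - Trojan - ExampleFamily"
)
SAMPLE_QUARANTINED = (
    "BlackBerry Protect Desktop: Event Type: Threat, Event Name: threat_quarantined, "
    "Device Name: WS-EXAMPLE-02, IP Address: (10.0.0.26), File Name: keygen.exe, "
    "Path: d:\\tools\\, Drive Type: Removable, File Owner: WS-EXAMPLE-02\\example, "
    "SHA256: " + "1" * 64 + ", MD5: , Status: Quarantined, Cylance Score: 64, "
    "Found Date: 6/2/2015 9:15:03 AM, File Type: Executable, Is Running: False, "
    "Auto Run: False, Detected By: ExecutionControl, Zone Names: (), "
    "Is Malware: False, Is Unique to Cylance: True, Threat Classification: PUP - Keygen"
)

if __name__ == "__main__":
    for msg in (SAMPLE_FOUND, SAMPLE_QUARANTINED):
        ev = parse_threat_event(msg)
        print(ev["Event Name"], ev["Device Name"],
              score_band(ev["Cylance Score"]), needs_attention(ev))
```

Splitting on known field names rather than on every comma is the design choice that matters: zone names and paths are operator-controlled strings, and a parser that trusts delimiters inside them will mis-assign fields (for example, attaching the tail of a zone list to `Is Malware`). The same lookahead list is also the place to add any field a newer agent version emits; unknown fields simply stay attached to the preceding value until they are listed.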