Benefits of upgrading to CylancePROTECT Desktop 3.x

CylancePROTECT Desktop version 3.x represents a significant leap forward for the product, introducing new features and usability enhancements to keep your organization’s data and devices secure.
Upgrading to CylancePROTECT Desktop 3.x will give you access to the following features:
Windows
Feature
Description
OS compatibility
The Windows 3.x agent adds support for Windows 11.
For more information, see the CylancePROTECT Desktop compatibility matrix.
Agent enhancements
  • The Windows 3.1 agent runs as a trusted service using Antimalware Protected Process Light (AM-PPL) technology from Microsoft, which protects the agent's security processes from malicious actions. For example, it helps protect the agent from being terminated. This feature requires the endpoint to be running Windows 10 1709 or later, or Windows Server 2019 or later.
  • The Windows 3.2 agent reports a list of applications that are installed on endpoint devices to the management console. This feature allows administrators to identify applications that are installed on endpoint devices that may be a source of vulnerabilities, prioritize actions against vulnerabilities, and address them accordingly. Administrators can view all applications that are installed on endpoints that are registered with the tenant and view a list of applications that are installed on individual endpoints. This feature can be enabled from the device policy (agent settings).
Memory protection enhancements
  • New capabilities have been added to violation types, resulting in the generation of more events.
  • The “Injection via APC” violation type is available in the memory protection settings of a device policy. This option enables CylancePROTECT Desktop to detect a process that is injecting arbitrary code into the target process using an asynchronous procedure call (APC). For more information, see KB 92422.
  • The “Memory Permission Changes in Child Processes” violation type is available in the memory protection settings of a device policy. This option enables CylancePROTECT Desktop to detect when a violating process has created a child process and has modified memory access permissions in that child process.
  • Usability for memory protection controls has been improved.
  • Improved detection of LSASS read violations for Windows devices.
  • The size limit for memory protection exclusions has been increased from 64 KB to 2 MB, allowing you to add more exclusions.
  • Exclusions for third-party application DLLs are now supported to allow third-party apps to run alongside CylancePROTECT Desktop. For example, if you are running third-party security products in addition to CylancePROTECT, you can add an exclusion for the appropriate .dll files so that CylancePROTECT ignores specific violations for those products. This feature requires agent 3.1.1001 or later. For more information, see the Treat as DLL exclusion setting in the memory protection device policy.
  • The memory protection sensor for the malicious payload violation type has been improved to increase the accuracy of violation reporting and reduce unnecessary alerts. This feature requires agent 3.1.1001 or later.
Protection enhancements
  • The Windows 3.1 agent allows administrators to set a custom interval for background threat detection scanning from the device policy (protection settings). The scan interval can be set between 1 and 90 days. The default scan interval is 10 days. Note that increasing the frequency of the scans may impact device performance.
  • The Windows 3.2 agent allows administrators to initiate a background threat detection scan on demand from the management console. The command can be sent from the Device Details screen for an individual device, or for multiple devices at once from the Devices screen.
  • The date of the last scan for each device is logged in the management console.
Script control enhancements
  • You can select whether you want CylancePROTECT Desktop to alert on or block Python (2.7, 3.0 to 3.8) and .NET DLR scripts (for example, IronPython), and you can turn off script control for these script types.
  • Embedded VB scripts that caused script control events were blocked in agent version 2.1.1580; detection of embedded VB script control violations has been disabled in agent 3.0.1000 and later.
  • The Windows 3.1 agent works with Microsoft's Antimalware Scan Interface (AMSI) so that when a potentially dangerous XLM macro is executed, threat information is reported to the management console, and the agent responds to the interface according to the device policy rules for script control events. For example, the agent tells the interface whether to allow or block the macro from running. This feature is enabled from the Script Control > XLM Macros setting in the device policy and requires the device to be running Windows 10. Make sure to disable VBA macros in the Excel File > Trust Center > Excel Trust Center > Macro Settings menu.
  • The Windows agent reports parent and interpreter processes to the Cylance console when a potentially malicious script is executed. Administrators can add exclusions for either a parent process or interpreter process of a script to allow the script to run on a device. This feature requires agent version 3.1.1001.
  • The Windows 3.2 agent supports enhanced script control using script scoring. Scripts that have an unsafe or abnormal threat score can be intelligently blocked from executing and reported to the management console. Administrators can configure the script control settings in the device policy to block scripts that CylancePROTECT considers to be unsafe or abnormal.
  • The Windows 3.2 agent supports Alert mode for PowerShell Console scripts, so that detected events are reported to the management console while still allowing them to run. Administrators can control the setting from the Script Control tab in the device policy using the PowerShell Console drop-down menu.
  • The Windows 3.3 agent allows administrators to separately control how larger scripts (for example, PowerShell scripts larger than 5 MB) are reported to the Cylance console when a threat is detected. The separate setting allows administrators to focus on tuning the detection of smaller scripts, which are more likely to be malicious than IT scripts (which are typically larger in size), and enables the agent to achieve optimal blocking posture faster. You can apply the policy settings for each type of script (which includes blocking the script from running) so that these threats are managed together regardless of the size of the script. You can also manage them separately by only sending alerts to the console, or ignoring alerts for large scripts.
Macro detection enhancements
  • In device policies, the macro detection feature for Windows devices has been moved from the Script Control tab to the Memory Actions tab (Exploitation > Dangerous VBA Macro) for devices running Windows agent version 2.1.158x or later. The previous script control option for 2.1.1578 and earlier supports the Alert and Block actions; the new memory protection option supports the Ignore, Alert, Block, and Terminate actions.
  • You can now add exclusions for the Dangerous VBA Macro violation type in the memory protection settings of a device policy.
  • Files that cause Dangerous VBA Macro violations are displayed in the management console, allowing you to identify offending documents and determine if you need to add them to the exclusion list.
Device control enhancements
You can now allow read-only access to the following USB device types:
  • Still image
  • USB CD/DVD RW
  • USB drive
  • VMware USB passthrough
  • Windows portable device
Global safe list enhancements
Adding a SHA256 hash to the global safe list for scripts now masks any block events related to that hash from appearing in the management console.
Logging changes
Important log entries have been moved from the Debug log level to the Info log level.
Linux
Feature
Description
OS compatibility
The Linux 3.3.x agent adds support for the following Linux distributions:
  • Alma Linux 9
  • Alma Linux 8
  • Debian 12
  • Rocky Linux 9
  • Rocky Linux 8
  • Ubuntu 24.04
The Linux 3.2.x agent adds support for the following Linux distributions:
  • Amazon Linux 2023
  • Amazon Linux 2, kernel 5.10
The Linux 3.1.x agent adds support for the following Linux distributions:
  • Red Hat Enterprise Linux 9 and 9.1
  • Oracle 9 and 9.1
  • Oracle UEK 9 and 9.1
  • Oracle 8.7
  • Oracle UEK 8.7
  • SUSE Linux Enterprise Server (SLES) 15 SP4
  • Ubuntu 22.04 LTS
The Linux 3.0.x agent adds support for the following Linux distributions:
  • Red Hat Enterprise Linux/CentOS 8.4
  • Red Hat Enterprise Linux 8.5
  • Oracle 8.4
  • SUSE (SLES) 12 SP5
  • SUSE (SLES) 15 SP2 and SP3
For more information, see the CylancePROTECT Desktop compatibility matrix. To view the full list of supported Linux kernels and drivers, download the Supported Linux Kernels spreadsheet.
Background threat detection on-demand scan
Administrators can now initiate a background threat detection scan on demand from the management console. The command can be sent from the Device Details screen for an individual device, or for multiple devices at once from the Devices screen.
This feature requires CylancePROTECT Desktop agent version 3.2.
The date of the last scan for each device is logged in the management console.
Custom interval for background threat detection scanning
  • Administrators can set a custom interval to run background threat detection scanning from the device policy. The scan interval can be set between 1 and 90 days. The default scan interval is 10 days.
  • This feature requires CylancePROTECT Desktop agent version 3.1.
  • The date of the last scan for each device is logged in the management console.
Auto-update Linux Driver
  • The CylancePROTECT Desktop agent 3.1.1000 for Linux devices can now request an update to the latest supported agent driver when an updated kernel is detected on the system. For example, if the Linux kernel is updated and the current installed agent driver does not support it, the agent can now automatically update the driver as soon as a compatible driver is released.
  • This feature requires CylancePROTECT Desktop agent version 3.1.1000 and the agent driver version 3.1.1000 or later.
  • To enable this feature, select the Auto-update Linux Driver option in the zone-based update rule from the Settings > Update menu in the management console.
Memory protection enhancements
  • New capabilities have been added to violation types, resulting in the generation of more events.
  • Usability for memory protection controls has been improved.
  • The size limit for memory protection exclusions has been increased from 64 KB to 2 MB, allowing you to add more exclusions.
macOS
Feature
Description
OS compatibility
  • The CylancePROTECT Desktop 3.2.x agent adds support for macOS 14 (Sonoma).
  • The CylancePROTECT Desktop 3.1.x agent adds support for macOS 13 (Ventura).
  • The CylancePROTECT Desktop 3.0.x agent adds support for macOS 12 (Monterey).
USB device control
The CylancePROTECT Desktop agent for macOS 3.3 supports the USB device control feature, which allows administrators to control whether to allow or block access to USB mass storage devices. Administrators can turn on device control for macOS devices from the device policy for storage devices classified as USB optical drives or USB storage drives (such as hard drives or flash drives).
Background threat detection on-demand scan
Administrators can now initiate a background threat detection scan on demand from the management console. The command can be sent from the Device Details screen for an individual device, or for multiple devices at once from the Devices screen. This feature requires CylancePROTECT Desktop agent version 3.2.
The date of the last scan for each device is logged in the management console.
Custom interval for background threat detection scanning
  • Administrators can set a custom interval to run background threat detection scanning from the device policy. The scan interval can be set between 1 and 90 days. The default scan interval is 10 days.
  • The date of the last scan for each device is logged in the management console.
Memory protection enhancements
  • New capabilities have been added to violation types, resulting in the generation of more events.
  • Usability for memory protection controls has been improved.
  • The size limit for memory protection exclusions has been increased from 64 KB to 2 MB, allowing you to add more exclusions.
For more information about additional features for the latest 3.x agents, as well as a comprehensive list of fixed issues, see the Cylance Endpoint Security Release Notes.
To benefit from these enhancements and the improvements coming in future versions of CylancePROTECT Desktop, BlackBerry strongly recommends upgrading all devices with the 2.x.158x agent or earlier to the latest version of agent 3.x. This guide covers considerations and additional instructions for a successful upgrade.