Benefits of upgrading to CylancePROTECT Desktop 3.x

CylancePROTECT Desktop version 3.x represents a significant leap forward for the product, introducing new features and usability enhancements to keep your organization’s data and devices secure.

Upgrading to

CylancePROTECT Desktop

for 3.x will give you access to the following features:

Windows

Feature	Description
OS compatibility	The Windows 3.x agent adds support for Windows 11. For more information, see the CylancePROTECT Desktop compatibility matrix.
Agent enhancements	The Windows 3.1 agent runs as a trusted service using Antimalware Protected Process Light (AM-PPL) technology from Microsoft, which protects the agent's security processes from malicious actions. For example, it helps protect the agent from being terminated. This feature requires the endpoint to be running Windows 10 1709 or later, or Windows Server 2019 or later. The Windows 3.2 agent reports a list of applications that are installed on endpoint devices to the management console. This feature allows administrators to identify applications that are installed on endpoint devices that may be a source of vulnerabilities, prioritize actions against vulnerabilities, and address them accordingly. Administrators can view all applications that are installed on endpoints that are registered with the tenant and view a list of applications that are installed on individual endpoints. This feature can be enabled from the device policy (agent settings).
Memory protection enhancements	New capabilities have been added to violation types, resulting in the generation of more events. The “Injection via APC” violation type is available in the memory protection settings of a device policy. This option enables CylancePROTECT Desktop to detect a process that is injecting arbitrary code into the target process using an asynchronous procedure call (APC). For more information, see KB 92422. The “Memory Permission Changes in Child Processes” violation type is available in the memory protection settings of a device policy. This option enables CylancePROTECT Desktop to detect when a violating process has created a child process and has modified memory access permissions in that child process. Usability for memory protection controls has been improved. Improved detection of LSASS read violations for Windows devices. The size limit for memory protection exclusions has been increased from 64 KB to 2 MB, allowing you to add more exclusions. Exclusions for third-party application DLLs are now supported to allow third-party apps to run alongside CylancePROTECT Desktop . For example, if you are running third-party security products in addition to CylancePROTECT, you can add an exclusion for the appropriate .dll files so that CylancePROTECT ignores specific violations for those products. This feature requires agent 3.1.1001 or later. For more information, see the Treat as DLL exclusion setting in the memory protection device policy. The memory protection sensor for the malicious payload violation type has been improved to help improve accuracy of violation reporting and reduce unnecessary alerts. This feature requires agent 3.1.1001 or later.
Protection enhancements	Windows 3.1 agent supports the ability for administrators to set a custom interval to run background threat detection scanning from the device policy (protection settings). The scan interval can be set between 1 and 90 days. The default scan interval is 10 days. Note that increasing the frequency of the scans may impact the device performance. Windows 3.2 agent supports the ability for administrators to initiate a background threat detection scan on demand from the management console. The command can be sent from the Device Details screen for an individual device, or for multiple devices at once from the Devices screen. The date of the last scan for each device is logged in the management console.
Script control enhancements	You can select whether you want CylancePROTECT Desktop to alert on or block Python (2.7, 3.0 to 3.8) and .NET DLR scripts (for example, IronPython), and you can turn off script control for these script types. Embedded VB scripts that caused script control events were blocked in agent version 2.1.1580; detection of embedded VB script control violations has been disabled in agent 3.0.1000 and later. The Windows 3.1 agent works with Microsoft's anti-malware scan interface (AMSI) so that when a potentially dangerous XLM macro is executed, threat information is reported to the management console, and the agent responds to the interface according to the device policy rules for script control events. For example, the agent responds whether to allow or block the macro from running. This feature is enabled from the Script Control > XLM Macros setting in the device policy and requires the device to be running Windows 10. Make sure to disable VBA macros in the Excel File > Trust Center > Excel Trust Center > Macro Settings menu. The Windows agent reports parent and interpreter processes to the Cylance console when a potentially malicious script is executed. Administrators can add exclusions for either a parent process or interpreter process of a script to allow the script to run on a device. This feature requires agent version 3.1.1001. The Windows 3.2 agent supports enhanced script control using script scoring. Scripts that have an unsafe or abnormal threat score can be intelligently blocked from executing and alerted to the management console. Administrators can configure the script control settings in the device policy to block scripts that CylancePROTECT considers to be unsafe or abnormal. The Windows 3.2 agent supports Alert mode for PowerShell Console scripts, so that detected events are reported to the management console while still allowing them to run. Administrators can control the setting from the Script Control tab in the device policy using the PowerShell Console drop-down menu.
Macro detection enhancements	In device policies, the macro detection feature for Windows devices has been moved from the Script Control tab to the Memory Actions tab (Exploitation > Dangerous VBA Macro) for devices running Windows agent version 2.1.158x or later. The previous script control option for 2.1.1578 and earlier supports the Alert and Block actions; the new memory protection option supports the Ignore, Alert, Block, and Terminate actions. You can now add exclusions for the Dangerous VBA Macro violation type in the memory protection settings of a device policy. Files that cause Dangerous VBA Macro violations are displayed in the management console, allowing you to identify offending documents and determine if you need to add them to the exclusion list.
Device control enhancements	You can now allow read-only access to the following USB device types: Still image USB CD/DVD RW USB drive VMware USB passthrough Windows portable device
Global safe list enhancements	Adding a SHA256 hash to the global safe list for scripts now masks any block events related to that hash from appearing in the management console.
Logging changes	Important log entries have been moved from the Debug log level to the Info log level.

Linux

Feature	Description
OS compatibility	The Linux 3.2.x agent adds support for the following Linux distributions: Amazon Linux 2023 Amazon Linux 2, kernel 5.10 The Linux 3.1.x agent adds support for the following Linux distributions: Red Hat Enterprise Linux 9 and 9.1 Oracle 9 and 9.1 Oracle UEK 9 and 9.1 Oracle 8.7 Oracle UEK 8.7 SUSE Linux Enterprise Server (SLES) 15 SP4 Ubuntu 22.04 LTS The Linux 3.0.x agent adds support for the following Linux distributions: Red Hat Enterprise Linux /CentOS 8.4 Red Hat Enterprise Linux 8.5 Oracle 8.4 SUSE (SLES) 12 SP5 SUSE (SLES) 15 SP2 and SP3 For more information, see the CylancePROTECT Desktop compatibility matrix. To view the full list of supported Linux kernels and drivers, download the Supported Linux Kernels spreadsheet.
Background threat detection on-demand scan	Administrators can now initiate a background threat detection scan on demand from the management console. The command can be sent from the Device Details screen for an individual device, or for multiple devices at once from the Devices screen. This feature requires CylancePROTECT Desktop agent version 3.2. The date of the last scan for each device is logged in the management console.
Custom interval for background threat detection scanning	Administrators can set a custom interval to run background threat detection scanning from the device policy. The scan interval can be set between 1 and 90 days. The default scan interval is 10 days. This feature requires CylancePROTECT Desktop agent version 3.1. The date of the last scan for each device is logged in the management console.
Auto-update Linux Driver	The CylancePROTECT Desktop agent 3.1.1000 for Linux devices can now request an update to the latest supported agent driver when an updated kernel is detected on the system. For example, if the Linux kernel is updated and the current installed agent driver does not support it, the agent can now automatically update the driver as soon as a compatible driver is released. This feature requires CylancePROTECT Desktop agent version 3.1.1000 and the agent driver version 3.1.1000 or later. To enable this feature, select the Auto-update Linux Driver option in the zone-based update rule from the Settings > Update menu in the management console.
Memory protection enhancements	New capabilities have been added to violation types, resulting in the generation of more events. Usability for memory protection controls has been improved. The size limit for memory protection exclusions has been increased from 64 KB to 2 MB, allowing you to add more exclusions.

macOS

Feature	Description
OS compatibility	The CylancePROTECT Desktop 3.2.x agent adds support for macOS 14 (Sonoma). The CylancePROTECT Desktop 3.1.x agent adds support for macOS 13 (Ventura). The CylancePROTECT Desktop 3.0.x agent adds support for macOS 12 (Monterey).
Background threat detection on-demand scan	Administrators can now initiate a background threat detection scan on demand from the management console. The command can be sent from the Device Details screen for an individual device, or for multiple devices at once from the Devices screen. This feature requires CylancePROTECT Desktop agent version 3.2. The date of the last scan for each device is logged in the management console.
Custom interval for background threat detection scanning	Administrators can set a custom interval to run background threat detection scanning from the device policy. The scan interval can be set between 1 and 90 days. The default scan interval is 10 days. The date of the last scan for each device is logged in the management console.
Memory protection enhancements	New capabilities have been added to violation types, resulting in the generation of more events. Usability for memory protection controls has been improved. The size limit for memory protection exclusions has been increased from 64 KB to 2 MB, allowing you to add more exclusions.

For more information about additional features for the latest 3.x agents, as well as a comprehensive list of fixed issues, see the Cylance Endpoint Security Release Notes.

To benefit from these enhancements and the improvements coming in future versions of

CylancePROTECT Desktop

,

BlackBerry

strongly recommends upgrading all devices with the 2.x.158x agent or earlier to the latest version of agent 3.x. This guide covers considerations and additional instructions for a successful upgrade.