CylancePROTECT Desktop release notes

The following tables provide information about the new features of CylancePROTECT Desktop in the management console. For the agents, information is available in their separate sections.

What's new in the management console for CylancePROTECT Desktop (November 2022)

Feature
Description
Auto-update Linux Driver
The CylancePROTECT Desktop agent 3.1.1000 for Linux devices can now request an update to the latest supported driver when an updated kernel is detected on the system. For example, if the Linux kernel is updated and the currently installed driver does not support it, the agent can now automatically update the driver as soon as a compatible driver is released. This feature requires CylancePROTECT Desktop agent version 3.1.1000 and the agent driver version 3.1.1000 or later.
To enable this feature, select the Auto-update Linux Driver option in the zone-based update rule from the Settings > Update menu in the management console.

What's new in the management console for CylancePROTECT Desktop (October 2022)

Feature
Description
Custom interval for background threat detection scanning
Administrators can now set a custom interval to run background threat detection scanning from the device policy. The date of the last scan for each device is logged in the management console. The scan interval can be set between 1 and 90 days. The default scan interval is 10 days. Note that increasing the frequency of the scans may impact the device performance. You can also start the scan manually from the command line.
This feature requires CylancePROTECT Desktop agent 3.1.1000 or later.

What's new in the management console for CylancePROTECT Desktop (March 2022)

Feature
Description
Exclusions for Dangerous VBA Macros
You can now add exclusions for the "Dangerous VBA Macro" violation type in the Memory Protection device policy. Any exclusion settings for macros in the Script Control device policy must be added to the Memory Protection device policy for devices running agent 3.0.1000.
For more information about how to copy exclusions from Script Control to Memory Protection device policies, see KB 91485. For tenants managed from the Cylance multi-tenant console, see KB 92149.
Adding exclusions to Memory Protection device policies
When adding exclusions to a Memory Protection device policy, if you want the policy to apply to memory protection violations only and not script control violations, specify at least one violation type that you want to ignore. If you do not select any violation types to ignore, a warning message appears and the exclusion will apply to both Memory Protection and Script Control policies.
For existing Memory Protection policies:
  • If the “Ignore Specific Violation Types” exclusion setting is already checked but the Script Control policy is not enabled, no action is required.
  • If the “Ignore Specific Violation Types” exclusion setting is unchecked and you want to ensure the policy is applied to memory protection violations only (and not script control), you must check it and specify at least one violation type that you want to ignore.
Detection disabled for embedded VBScripts
Detection of embedded VBScript script control violations is disabled in CylancePROTECT Desktop agent 3.0.1000.
Memory Protection: Injection via APC
The “Injection via APC” violation type is now available in the Memory Protection device policy. You can also find these violations in the Exploit Attempts tab when viewing device details. For more information about using this violation type, see KB 92422.
Memory Protection: Memory Permission Changes in Child Processes
The “Memory Permission Changes in Child Processes” violation type is now available in the Memory Protection device policy. You can also find these violations in the Exploit Attempts tab when viewing device details.
Renamed policy: Memory Permission Changes in Other Processes
The “Memory Permission Changes” memory protection violation type is now renamed to “Memory Permission Changes in Other Processes”.
Device Control: Read-only
For Windows devices running agent 3.0.1000, you can now allow read-only access to the following USB device types:
  • Still image
  • USB CD/DVD RW
  • USB drive
  • VMware USB passthrough
  • Windows portable device

What's new in the management console for CylancePROTECT Desktop (December 2021)

Feature
Description
Dangerous VBA macros
In a device policy, the macros feature has moved from Script Control to Memory Protection for devices running agent version 3.0.1000 or later. For agent versions 1584 and earlier, continue to use the macros feature under Script Control.
For existing device policies, the policy will be updated the first time the policy is edited after this release. The policy update depends on the script control setting for macros.
  • If script control macros is disabled, then memory protection dangerous VBA macros is set to ignore.
  • If script control macros is set to alert, then memory protection dangerous VBA macros is set to alert.
  • If script control macros is set to block, then memory protection dangerous VBA macros is set to block.
In the management console, the Memory Protection device policy UI states that this policy applies to agent version 1600, which is agent version 3.0.1000.
For more information, see Script control in the Cylance Endpoint Security Setup content.
Enhancements
  • New exploitation, process injection, and escalation violation types have been added. When you edit the Memory Protection device policy, the settings for existing violation types are retained. By default, the new violation types are set to Ignore.
  • When you add an exclusion, a new "Ignore Specific Violation Types" check box displays on the Add Exclusion dialog box. If selected, you can then ignore the excluded file for any or all violation categories or individual violations under each category. When you add a memory protection exclusion, you must set at least one violation type to ignore. Otherwise, the exclusion is applied to memory protection and script control.
  • Injection by APC has been added as an exploitation violation type for memory protection.
  • On the Device Details page, operating system names were removed from some Memory Protection violation types. For example, the reference to Windows was removed from the "System DLL Overwrite" violation type.
  • Updates to memory protection events sent to Syslog servers are described in KB 70992.