File actions Skip Navigation

File actions

The following settings can be found in the
File Actions
tab in a device policy. They specify how the
CylancePROTECT Desktop
agent handles a file when it detects a threat that it considers to be unsafe or abnormal.
Auto Quarantine with Execution Control
This setting specifies whether to automatically quarantine unsafe or abnormal files to prevent them from executing. If you want to quarantine abnormal files, you must first select the option to quarantine unsafe files. Unsafe files contain significantly more malware attributes and are more likely to be malware than abnormal files.
When a file is quarantined, the following occurs:
  • The file is renamed with a
  • The file is moved from its original location to one of the following quarantine directories:
    • For
    • For
      /Library/Application Support/Cylance/Desktop/q
    • For
  • The Access Control List (ACL) for the file is modified to prevent to prevent the user from interacting with the file.
Some malware is designed to create files in other directories and continues to do so until it is successful. Instead of removing the files,
CylancePROTECT Desktop
modifies them so that the malware doesn't try to create them again and so that they could not be executed.
Enable auto-delete for quarantined files
This setting specifies whether to automatically delete quarantined files after a specified number of days. For example, you can set it so that a file is deleted after it has been quarantined for 14 days. The number of days can range from 14 to 365.
When the file is deleted, the following occurs:
  • The action is included in the agent log file for verification and auditing purposes.
  • The file is removed from the quarantine list in the agent UI.
Auto Upload
Make sure that you enable
Auto Upload
for all available file types. If the agent finds a file that
cloud services has never analyzed before, it requests to upload the file for analysis.
CylancePROTECT Desktop
only uploads and analyzes unknown files such as Portable Executable (PE), Executable and Linkable Format (ELF) and Mach Object file format (Mach-O) files. If the same unknown file is discovered on multiple devices in the organization,
CylancePROTECT Desktop
uploads one file only from a single device for analysis, not one file per device.
Policy Safe List
Add files that you consider to be safe to the policy safe list to allow them to run.  The policy safe list takes precedence over the global safe list or global quarantine list. For example, a file that is added to the policy safe list is allowed to run on a device that is assigned the policy, even if that file is in the global quarantine list which blocks files from running on all devices.