Memory actions

The following settings can be found in the Memory Actions tab in a device policy. You can enable Memory Protection and specify how the CylancePROTECT Desktop agent handles memory exploits, including process injections and escalations. You can also add executable files to an exclusion list, allowing these files to run when this policy is applied.
Option
Description
Memory Protection
This setting specifies whether to enable memory protection settings in this policy. When enabled, the agent detects various types of process calls that may be a threat and handles each type according to the setting that you choose.
  • Ignore: The agent does not take any action.
  • Alert: The agent logs the violation and reports the incident to the management console.
  • Block: The agent logs the violation, reports the incident to the management console, and blocks the process call. The application that made the call is allowed to continue to run.
  • Terminate: The agent logs the violation, reports the incident to the management console, blocks the process call, and terminates the application that made the call.
Exclude Executable Files
This setting specifies the relative path of the files that you want to ignore. When files are added to this exclusion list, you allow them to run or be installed on devices that are assigned this policy.
You specify the relative path of the file and the violation types that you want to ignore. On Windows devices, you can also specify the absolute file path. Use shortened relative paths with caution because they may exclude other executables that have the same relative path.
After applying the exclusion, all instances of that process must be terminated to stop the driver from injecting into it.
Windows examples
  • Relative path: \Application\Subfolder\application.exe
  • Absolute path: C:\Application\Subfolder\application.exe
Linux examples
  • Relative path: /opt/application/executable
  • Relative path for Dynamic Library files: /executable.dylib
macOS examples
  • Relative path without spaces: /Applications/SampleApplication.app/Contents/MacOS/executable
  • Relative path with spaces: /Applications/Sample Application.app/Contents/MacOS/executable
  • Relative path for Dynamic Library Files: /executable.dylib
You can also use wildcards for memory protection exclusions. For more information, see Wildcards in memory protection exclusions.
If you save an exclusion without adding at least one violation type to ignore, the exclusion is applied to both memory protection and script control events. Adding at least one violation type to ignore means the exclusion is applied to memory protection only.
Ignore Specific Violation Types
When you add an exclusion, select this checkbox to ignore a file violation based on any or all of the following:
  • Violation type categories (for example, Exploitation, Process Injection, Escalation)
  • Individual violation types under each category (for example, Stack Pivot, Remote Allocation of Memory, Zero Allocate, and so on)
When adding exclusions to a memory protection policy, if you want the policy to apply to memory protection violations only and not script control violations, specify at least one violation type that you want to ignore. If you do not select any violation types to ignore, a warning message appears and the exclusion will apply to both memory protection and script control policies.
For existing memory protection policies:
  • If the Ignore Specific Violation Types exclusion setting is already checked but the script control policy is not enabled, no action is required.
  • If the Ignore Specific Violation Types exclusion setting is unchecked and you want to ensure the policy is applied to memory protection violations only (and not script control), you must check it and specify at least one violation type that you want to ignore.
If you edit an existing policy and add an exclusion, the “Ignore specific violation types” checkbox is not displayed until you modify the violation type (for example, move it from block to terminate or alert).
For each file that has specific violation types that are ignored, you can view detailed information, edit, or delete the settings.
Treat as DLL exclusion
Select this setting when you want to add exclusions for third-party DLLs. For example, if you are running third-party security products in addition to CylancePROTECT Desktop for Windows, you can add an exclusion for the appropriate .dll files so that CylancePROTECT ignores specific violations for those products. This feature supports the Malicious Payload and System DLL Overwrite violation types only.
The following rules apply when you specify a DLL exclusion:
  • You must select the Treat as DLL exclusion option in the device policy.
  • The device must be running CylancePROTECT Desktop agent version 3.1.1001 or later on a Windows device.
  • The file path that you specify must be the full, direct path to the .dll file. Wildcards are not allowed.
  • The .dll file must be signed using a certificate that is trusted on the device where CylancePROTECT Desktop is installed. Otherwise, it will not be excluded.
For more information about supporting DLL exclusions, visit support.blackberry.com to read KB 108909.
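
The exclusion rules above can be checked before a policy is saved. The following is an added example, not BlackBerry code: it reviews a list of exclusion entries for the risks this page describes (no violation type selected, shortened relative paths, DLL exclusion rules). The dictionary layout, the `MIN_DEPTH` threshold, and the use of `*` as the wildcard character are assumptions made for illustration.

```python
import re

# Violation types the page lists as supported for DLL exclusions.
DLL_TYPES = {"Malicious Payload", "System DLL Overwrite"}
WIN_ABSOLUTE = re.compile(r"^[A-Za-z]:\\")
MIN_DEPTH = 3  # assumed heuristic: fewer path components counts as "shortened"

def audit_exclusion(entry):
    """Return findings for one exclusion entry (hypothetical dict layout)."""
    path = entry["path"]
    types = set(entry.get("violation_types", []))
    absolute = bool(WIN_ABSOLUTE.match(path))
    findings = []
    if not types:
        findings.append("no violation type selected: also applies to script control")
    if entry.get("dll"):
        if entry["os"] != "windows":
            findings.append("DLL exclusions are supported on Windows only")
        if not absolute:
            findings.append("DLL exclusion needs the full, direct path")
        if "*" in path:  # assumes '*' is the wildcard character
            findings.append("wildcards are not allowed in DLL exclusions")
        if types - DLL_TYPES:
            findings.append("unsupported for DLL exclusion: "
                            + ", ".join(sorted(types - DLL_TYPES)))
    elif not absolute:
        depth = len([part for part in re.split(r"[\\/]", path) if part])
        if depth < MIN_DEPTH:
            findings.append("short relative path may match other executables")
    return findings

# Constructed sample entries, not exported from a real console.
SAMPLE = [
    {"os": "windows", "path": r"C:\Application\Subfolder\application.exe",
     "violation_types": ["Stack Pivot"]},
    {"os": "windows", "path": r"\application.exe", "violation_types": []},
    {"os": "windows", "path": r"\Vendor\*\hook.dll", "dll": True,
     "violation_types": ["Malicious Payload", "Stack Pivot"]},
]

def audit_policy(entries):
    """Map each path with at least one finding to its list of findings."""
    report = {e["path"]: audit_exclusion(e) for e in entries}
    return {path: found for path, found in report.items() if found}

if __name__ == "__main__":
    for path, found in audit_policy(SAMPLE).items():
        print(path, *found, sep="\n  - ")
```

The certificate trust requirement for excluded DLLs cannot be checked from the entry alone and has to be verified on the device.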