Memory actions
The following settings can be found in the Memory Actions tab in a device policy. You can enable Memory Protection and specify how the CylancePROTECT Desktop agent handles memory exploits, including process injections and escalations. You can also add executable files to an exclusion list, allowing these files to run when this policy is applied.

Option | Description |
---|---|
Memory Protection | This setting specifies whether to enable memory protection settings in this policy. When enabled, the agent detects various types of process calls that may be a threat and handles each type according to the setting that you choose. |
Exclude Executable Files | This setting specifies the relative path of the files that you want to ignore. When files are added to this exclusion list, you allow them to run or be installed on devices that are assigned this policy. You specify the relative path of the file and the violation types that you want to ignore. On Windows devices, you can also specify the absolute file path. Use shortened relative paths with caution because they may exclude other executables that have the same relative path. After applying the exclusion, all instances of that process must be terminated to stop the driver from injecting into it. You can also use wildcards for memory protection exclusions. For more information, see Wildcards in memory protection exclusions. If you save an exclusion without adding at least one violation type to ignore, the exclusion is applied to both memory protection and script control events. Adding at least one violation type to ignore means the exclusion is applied to memory protection only. |
Ignore Specific Violation Types | When you add an exclusion, select this checkbox to ignore a file violation based on any or all of the following: When adding exclusions to a memory protection policy, if you want the policy to apply to memory protection violations only and not script control violations, specify at least one violation type that you want to ignore. If you do not select any violation types to ignore, a warning message appears and the exclusion will apply to both memory protection and script control policies. For existing memory protection policies: If you edit an existing policy and add an exclusion, the “Ignore specific violation types” checkbox is not displayed until you modify the violation type (for example, move it from block to terminate or alert). For each file that has specific violation types that are ignored, you can view detailed information, edit, or delete the settings. |
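
The following review script is an added example, not part of the product or its documentation. It checks an exclusion list for the two pitfalls described in the table: exclusions saved with no violation type (which then also apply to script control events) and shortened relative paths that may match other executables. The entry format, the violation-type labels, the component threshold, and the use of `*` as the wildcard character are assumptions made for illustration.

```python
import re

# Constructed sample exclusions in a hypothetical review format
# (not the console's export schema). Violation labels are placeholders.
SAMPLE_EXCLUSIONS = [
    {"path": r"\Application\Subfolder\application.exe", "ignore": ["process_injection"]},
    {"path": r"\tool.exe", "ignore": ["escalation"]},
    {"path": "/opt/vendor/agent/bin/helper", "ignore": []},
    {"path": r"C:\Program Files\Vendor\App\app.exe", "ignore": ["process_injection"]},
    {"path": r"\Temp\*\update.exe", "ignore": []},
]

MIN_COMPONENTS = 3  # assumed threshold below which a relative path counts as "shortened"


def is_absolute_windows(path):
    """True for a drive-letter path such as C:\\dir\\file.exe."""
    return re.match(r"^[A-Za-z]:\\", path) is not None


def audit_exclusion(entry, min_components=MIN_COMPONENTS):
    """Return a list of review findings for one exclusion entry."""
    findings = []
    path = entry["path"]
    parts = [p for p in re.split(r"[\\/]+", path) if p]
    # No violation type selected: the exclusion is not limited to memory protection.
    if not entry.get("ignore"):
        findings.append("no-violation-types: also applies to script control events")
    # Few path components: other executables may share the same relative path.
    if not is_absolute_windows(path) and len(parts) < min_components:
        findings.append("short-relative-path: may match other executables")
    # "*" treated as the wildcard character (assumption; syntax is not on this page).
    if "*" in path:
        findings.append("wildcard: confirm the pattern matches only the intended files")
    return findings


def audit_policy(exclusions):
    """Map each flagged path to its findings; entries with no findings are omitted."""
    report = {}
    for entry in exclusions:
        findings = audit_exclusion(entry)
        if findings:
            report[entry["path"]] = findings
    return report


if __name__ == "__main__":
    for path, findings in audit_policy(SAMPLE_EXCLUSIONS).items():
        print(path, *("\n  - " + f for f in findings))
```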