CylancePROTECT Desktop always watches for the execution of malicious processes and alerts the console when anything unsafe or abnormal attempts to run. You can configure the CylancePROTECT Desktop agent using the following settings, which can be found in the Protection Settings tab in a device policy.
Prevent Service Shutdown from Device
If selected, device users cannot stop the service for the CylancePROTECT Desktop agent or for the following versions of the
CylancePROTECT Desktop agent version 3.1 and later runs as a trusted service using Antimalware Protected Process Light (AM-PPL) technology from Microsoft, which also helps prevent the agent from being shut down. This feature requires the device to be running Windows 10 1709 or later or Windows Server 2019 or later.
Kill Unsafe Running Processes and Their Sub Processes
If this setting is selected, the agent terminates processes and child processes (.exe or .dll), regardless of their state when a threat is detected. This offers a high level of control over malicious processes that might be running on a device.
The file must be auto-quarantined, manually quarantined, or quarantined using the global quarantine list. This feature must be enabled before the file is quarantined. If this feature is enabled but the file is not quarantined or auto-quarantined, the processes will continue to run.
Example: A file is allowed to run, then you decide to quarantine the file. When this setting is enabled, the file is quarantined and the process is terminated, along with any child processes. If this setting is disabled, the file would be quarantined, but because the file was allowed to run, any processes started by the file could continue to run.
Background Threat Detection
A full disk scan is performed to detect and analyze any dormant threats on the disk. The full disk scan is designed to minimize impact to the end-user by using a low amount of system resources. The background threat detection scan can take up to one week, depending on how busy the system is and the number of files on the system that require analysis. The date and time that the most recent background scan completed is logged in the console.
You can choose to run the scan once to scan upon installation only, or set it to scan at a recurring interval that you specify. The default scan interval is 10 days. A significant upgrade to the detection model, like adding new operating systems, might also trigger a full disk scan. Note that increasing the frequency of the scans might impact the device performance.
It is recommended that you set the Background Threat Detection setting to Run Once and enable Watch for New Files, which watches for new and updated files on the disk. If you are watching for new and updated files, you only need to scan all existing files once. Due to the predictive nature of the technology, periodic scans of the entire disk are not necessary but can be implemented for compliance purposes (for example, PCI compliance).
If background threat detection scans are running on several VM devices from the same VM host at the same time, device performance will be impacted. Consider incrementally enabling this feature for VM devices to limit the number of scans occurring at the same time.
To manually run the scan, use one of the following commands:
Watch for New Files
This setting enables the agent to scan and analyze any new or modified files for dormant threats. If a threat is detected, the file is quarantined even though there wasn't an attempt to execute it. It is recommended that you enable this setting together with background threat detection (run once).
Auto Quarantine (execution control) mode blocks unsafe or abnormal files at execution. Therefore, it is not necessary to enable Watch for New Files when Auto Quarantine mode is also enabled, unless you prefer to quarantine a malicious file as soon as the agent detects the threat during a scan.
This setting might impact performance. Consider monitoring disk or message processing performance to see if it has changed. Excluding specific folders might improve performance and ensure that certain folders and files do not get scanned or analyzed by the agent.
Set Maximum Archive File Size to Scan
Specify the maximum archive file size that you want the agent to scan. This setting applies to the Background Threat Detection and Watch for New Files settings. If you do not want to scan archive files, set the file size to 0 MB.
Exclude Specific Folders
This setting allows you to specify folders and subfolders that you want to exclude from being scanned through the Background Threat Detection and Watch for New Files features.
Windows, use an absolute path with a drive letter. For example,
macOS, use an absolute path from the root without a drive letter. For example,
Linux, use an absolute path from the root without a drive letter. For example,
Example for Windows:
Example for macOS (without spaces):
Example for macOS (with spaces):
Example for Linux:
The * wildcard is also supported for folder exclusions. See Wildcards in protection settings folder exclusions for more information.
Exclusions are not applied retroactively. After the initial installation of the agent, the Background Threat Detection and Watch for New Files feature ignores files according to the exclusion list that it received. Adding an exclusion after the initial detection or conviction will not retroactively exclude the already detected or convicted files. Any files that were previously detected or convicted will remain in this state until locally waived or added to the Global Safe list.
For example, if Watch for New Files convicts a file named C:\Windows\ccmcache\test.exe and an exclusion is added later to the Protection Settings tab for C:\Windows\ccmcache\, the convicted file will remain convicted even though the folder was added as an exclusion. In this case, it will remain convicted until you waive the file locally or add it to the Global Safe List.
Files that are executed from any folder are subject to Execution Control / Auto-Quarantine, even if they are specified in Exclude Specific Folders. You can enable the Allow Execution setting to allow files to be executed from folders specified in the Exclude Specific Folders list. This setting applies to all of the folders in the list, not just the first or last item entered.
Files and threats that are dropped into these folders will be allowed to execute and could compromise your device and organization. Take precautions to ensure that rogue files cannot be added to excluded folders.
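The interaction of Exclude Specific Folders, Allow Execution, Auto Quarantine and Set Maximum Archive File Size described above, modelled in Python as an added example. This is not BlackBerry or Cylance code and does not reflect the agent's internals; the path format rules (Windows needs a drive-letter absolute path, macOS and Linux need an absolute path from the root) and the non-retroactive behaviour of exclusions follow the page, while the wildcard semantics (a "*" entry matching exactly one path component), the function and class names, the 150 MB default and all sample paths except C:\Windows\ccmcache\test.exe are assumptions for illustration.

```python
import ntpath
import posixpath
import re
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Drive-letter absolute path such as C:\ or D:/ (Windows exclusion syntax)
WINDOWS_ABS = re.compile(r"^[A-Za-z]:[\\/]")


@dataclass
class ProtectionSettings:
    """Subset of the Protection Settings tab modelled here (names are assumed)."""
    platform: str                                  # "windows", "macos" or "linux"
    excluded_folders: list = field(default_factory=list)
    allow_execution: bool = False                  # Allow Execution from excluded folders
    auto_quarantine: bool = True                   # execution control blocks at run time
    max_archive_mb: int = 150                      # constructed default; 0 skips archives


def is_valid_exclusion(folder: str, platform: str) -> bool:
    """Windows: absolute path with drive letter. macOS/Linux: absolute from '/'."""
    if platform == "windows":
        return bool(WINDOWS_ABS.match(folder))
    return folder.startswith("/") and not WINDOWS_ABS.match(folder)


def _components(path: str, platform: str) -> list:
    """Normalize a path into components; Windows paths are case-folded."""
    if platform == "windows":
        norm = ntpath.normpath(path).lower().replace("\\", "/")
    else:
        norm = posixpath.normpath(path)
    return [c for c in norm.split("/") if c]


def in_excluded_folder(file_path: str, s: ProtectionSettings) -> bool:
    """True if the file lives in an excluded folder or any of its subfolders.
    Assumption: '*' in an exclusion matches exactly one path component."""
    parents = _components(file_path, s.platform)[:-1]      # drop the file name
    for folder in s.excluded_folders:
        if not is_valid_exclusion(folder, s.platform):
            continue                                        # malformed entry: ignored
        pattern = _components(folder, s.platform)
        if len(pattern) <= len(parents) and all(
            fnmatchcase(part, pat) for part, pat in zip(parents, pattern)
        ):
            return True
    return False


def should_scan(file_path: str, size_mb: float, is_archive: bool,
                s: ProtectionSettings) -> bool:
    """Eligibility for Background Threat Detection / Watch for New Files."""
    if in_excluded_folder(file_path, s):
        return False
    if is_archive and (s.max_archive_mb == 0 or size_mb > s.max_archive_mb):
        return False
    return True


def execution_allowed(file_path: str, verdict: str, s: ProtectionSettings) -> bool:
    """Execution control. Exclusions do not bypass it unless Allow Execution is
    on, in which case anything dropped into an excluded folder is allowed to run."""
    if verdict == "safe":
        return True
    if s.allow_execution and in_excluded_folder(file_path, s):
        return True
    return not s.auto_quarantine        # blocked only while Auto Quarantine is on


class Agent:
    """Minimal conviction tracker showing that exclusions are not retroactive."""

    def __init__(self, settings: ProtectionSettings):
        self.settings = settings
        self.convicted = set()

    def observe_new_file(self, path, size_mb, is_archive, verdict):
        if should_scan(path, size_mb, is_archive, self.settings) and verdict != "safe":
            self.convicted.add(path)

    def add_exclusion(self, folder):
        self.settings.excluded_folders.append(folder)      # existing convictions stay

    def waive(self, path):
        self.convicted.discard(path)                       # local waiver / Global Safe List


if __name__ == "__main__":
    agent = Agent(ProtectionSettings(platform="windows"))
    agent.observe_new_file(r"C:\Windows\ccmcache\test.exe", 1, False, "unsafe")
    agent.add_exclusion(r"C:\Windows\ccmcache\\")
    print("still convicted after exclusion:", agent.convicted)
```

The `Agent` walk-through mirrors the ccmcache scenario on the page: the file convicted before the exclusion was added stays convicted until `waive` is called. The `execution_allowed` branch makes the risk in the last paragraph explicit, since with Allow Execution on, an unsafe verdict no longer blocks anything inside the excluded folders.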
Copy File Samples (Malware)
Specify a shared network drive to store copies of file samples found through background threat detection, watch for new files, and execution control. This allows you to do your own analysis of files that CylancePROTECT Desktop considers unsafe or abnormal.