Protection settings Skip Navigation

Protection settings

CylancePROTECT Desktop
always watches for the execution of malicious processes and alerts the console when anything unsafe or abnormal attempts to run. Use the protection settings to configure the
CylancePROTECT Desktop
agent.
Option
Description
Prevent Service Shutdown from Device
If this setting is selected, device users cannot stop the service for the
CylancePROTECT Desktop
agent or the service for the
CylanceOPTICS
agent for
Windows
version 3.1 or later, either manually or by another process. If you want to use this feature for the
CylanceOPTICS
agent for
Windows
,
CylancePROTECT Desktop
agent version 3.0 or later is required.
Kill Unsafe Running Processes and Their Sub Processes
If this setting is selected, the agent terminates processes and child processes, regardless of their state when a threat is detected (.exe or .dll). This offers a high level of control over malicious processes that might be running on a device.
The file must be auto-quarantined, manually quarantined, or quarantined using the global quarantine list. This feature must be enabled before the file is quarantined. If this feature is enabled but the file is not quarantined or auto-quarantined, the processes will continue to run.
Example:
A file is allowed to run, then you decide to quarantine the file. With this feature enabled, the file is quarantined and the process is terminated. If disabled, the file would be quarantined, but because the file was allowed to run, any processes started by the file could continue to run.
Background Threat Detection
A full disk scan is performed to detect and analyze any dormant threats on the disk. The full disk scan is designed to minimize impact to the end-user by using a low amount of system resources. The background threat detection scan can take up to one week, depending on how busy the system is and the number of files on the system that require analysis.
You can choose to run the scan once to scan upon installation only, or set it to scan recurringly at an interval that you specify. The default scan interval is 10 days. A significant upgrade to the detection model, like adding new operating systems, may also trigger a full disk scan. Note that increasing the frequency of the scans may impact the device performance.
It is recommended that you enable the
Background Threat Detection
setting to
Run Once
and enable
Watch for New Files
which watches for new and updated files on the disk. If you are watching for new and updated files, you need to check scan all existing files once only. Due to the predictive nature of the technology, periodic scans of the entire disk are not necessary but can be implemented for compliance purposes (for example, PCI compliance).
To manually run the scan, use one of the following commands:
  • On
    Windows
    devices:
    C:\Program Files\Cylance\Desktop\CylanceSvc.exe /backgroundscan
  • On
    macOS
    devices:
    /Applications/Cylance/CylanceUI.app/Contents/MacOS/CylanceUI -background-scan
  • On
    Linux
    devices:
    /opt/cylance/desktop/Cylance -b /opt/cylance/desktop/Cylance --start-bg-scan
Watch for New Files
This setting enables the agent to scan and analyze any new or modified files for dormant threats. If a threat is detected, the file is quarantined even though there wasn't an attempt to execute it. It is recommended that you enable this setting together with background threat detection (run once).
Auto Quarantine (execution control) mode blocks unsafe or abnormal files at execution. Therefore, it is not necessary to enable Watch for New Files when Auto Quarantine mode is also enabled, unless you prefer to quarantine a malicious file as soon as the agent detects the threat during a scan.
This setting might impact performance. Consider monitoring disk or message processing performance to see if it has changed. Excluding specific folders might improve performance and ensure that certain folders and files do not get scanned or analyzed by the agent.
Set Maximum Archive File Size to Scan
Set the maximum archive file size that you want to agent to scan. This setting applies to
Background Threat Detection
and
Watch for New Files
settings. If you do not want to scan archive files, set the file size to 0 MB.
Exclude Specific Folders
This setting allows you to specify folders and subfolders that you want to exclude from being scanned through the
Background Threat Detection
and
Watch for New Files
features.
For
Windows
, use an absolute path with a drive letter. For example,
C:\Test
.
For
macOS
, use an absolute path from the root without a drive letter. For example,
/Applications/SampleApplication.app
.
For
Linux
, use an absolute path from the root without a drive letter. For example,
/opt/application
.
Exclude specific folders, including subfolders, from background threat detection and/or watch for new files (when these features are enabled) by specifying the path of the folder location. For Windows, use an absolute path (including the drive letter). For
macOS
or
Linux
, use an absolute path from the drive root (
macOS
and
Linux
don't use a drive letter) and remember to escape any spaces in the path.
Example —
Windows: C:\Test
Example —
macOS, exclusion without spaces: /Applications/SampleApplication.app
Example —
macOS, exclusion with spaces: /Applications/ Sample\ Application.app
Example —
Linux: /opt/application/
The * wildcard is also supported for folder exclusions. See Use wildcards in protection settings folder exclusions for more information.
Exclusions are not applied retroactively. Any files that were previously detected or convicted will remain in this state until locally waived or added to the Global Safe list. Adding an exclusion after the initial detection or conviction will not retroactively exclude the already detected or convicted files.
For example, if Watch for New Files convicts a file named C:\Windows\ccmcache\test.exe and an exclusion is added to the Protection Settings tab for C:\Windows\ccmcache\, the convicted file will remain convicted despite the new folder exclusion until the file is locally waived or added to the Global Safe List.
This does not apply to devices with fresh installations of  the agent. If the device receives a policy with relevant Protection Settings exclusions after initial installation, all files in the exclusion locations will be ignored by background threat detection and watch for new files.
Allow Execution
Files that are executed from any folder, including an excluded folder, will be analyzed by Execution Control / Auto-Quarantine. To prevent this from occurring, you can enable Allow Execution. Allow Execution applies to all of the folders listed under Exclude Specific Folders, not just the first or last item entered.
Threats dropped into these folders will be allowed to execute and could compromise your device and organization. Precautions should be taken to ensure that rogue files cannot be added to excluded folders.
Copy File Samples (Malware)
Specify a shared network drive to store copies of file samples found through background threat detection, watch for new files, and execution control. This allows you to do your own analysis of files that
CylancePROTECT Desktop
considers unsafe or abnormal.
  • CIFS/SMB network shares are supported.
  • Specify one network share location. You should use a fully qualified path. Example:
    \\server_name\shared_folder
    .
  • All files meeting the criteria will be copied to the network share, even if they are duplicates. No uniqueness test is performed.
  • Files are compressed. This requires agent version 1390 or higher.
  • Files are password protected. This requires agent version 1390 or higher. The password is "infected".