Protection settings

CylancePROTECT Desktop always watches for the execution of malicious processes and alerts the console when anything unsafe or abnormal attempts to run. You can configure the CylancePROTECT Desktop agent using the following settings, which can be found in the Protection Settings tab in a device policy.
Prevent Service Shutdown from Device
If selected, device users cannot stop the service for the CylancePROTECT Desktop agent or for the following versions of the CylanceOPTICS agent:
  • CylanceOPTICS agent for Windows 3.1 or later with CylancePROTECT Desktop 3.0 or later
CylancePROTECT Desktop agent version 3.1 and later runs as a trusted service using Antimalware Protected Process Light (AM-PPL) technology from Microsoft, which also helps prevent the agent from being shut down. This feature requires the device to be running Windows 10 1709 or later or Windows Server 2019 or later.
Kill Unsafe Running Processes and Their Sub Processes
If this setting is selected, the agent terminates processes and child processes (.exe or .dll), regardless of their state when a threat is detected. This offers a high level of control over malicious processes that might be running on a device.
The file must be auto-quarantined, manually quarantined, or quarantined using the global quarantine list. This feature must be enabled before the file is quarantined. If this feature is enabled but the file is not quarantined or auto-quarantined, the processes will continue to run.
Example: A file is allowed to run, and then you decide to quarantine it. When this setting is enabled, the file is quarantined and the process is terminated, along with any child processes. If this setting is disabled, the file is quarantined, but because the file was allowed to run, any processes started by the file could continue to run.
Background Threat Detection
A full disk scan is performed to detect and analyze any dormant threats on the disk. The full disk scan is designed to minimize impact to the end-user by using a low amount of system resources. The background threat detection scan can take up to one week, depending on how busy the system is and the number of files on the system that require analysis. The date and time that the most recent background scan completed is logged in the console.
You can choose to run the scan once to scan upon installation only, or set it to scan at a recurring interval that you specify. The default scan interval is 10 days. A significant upgrade to the detection model, like adding new operating systems, might also trigger a full disk scan. Note that increasing the frequency of the scans might impact the device performance.
It is recommended that you set Background Threat Detection to Run Once and enable Watch for New Files, which watches for new and updated files on the disk. If you are watching for new and updated files, you only need to scan all existing files once. Due to the predictive nature of the technology, periodic scans of the entire disk are not necessary, but they can be implemented for compliance purposes (for example, PCI compliance).
If background threat detection scans are running at the same time on several VM devices that are on the same VM host, device performance will be impacted. Consider incrementally enabling this feature for VM devices to limit the number of scans occurring at the same time.
To manually run the scan, use one of the following commands:
  • On Windows devices: C:\Program Files\Cylance\Desktop\CylanceSvc.exe /backgroundscan
  • On macOS devices: /Applications/Cylance/CylanceUI.app/Contents/MacOS/CylanceUI -background-scan
  • On Linux devices: /opt/cylance/desktop/Cylance -b /opt/cylance/desktop/Cylance --start-bg-scan
Watch for New Files
This setting enables the agent to scan and analyze any new or modified files for dormant threats. If a threat is detected, the file is quarantined even though there wasn't an attempt to execute it. It is recommended that you enable this setting together with background threat detection (run once).
Auto Quarantine (execution control) mode blocks unsafe or abnormal files at execution. Therefore, it is not necessary to enable Watch for New Files when Auto Quarantine mode is also enabled, unless you prefer to quarantine a malicious file as soon as the agent detects the threat during a scan.
This setting might impact performance. Consider monitoring disk or message processing performance to see if it has changed. Excluding specific folders might improve performance and ensure that certain folders and files do not get scanned or analyzed by the agent.
Set Maximum Archive File Size to Scan
Specify the maximum archive file size that you want the agent to scan. This setting applies to the Background Threat Detection and Watch for New Files settings. If you do not want to scan archive files, set the file size to 0 MB.
Exclude Specific Folders
This setting allows you to specify folders and subfolders that you want to exclude from being scanned by the Background Threat Detection and Watch for New Files features.
For Windows, use an absolute path with a drive letter. For example, C:\Test.
For macOS, use an absolute path from the root without a drive letter. For example, /Applications/SampleApplication.app.
For Linux, use an absolute path from the root without a drive letter. For example, /opt/application.
Example for Windows: C:\Test
Example for macOS (without spaces): /Applications/SampleApplication.app
Example for macOS (with spaces): /Applications/Sample\ Application.app
Example for Linux: /opt/application/
The * wildcard is also supported for folder exclusions. See Wildcards in protection settings folder exclusions for more information.
Exclusions are not applied retroactively. After the initial installation of the agent, the Background Threat Detection and Watch for New Files features ignore files according to the exclusion list that they received. Adding an exclusion after the initial detection or conviction will not retroactively exclude the already detected or convicted files. Any files that were previously detected or convicted will remain in this state until locally waived or added to the Global Safe List.
For example, if Watch for New Files convicts a file named C:\Windows\ccmcache\test.exe and an exclusion is added later to the Protection Settings tab for C:\Windows\ccmcache\, the convicted file will remain convicted even though the folder was added as an exclusion. In this case, it will remain convicted until you waive the file locally or add it to the Global Safe List.
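As an added illustration (not Cylance's code), the following Python encodes the path rules this section states for folder exclusions on each OS and checks whether a file path falls under an exclusion, including the C:\Windows\ccmcache\ case above. The wildcard matching and the rejection of an unescaped space on macOS are assumptions, since the real wildcard rules are on the separate wildcards page.

```python
import fnmatch
import re

# Added example (not Cylance code). Encodes the path rules this page gives for
# Exclude Specific Folders and checks whether a file path falls under an
# exclusion. Wildcard semantics are an assumption: '*' matches within one
# path segment only; the product's real rules are on the wildcards page.

WINDOWS_ABS = re.compile(r"^[A-Za-z]:\\")


def validate_exclusion(os_name: str, exclusion: str) -> bool:
    """True if the exclusion has the absolute-path form required for os_name."""
    if os_name == "windows":
        # Windows: absolute path with a drive letter, e.g. C:\Test
        return bool(WINDOWS_ABS.match(exclusion))
    if os_name in ("macos", "linux"):
        # macOS/Linux: absolute path from the root, no drive letter
        if not exclusion.startswith("/"):
            return False
        # The macOS example on the page writes a space as "\ ", so a bare
        # space is rejected here (assumption: unescaped spaces are not accepted)
        if os_name == "macos" and re.search(r"(?<!\\) ", exclusion):
            return False
        return True
    raise ValueError(f"unsupported OS: {os_name}")


def _segments(os_name: str, path: str) -> list:
    """Split a path into segments; Windows paths compare case-insensitively."""
    if os_name == "windows":
        return [s.lower() for s in path.split("\\") if s]
    return [s for s in path.replace("\\ ", " ").split("/") if s]


def excluded(os_name: str, exclusion: str, file_path: str) -> bool:
    """True if file_path lies inside the excluded folder or one of its subfolders.

    Per the page, this applies to future scans only: a file convicted before
    the exclusion was added stays convicted until waived or safelisted.
    """
    ex = _segments(os_name, exclusion)
    fp = _segments(os_name, file_path)
    if len(fp) <= len(ex):
        return False  # the folder itself or a path above it is not a file inside it
    return all(fnmatch.fnmatchcase(f, e) for e, f in zip(ex, fp))
```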
Allow Execution
Files that are executed from any folder are subject to Execution Control / Auto-Quarantine, even if they are specified in Exclude Specific Folders. You can enable the Allow Execution setting to allow files to be executed from folders specified in the Exclude Specific Folders list. This setting applies to all of the folders in the list, not just the first or last item entered.
Files and threats that are dropped into these folders will be allowed to execute and could compromise your device and organization. Take precautions to ensure that rogue files cannot be added to excluded folders.
Copy File Samples (Malware)
Specify a shared network drive to store copies of file samples found through background threat detection, watch for new files, and execution control. This allows you to do your own analysis of files that CylancePROTECT Desktop considers unsafe or abnormal.
  • CIFS/SMB network shares are supported.
  • Specify one network share location. You should use a fully qualified path. Example: \\server_name\shared_folder.
  • All files meeting the criteria are copied to the network share, even if they are duplicates. No uniqueness test is performed.
  • Files are compressed.
  • Files are password protected. The password is "infected".