Cylance Endpoint Security requirements
Logging in to the management console
- Custom authentication
- Enhanced authentication sign in
  - Sign in to the Cylance Endpoint Security management console using enhanced authentication
Installing the BlackBerry Connectivity Node
Linking to your company directory
Setting up administrators
Adding users and devices
Enrolling CylancePROTECT Mobile and CylanceGATEWAY users
- Create an enrollment policy
- Supported enrollment email variables
Setting up zones to manage CylancePROTECT Desktop and CylanceOPTICS
- Add and configure a zone
Setting up CylancePROTECT Desktop
Setting up CylancePROTECT Mobile
- Create a CylancePROTECT Mobile policy
Setting up CylanceOPTICS
- Install the CylanceOPTICS agent on devices
  - Configuration requirements for macOS 11.x and later
  - OS commands for the CylanceOPTICS agent
- Enable and configure CylanceOPTICS
  - CylanceOPTICS sensors
  - Data structures that CylanceOPTICS uses to identify threats
Setting up CylanceGATEWAY
Setting up CylanceAVERT
Integrating Cylance Endpoint Security with Microsoft Intune to respond to mobile threats
- Connect Cylance Endpoint Security to Intune
- Create a risk assessment policy
Managing updates for the CylancePROTECT Desktop and CylanceOPTICS agents
- Manage updates for the CylancePROTECT Desktop and CylanceOPTICS agents
Appendix: Best practices for deploying CylancePROTECT Desktop on Windows virtual machines

Script control

Script control protects

Windows

devices by blocking malicious scripts from running. The agent can detect the script and script path before the script is executed. You can set the policy to block scripts from running and only allow scripts that are added to the exclusion list to run.

Item	Description
Action	For each type of script, you can select one of the following actions: Alert : This action allows all scripts to run. Use this setting when you want to monitor and observe all scripts that are running in your environment. This setting is recommended for initial deployment while you determine which scripts you want to allow or block. Block : This action blocks all scripts from running. Only files that are added to the exclusion list are allowed to run. Use this setting after testing and monitoring for threats in alert mode. You can find script control alert and block events in the Protection > Script Control screen.
Active Script	This setting controls whether you want to allow Active Scripts to run, or block them from running. Active Scripts include VBScript and JScript. For agent version 1.2.1370 and earlier, there is one action setting for both Active Script and PowerShell. For agent 1.2.1380 and later, you need to set them individually.
PowerShell	This setting controls whether you want to allow scripts to run, or block them from running. For agent version 1.2.1370 and earlier, there is one action setting for both Active Script and PowerShell. For agent version 1.2.1380 and later, you need to set them individually.
Block PowerShell console usage	This setting controls whether you want to block the PowerShell console from launching for devices running agent version 1.2.1380 or later. Blocking the PowerShell console provides additional security by protecting against the use of PowerShell one-liners. This setting is available when the action for PowerShell scripts are set to Block . When the PowerShell control is set to alert mode, the agent does not send alerts for PowerShell console usage. If you use a script that launches the PowerShell console, and Block PowerShell console usage is enabled, the script fails. If possible, it is recommended that users change their scripts to invoke the PowerShell scripts, not the PowerShell console. You can do this using the -file switch. A basic command to run a PowerShell script without invoking the console would be: Powershell.exe -file [script name]
Macros (2.1.1578 and earlier)	This setting controls whether to alert or block Microsoft Office macros. Macros use Visual Basic for Applications (VBA) which allows embedding code inside a Microsoft Office document (typically Microsoft Word , Excel , and PowerPoint ). The main purpose for macros is to simplify routine actions, like manipulating data in a spreadsheet or formatting text in a document. However, malware creators can use macros to run commands and attack the system. It is assumed that a macro is performing a malicious action when it tries to manipulate the system. The agent looks for malicious actions originating from a macro that affects anything outside the Microsoft Office products. The script control macros feature works with agent version 1578 and earlier. For newer agents, use the Dangerous VBA Macros violation type in the memory protection policy. Any macro exclusions created for script control must be added to the memory protection exclusions for the Dangerous VBA Macros violation type. Starting with Microsoft Office 2013, macros are disabled by default. Most of the time, you do not need to enable macros to view the content of an Microsoft Office document. You should only enable macros for documents you receive from users you trust, and you have a good reason to enable it. Otherwise, macros should always be disabled.
Python	This setting controls whether to allow Python scripts (version 2.7 and 3.0 to 3.8), or block them from running. This setting is valid for agent 1580 or later.
.NET DLR	This setting controls whether to allow .NET DLR scripts to run, or block them from running. This setting is valid for agent 1580 or later.
XLM Macros (Preview)	The XLM Macros feature is currently available in Preview mode where it might behave unexpectedly. This setting controls whether CylancePROTECT Desktop allows Excel 4.0 (XLM) macros to run, or blocks them from running. When macros are enabled and executed, the Microsoft AMSI interface communicates with the agent to determine whether to allow the macro to run or to block it according to the device policy. This feature requires the following: Microsoft Windows 10 or later CylancePROTECT Desktop agent version 3.1 VBA macros must be disabled in the Excel File > Trust Center > Excel Trust Center > Macro Settings menu.
Disable Script Control	You can specify whether to disable script control for certain script types. When you disable script control, scripts are allowed to run and you do not receive alerts.
Exclude Files, Script or Processes	You can specify folders to allow any script in that folder (and sub-folders) to execute without generating an alert, even when script controls are set to block. You can also add exclusions for processes to allow scripts from certain applications to run properly that would otherwise be blocked. For example, if the IT department uses specific tools to run scripts all the time, you can add the process for that tool as an exclusion so that scripts can be run through that tool. You specify the relative path of the folder or sub-folder. The folder paths can be to a local drive, a mapped network drive, or a universal naming convention (UNC) path. Excluding folders and scripts Folder exclusions cannot contain the script or macro file name. These entries are not valid and the agent ignores them. If you want to exclude a specific script, you must use a wildcard. For more information about how to use wildcards to exclude specific scripts, see Wildcards in script control exclusions. If the “Everyone” group in your organization has write permissions to a folder, anyone inside or outside of the organization can drop a script in the folder and write to it. CylancePROTECT Desktop will continue to send alerts on scripts and block them. The write permissions apply not only to the direct parent folder, but also to all parent folders, all the way to the root. Excluding processes Process exclusions require agent version 2.1.1580 or later. The executable in the process exclusion may be quarantined by execution control and therefore blocked from running. If the executable is quarantined, you need to add it to the Policy Safe List in the File Actions tab. Process exclusions continue to allow scripts to run and does not restrict them from running from the specified folder.

Section:

Using device policies to manage CylancePROTECT Desktop devices

Wildcards in script control exclusions

Examples of script control exclusions