Cylance Endpoint Security requirements
Logging in to the management console
- Custom authentication
- Enhanced authentication sign in
  - Sign in to the Cylance Endpoint Security management console using enhanced authentication
  - Generate a new SSO callback URL
Installing the BlackBerry Connectivity Node
Linking to your company directory
Setting up administrators
Adding users and devices
Enrolling CylancePROTECT Mobile and CylanceGATEWAY users
- Create an enrollment policy
- Supported enrollment email variables
Setting up zones to manage CylancePROTECT Desktop and CylanceOPTICS
- Add and configure a zone
Setting up CylancePROTECT Desktop
Setting up CylancePROTECT Mobile
Setting up CylanceOPTICS
- Install the CylanceOPTICS agent on devices
  - Configuration requirements for macOS 11.x and later
  - OS commands for the CylanceOPTICS agent
- Enable and configure CylanceOPTICS
Setting up CylanceGATEWAY
Setting up CylanceAVERT
Managing updates for the CylancePROTECT Desktop and CylanceOPTICS agents
- Manage updates for the CylancePROTECT Desktop and CylanceOPTICS agents
Connecting Cylance Endpoint Security to external services
- Integrating Cylance Endpoint Security with Okta
  - Prerequisites for adding an Okta connector
  - Add and configure an Okta connector
- Integrating Cylance Endpoint Security with Mimecast
  - Prerequisites for adding a Mimecast connector
  - Add and configure a Mimecast connector
Appendix: Best practices for deploying CylancePROTECT Desktop on Windows virtual machines

Examples of script control exclusions

Adding exclusions for dynamic scripts that are run from a specific directory location or for a script that is run from multiple different user folders is possible by using wildcards in script control exclusions. As an example, you can use the token “*” in the exception path to ensure it covers your variants.

The following table includes some example exclusions with matches that would be successfully excluded, and non-matches that won't be excluded.

Exclusion example	Matches	Non-matches
/users//temp/	\users\john\temp \users\jane\temp	\users\folder\john\temp \users\folder\jane\temp These folders won't be excluded because the number of folder levels don't match.
/program files/app/script.vbs	\program files(x86)\app\script1.vbs \program files(x64)\app\script2.vbs \program files(x64)\app\script3.vbs	\program files(x86)\app\script.vbs \program files\app\script1.vbs These folders won't be excluded because wildcards represent one or more characters.
//example.local/sysvol/script.vbs	\\ad.example.local\sysvol\script1.vbs	\\ad.example.local\sysvol\script.vbs This script won't be excluded because wildcards represent one or more characters.
/users///*.vbs	/users/john/temp/script.vbs /users/john/temp/anotherscript.vbs	/users/john/temp1/temp2/script.vbs This script won't be excluded because the number of folder levels don't match.

Process Exclusion

You can add processes to the list of script control exclusions. This feature can be useful if you want to exclude specific processes that may be calling scripts. For example, you can exclude SCCM to allow it to launch PowerShell scripts in a temporary directory. A process is any process that calls a script interpreter to run a script.

The following example allows the myfile.exe process to call an interpreter (such as PowerShell.exe) to run a script.

/windows/*/myfile.exe

The following examples add myprocess.exe to the exclusion list so that it is allowed to run regardless of its folder path:

\myprocess.exe

(on a local Windows drive)

\\myprocess.exe

(on a network Windows drive)

The following example adds myprocess.exe to the exclusion list so that it is only allowed to run from a specific folder path:

\directory\child\myprocess.exe

(on a local Windows drive)

\\directory\child\myprocess.exe

(on a network Windows drive)

Absolute paths are not supported for exclusions.

Ancestors are not supported.

When an executable file (exe) is added to an exclusion, /[CySc_process]/ is automatically added to the exclusion. If you added the above example exclusion, the result would be: /[CySc_process]/ /windows/*/myfile.exe.

Alternative options for exclusions for script control

You can use the global safelist or add a certificate as an alternative method to excluding scripts.

Add a file to the CylancePROTECT Desktop global quarantine or global safe list

This method requires a SHA256 hash value and assumes that this value won't change. Updates to the script or changes made by the script by design causes the hash value to change. Therefore, this method requires more administrative work to maintain if the script or macro is frequently updated or changes programmatically (for example, appends a new date or time, or makes system requests, pulls data). Each time the

CylancePROTECT Desktop

agent reports a script to the management console, it must report a SHA256 hash value. Each time the hash value changes, the agent reports the new value and you need to add the new value to the global safe list. If a hash value cannot be generated (for example, if the script doesn't execute properly, the file doesn't exist, or there are permission issues), then a generic hash is used when the script is reported to the console.

The following SHA256 hash value is a generic hash that the

CylancePROTECT Desktop

agent uses when a hash cannot be generated for a script. If you try to add this value to the global safe list, an error message displays due to the agent functionality.

FE9B64DEFD8BF214C7490AA7F35B495A79A95E81F8943EE279DC99998D3D3440

The following SHA256 hash value is a generic hash that the

CylancePROTECT Desktop

agent uses when a PowerShell one-liner is used and a hash cannot be generated for a script. If you try to add this value to the global safe list, an error message displays due to the agent functionality.

FE9B64DEFD8BF214C7490BB7F35B495A79A95E81F8943EE279DC99998D3D3440

Add a certificate to the CylancePROTECT Desktop global safe list

This method requires you to submit a valid code signing certificate to the console and is only available for PowerShell and Active scripts (not macros).

Section:

Script control