Create a CylancePROTECT Desktop test policy
You should implement CylancePROTECT Desktop policy features in a phased approach to ensure performance and operations are not impacted. By default, when you create a device policy, policy features are not enabled and you must manually enable them. As you understand the types of threats that are logged in your environment and how the CylancePROTECT Desktop agent behaves, you can gradually enable more policy features.
It is recommended that you test device policies on devices that include the applications that are used in your organization. It is important that the devices that you use to test device policies accurately represent the devices that are in your production environment, and not just a clean machine, to ensure that applications are allowed to run properly when policies are enforced through the CylancePROTECT Desktop agent. For example, you might select a subset of devices in your production environment that include all applications (proprietary and custom) that users need for their daily activities.
In this initial configuration, the agent uses execution control and process monitoring to analyze running processes only: files that run at startup, files that are set to auto-run, and files that the user executes manually. The agent only sends alerts to the management console; by default, no files are blocked or quarantined.
- In the management console, click Policies > Device Policy > Add new policy.
- In the Policy Name field, type a name for the test policy.
- Enable Auto Upload to analyze and send suspicious files to the CylancePROTECT cloud services for further analysis.
- In the File Actions tab, in the Auto Upload section, select all the file types that are available.
- Click Create to create the initial test policy.
- Assign the initial test policy to the CylancePROTECT Desktop endpoints that you are using for testing.
- Allow the devices that are assigned to the test policy to run for at least one day so that the applications and processes typically used on the device run and are analyzed. Consider any required applications that run periodically (for example, once a week); these may need to be monitored outside of this test run.
- While testing the policy, navigate to the Protection > Threats screen in the management console to view a list of applications and processes that CylancePROTECT considers to be a threat (abnormal or unsafe) and identify the ones that should be allowed to run on the endpoint. You can click a threat to view more information about it and download the file to perform your own threat research. The downloaded file is unaltered but renamed to its SHA256 hash with no file extension, to prevent accidental detonation. If you rename it to include the original file extension, it may run. No personally identifiable information is shared with the console or with other tenants or organizations.
- Navigate to Policies > Device Policy and edit the device policy to allow specific applications and processes to run on endpoints that have this policy assigned to them. You can add files to the Policy Safe List section in the File Actions tab. You can also quarantine or waive files on specific devices or on all devices in your organization. For more information, see Managing safe and unsafe lists for CylancePROTECT Desktop.
- Edit the device policy to enable the background threat detection scans to analyze executable files on the disk that may be dormant threats.
- In the Protection Settings tab, enable the Background Threat Detection setting and select the Run Once option. Although periodic scanning is not necessary due to the predictive abilities of the solution, you may select Run Recurring to enable it, for example, for compliance purposes.
- Enable the Watch For New Files setting. This setting may negatively impact performance on the device. Adding folder exclusions may help reduce the impact.
- To exclude specific folders from background threat detection, select Exclude Specific Folders (includes subfolders) and specify the folders to exclude. To allow the execution of files in the folders that you specified, select Allow execution. For more information about these fields, see Protection settings.
- Click Save to save the policy.
- Test the policy again and make sure that any applications that users are required to use are allowed to run. Background threat detection scanning may take up to one week, depending on how busy the system is and the number of files that require analysis. If necessary, make sure to add files to the policy safe list, global safe list, or waive them for individual devices. You can also exclude the folder containing the file in the protection settings.
- Edit the device policy to kill unsafe processes that are running on the system. For example, when a threat is detected in an executable file (.exe or .msi) and it is considered to be unsafe, this setting kills running processes and their sub-processes.
- In the Protection Settings tab, enable the Kill Unsafe Running Processes setting.
- Edit the policy to enable the auto-quarantine settings for unsafe and abnormal files.
- In the File Actions tab, under the Unsafe table column, enable the Auto Quarantine setting beside Executable to automatically move unsafe files to the quarantine folder on the device. Unsafe files have malware attributes and are likely to be malware.
- Under Abnormal, enable Auto Quarantine to automatically move abnormal files to the quarantine folder on the device. An abnormal file has fewer malware attributes than an unsafe file and is less likely to be malware.
- Edit the policy to enable memory protection settings to handle memory exploits, process injections, and escalations.
- In the Memory Actions tab of the device policy, enable Memory Protection and set the violation types to Alert. When a violation type is set to Alert and a threat of that type is detected, the agent sends information to the console but does not block or terminate any process running in device memory.
- While testing the policy, navigate to the Protection > Memory Protection screen in the console to view a list of memory protection alerts for processes that may be a threat.
- If you determine that any of the processes are safe for daily business activities, add exclusions for the processes that you want to allow to run. In the Memory Actions tab of the device policy, click Add exclusion and specify the relative path to the file.
- After you have specified the exclusions for processes that you want to allow to run, set the action to Block for all violation types. When a violation type is blocked, the agent sends information to the console and blocks the malicious process from running in memory. The application that called the malicious process is allowed to continue running.
- Edit the policy to enable the device control settings. This example demonstrates how to block access to all device types and allow the exceptions, but you may choose to allow full access to all device types and block the exceptions instead.
- In the Device Control tab of the device policy, enable the Device Control policy.
- Set the access level for each of the USB device types to Full Access.
- Save the policy.
- On the test device, insert a USB device.
- In the management console, navigate to Protection > External Devices and identify the vendor ID, product ID, and serial number of any devices that you want to allow. Not all manufacturers use a unique serial number with their products; some manufacturers use the same serial number for multiple products.
- In the Device Control tab of the device policy, in the External Storage Exclusion List section, click Add device to add any devices that you want to allow.
- Once testing is complete, set the access level for each of the device types to Block. You can add any exclusions as needed.
- Edit the policy to enable the script control settings. The suggested testing time is 1 to 3 weeks.
- In the Script Control tab of the device policy, enable the Script Control policy.
- Set the policy for each of the script types to Alert. The longer the time script control is set to Alert, the more likely you are to find infrequently run scripts used in the organization. Enabling the script control setting can cause a high volume of events if scripts are used to manage Active Directory settings.
- Navigate to Protection > Script Control and identify the scripts that were run on devices that you want to allow.
- In the Script Control tab of the device policy, in the Exclude Files, Scripts or Processes section, click Add exclusion and specify a relative process path of the scripts that you want to allow (for example, \Cases\AllowedScripts).
- After you have added the exclusions for scripts that you want to allow to run, you can set the policy for each of the script types to Block.
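The threat-research step above says a sample downloaded from the Protection > Threats screen is the unaltered file renamed to its SHA256 hash with no extension. Before analyzing such a sample it is worth confirming that the file on disk still matches that convention and that its contents hash to the name. The following PowerShell function is an added example, not code from the BlackBerry documentation or the CylancePROTECT product; the function name Test-CylanceSampleHash and the sample path in the usage comment are assumptions for illustration.

```powershell
# Added example (not from the BlackBerry documentation): verify a threat sample
# downloaded from the management console. The page states the download is the
# original file renamed to its SHA256 hash with no extension. This check confirms
# the name is a 64-character hex digest, recomputes SHA256 locally (the file is
# read, never executed), and reports whether the two agree.

function Test-CylanceSampleHash {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Sample not found: $Path"
    }

    $item = Get-Item -LiteralPath $Path

    # An extension means someone renamed the sample; per the documentation it
    # may now run if opened. Warn but continue, so the hash can still be checked.
    if ($item.Extension -ne '') {
        Write-Warning "Sample has an extension ('$($item.Extension)') and may be runnable. Do not open it."
    }

    # BaseName is the file name without its extension; for an unmodified download
    # this is the full 64-character SHA256 digest.
    $expected = $item.BaseName
    if ($expected -notmatch '^[0-9A-Fa-f]{64}$') {
        throw "File name '$expected' is not a SHA256 digest; this does not look like a console download."
    }

    # Get-FileHash streams the file contents; nothing is executed.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    [pscustomobject]@{
        Path     = $item.FullName
        Expected = $expected.ToUpperInvariant()
        Actual   = $actual.ToUpperInvariant()
        Match    = ($expected -ieq $actual)
    }
}

# Usage (the path is an assumed example; replace <sha256> with the digest
# that names the downloaded sample):
# Test-CylanceSampleHash -Path 'C:\Cylance\Samples\<sha256>' | Format-List
```

A mismatch between Expected and Actual means the file was altered after download (or is not the file the console named), and the sample should not be trusted for research until it is re-downloaded.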
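The device control steps rely on reading the vendor ID, product ID and serial number of a plugged-in USB device from Protection > External Devices, with the caveat that not every manufacturer supplies a unique serial number. On the test device itself those same values are present in the Windows PnP instance ID, and enumerating them locally gives a second source to cross-check before an exclusion is added. The following PowerShell function is an added example, not code from the BlackBerry documentation or the CylancePROTECT product; the function name Get-UsbDeviceIdentity is an assumption. The one fact it encodes beyond the page is how Windows names USB instances: USB\VID_xxxx&PID_xxxx\<serial>, where a device that reports no serial number gets a Windows-generated, port-dependent value containing '&' instead.

```powershell
# Added example (not from the BlackBerry documentation): enumerate USB devices
# on the test endpoint and extract vendor ID, product ID and serial number from
# the Windows PnP instance ID (USB\VID_xxxx&PID_xxxx\<serial>), so the values can
# be cross-checked against Protection > External Devices before adding a device
# to the External Storage Exclusion List.
#
# When a USB device does not report a serial number, Windows generates a
# bus-relative instance ID such as 5&2A1B3C4D&0&1 that contains '&' and changes
# when the device moves to another port. Such a value is not a per-device serial
# and cannot be relied on to identify one specific device.

function Get-UsbDeviceIdentity {
    [CmdletBinding()]
    param(
        # By default only devices currently connected are listed.
        [switch]$IncludeDisconnected
    )

    $params = @{ Class = 'USB' }
    if (-not $IncludeDisconnected) { $params['PresentOnly'] = $true }

    Get-PnpDevice @params | ForEach-Object {
        # Match only top-level devices. Root hubs (USB\ROOT_HUB*) and composite
        # interface children (USB\VID_xxxx&PID_xxxx&MI_nn\...) are skipped because
        # they are not the device identity the console reports.
        if ($_.InstanceId -match '^USB\\VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})\\([^\\]+)$') {
            $serial = $Matches[3]
            [pscustomobject]@{
                FriendlyName  = $_.FriendlyName
                VendorId      = $Matches[1].ToUpperInvariant()
                ProductId     = $Matches[2].ToUpperInvariant()
                Serial        = $serial
                # A manufacturer-supplied serial never contains '&'; a
                # Windows-generated placeholder always does.
                HasRealSerial = ($serial -notmatch '&')
                Status        = $_.Status
                InstanceId    = $_.InstanceId
            }
        }
    }
}

# List what is plugged in now, devices with a real serial first.
Get-UsbDeviceIdentity | Sort-Object HasRealSerial -Descending | Format-Table -AutoSize

# Call out devices that cannot be singled out by serial number: an exclusion
# keyed only on VID/PID would match every unit of that model.
Get-UsbDeviceIdentity | Where-Object { -not $_.HasRealSerial } | ForEach-Object {
    Write-Warning ("{0} (VID {1}, PID {2}) reports no unique serial number." -f `
        $_.FriendlyName, $_.VendorId, $_.ProductId)
}
```

Run it on the test device after inserting the USB device in the step above; the VID, PID and serial shown should agree with what Protection > External Devices reports for that device. Devices flagged with HasRealSerial = False are the case the documentation warns about: the same identifier may match many products, so decide deliberately whether a model-wide exclusion is acceptable.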