Device policy: Malware Protection settings

Malware protection settings specify how the agent handles a file when it detects a threat that it considers to be unsafe or abnormal. Add files that you want the agent to consider as safe to the policy safe list.
Setting / Description
Auto-quarantine unsafe executables with execution control
When enabled, CylancePROTECT Desktop will automatically quarantine unsafe files when they try to execute on a device. Once enabled, you can also choose whether to auto-quarantine abnormal executables when they try to execute (Auto-quarantine abnormal executables with execution control).
Unsafe files contain significantly more malware attributes and are more likely to be malware than abnormal files.
When a file is quarantined, it is renamed with a .quarantine extension and moved to the quarantine directory:
  • Windows: C:\ProgramData\Cylance\Desktop\q
  • macOS: /Library/Application Support/Cylance/Desktop/q
  • Linux: /opt/cylance/desktop/q
The Access Control List (ACL) for the file is modified to prevent the user from interacting with the file.
Some malware is designed to create files in other directories and continues to do so until it is successful. Instead of removing the files, CylancePROTECT Desktop modifies them so that the malware doesn't try to create them again and so that they cannot be executed.
Stop unsafe running processes and their sub-processes
When enabled, the CylancePROTECT Desktop agent will stop all unsafe running processes and child processes when it detects a .exe or .dll threat. This offers a high level of control over malicious processes that might be running on a device.
The file must be auto-quarantined, manually quarantined, or quarantined using the global quarantine list. This feature must be enabled before the file is quarantined. If this feature is enabled but the file is not quarantined or auto-quarantined, the processes will continue to run.
For example, a file is allowed to run, then you decide to quarantine the file. When this setting is enabled, the file is quarantined and the process is terminated, along with any child processes. If this setting is disabled, the file is still quarantined, but because the file was allowed to run, any processes started by the file could continue to run.
Auto-upload for .exe files
When enabled, CylancePROTECT Desktop will automatically upload unfamiliar executable files that it detects to the CylancePROTECT cloud services to perform a deeper analysis of the file and provide additional data on the detection to assist with manual analysis and triage.
CylancePROTECT Desktop only uploads and analyzes unknown files such as Portable Executable (PE), Executable and Linkable Format (ELF) and Mach Object file format (Mach-O) files. If the same unknown file is discovered on multiple devices, CylancePROTECT Desktop uploads one file only from a single device for analysis, not one file per device.
Copy file samples (malware)
When enabled, you specify a fully qualified network share (\\server_name\shared_folder) to store copies of file samples that are detected by Background threat detection, Watch for new files, and Auto-quarantine with execution control. This allows you to conduct your own analysis of files that CylancePROTECT Desktop considers to be unsafe or abnormal.
CIFS/SMB network shares are supported. All files that meet the unsafe or abnormal criteria are copied. No uniqueness test is performed, so the same sample can be copied once per device that detects it. Files are compressed and password protected. The password is "infected". Because the share accumulates live, convicted malware samples, restrict access to it to the analysts who need it.
Policy safe list
Add files that your organization considers to be safe to the policy safe list to allow them to run on devices. The policy safe list takes precedence over the global safe list or global quarantine list.
For more information about the policy safe list, see Exclusions and when to use them.
Background threat detection
When enabled, the CylancePROTECT Desktop agent performs a full disk scan on a specified interval to detect and analyze any dormant threats.
The scan is designed to minimize impact to the device user by using a low amount of system resources. The background threat detection scan can take up to one week, depending on how busy the system is and the number of files on the system that require analysis. The date and time of the most recent completed scan is recorded in the management console.
You can specify whether you want the scan to occur only once after the agent is installed, or on a recurring interval that you specify (default 10 days). Increasing the scan frequency may impact device performance. A significant update to the agent’s detection model (for example, adding support for a new OS) can trigger a full disk scan.
It is a best practice to set background threat detection to run once and to enable Watch for new files. Periodic scans of the entire disk are not necessary, but can be implemented for compliance purposes (for example, for PCI compliance).
If background threat detection scans are running on several VM devices that are from the same VM host at the same time, device performance will be impacted. Consider incrementally enabling this feature for VM devices to limit the number of scans occurring at the same time.
To manually start a background threat detection scan on a device, use one of the following commands:
  • Windows: "C:\Program Files\Cylance\Desktop\CylanceSvc.exe" /backgroundscan
  • macOS: /Applications/Cylance/CylanceUI.app/Contents/MacOS/CylanceUI -background-scan
  • Linux: /opt/cylance/desktop/Cylance -b or /opt/cylance/desktop/Cylance --start-bg-scan
Watch for new files
When enabled, the CylancePROTECT Desktop agent scans and analyzes any new or modified files for dormant threats. If a threat is detected, the file can be quarantined (per the Auto-quarantine setting) even if there was no attempt to execute it. It is recommended that you enable this setting together with Background threat detection (run once).
Auto-quarantine with execution control blocks unsafe or abnormal files when they try to execute, while Watch for new files can quarantine unsafe or abnormal files when they are detected. It is not necessary to enable Watch for new files when Auto-quarantine is also enabled, unless you prefer to quarantine a malicious file as soon as the agent detects the threat during a scan.
This setting might impact device performance. Consider monitoring disk or message processing performance to see if it has changed. Excluding specific folders might improve performance and ensure that certain folders and files do not get scanned or analyzed by the agent.
Scan archives: Max archive size
This setting is available if Background threat detection or Watch for new files are enabled.
You can specify the maximum size of an archive file, in MB, that the CylancePROTECT Desktop agent can scan (Background threat detection and Watch for new files). If the file size is set to 0 (the default value), archive files are not scanned.
Exclude folders: Add Exclusion
This setting is available if Background threat detection or Watch for new files are enabled.
You can specify folder and subfolder paths that you want to exclude from scanning (Background threat detection and Watch for new files):
  • For Windows, use an absolute path with a drive letter. For example, C:\Test.
  • For macOS, use an absolute path from the root without a drive letter. For example, /Applications/SampleApplication.app.
  • For Linux, use an absolute path from the root without a drive letter. For example, /opt/application.
You can turn on the Allow execution setting if you also want to exclude the specified folder paths from Auto-quarantine with execution control. Note that files and threats that are dropped into exclusion folders will be allowed to execute and could compromise your device and organization. Take precautions to ensure that rogue files cannot be added to excluded folders.
Exclusions are not applied retroactively. Adding an exclusion after an initial detection or conviction will not retroactively exclude the files. Any files that were previously detected or convicted will remain in that state until locally waived or added to the global safe list.
See the details below for using wildcards for folder exclusions.

Using wildcards for folder exclusions

You can use the asterisk (*) as a wildcard for all operating systems when specifying folder exclusions. Use the asterisk to exclude folders and to represent a prefix or suffix for a folder name.
  • The asterisk matches one or more characters, except the platform-specific path separator ('\' on Windows, '/' on macOS and Linux). Because it must match at least one character, TestFolder* does not match a folder named exactly TestFolder.
  • Multiple wildcards are allowed in an exclusion path.
  • "*" escaping is not supported. For example, you cannot exclude a folder that contains an asterisk "*" in the folder name.
  • Previous folder exclusion functionality still applies, so exclusions will also apply to any child folders.
  • A wildcard cannot be used in the file name of an executable. Use wildcards for folder or directory names only.
  • Double asterisks (**) are not supported in folder exclusions.
  • C:\* is not recommended as it would exclude any directory and child directory in the entire C: drive.
Wildcard examples:
  • Parent folder: C:\Application\*\MyApp\
  • Prefix: C:\Application\*Folder1\MyApp\
  • Suffix: C:\Application\TestFolder*\MyApp\
  • Prefix and suffix: C:\Application\*Folder*\MyApp\
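The following script is an added example for this page, not CylancePROTECT code; the agent's own matcher is not public, and the script implements only the rules stated above (absolute paths with a drive letter on Windows and a leading / on macOS and Linux, '*' standing for one or more non-separator characters, multiple wildcards per path, no '**', and an exclusion covering the folder and every folder beneath it). It lets an administrator check what a candidate exclusion would and would not cover before pushing it to a policy. The assumption that Windows matching is case-insensitive while macOS and Linux matching is case-sensitive is the author's, not the documentation's; the sample exclusions and file paths are constructed.

```python
"""Check folder exclusions against the documented wildcard rules before adding them to a policy.

Added example for the folder-exclusion documentation; not CylancePROTECT code.
Assumption (not from the documentation): Windows matching ignores case, macOS/Linux do not.
"""
import re
from typing import List, Optional

PLATFORMS = {
    "windows": {"sep": "\\", "root": re.compile(r"^[A-Za-z]:\\"), "flags": re.IGNORECASE},
    "macos":   {"sep": "/",  "root": re.compile(r"^/"),            "flags": 0},
    "linux":   {"sep": "/",  "root": re.compile(r"^/"),            "flags": 0},
}


def validate_exclusion(exclusion: str, platform: str) -> List[str]:
    """Return the documented rules the exclusion breaks; an empty list means it is acceptable."""
    p = PLATFORMS[platform]
    problems = []
    if not p["root"].match(exclusion):
        problems.append("must be absolute: drive letter on Windows, leading / on macOS and Linux")
    if "**" in exclusion:
        problems.append("double asterisk (**) is not supported")
    if platform == "windows" and re.fullmatch(r"[A-Za-z]:\\\*\\?", exclusion):
        problems.append("matches every directory on the drive; not recommended")
    return problems


def exclusion_pattern(exclusion: str, platform: str) -> "re.Pattern":
    """Compile an exclusion into a regex matching the folder itself and anything beneath it."""
    p = PLATFORMS[platform]
    sep = p["sep"]
    if not p["root"].match(exclusion):
        raise ValueError(f"{exclusion!r}: exclusion must be an absolute path")
    if "**" in exclusion:
        raise ValueError(f"{exclusion!r}: double asterisk is not supported")
    not_sep = "[^" + re.escape(sep) + "]+"  # what one '*' may stand for: 1+ chars, no separator
    parts = [c for c in exclusion.rstrip(sep).split(sep) if c]

    def component(c: str) -> str:
        # Escape literal characters; each '*' becomes a run of non-separator characters.
        return "".join(not_sep if ch == "*" else re.escape(ch) for ch in c)

    if platform == "windows":
        prefix, rest = re.escape(parts[0]), parts[1:]  # 'C:' then the folder components
    else:
        prefix, rest = "", parts                        # the leading '/' is re-added below
    body = "".join(re.escape(sep) + component(c) for c in rest)
    # Child folders inherit the exclusion, so accept a separator or end of string after it.
    return re.compile("^" + prefix + body + "(?:" + re.escape(sep) + "|$)", p["flags"])


def matching_exclusion(file_path: str, exclusions: List[str], platform: str) -> Optional[str]:
    """Return the first exclusion that covers file_path, or None if the file would still be scanned."""
    for exc in exclusions:
        if exclusion_pattern(exc, platform).match(file_path):
            return exc
    return None


def is_excluded(file_path: str, exclusions: List[str], platform: str) -> bool:
    return matching_exclusion(file_path, exclusions, platform) is not None


if __name__ == "__main__":
    # Constructed sample policy and file paths, not from a real deployment.
    policy = ["C:\\Application\\*\\MyApp\\", "C:\\Application\\TestFolder*\\MyApp\\", "C:\\Test"]
    for exc in policy + ["C:\\*", "Relative\\Path", "C:\\Build\\**\\out"]:
        print(f"{exc!r}: {'; '.join(validate_exclusion(exc, 'windows')) or 'ok'}")
    samples = [
        "C:\\Application\\TestFolder\\MyApp\\bin\\tool.exe",  # covered by the parent-folder wildcard
        "C:\\Application\\MyApp\\tool.exe",                   # '*' needs a folder to stand for
        "C:\\Application\\TestFolder\\MyApp\\x.exe",          # TestFolder* needs 1+ chars after the prefix
        "C:\\Test\\nested\\dropper.exe",                       # child folders inherit the exclusion
    ]
    for path in samples:
        print(f"{path}: {matching_exclusion(path, policy, 'windows') or 'scanned'}")
```

Run it as written to see which sample paths each policy entry covers; the third sample shows the "one or more characters" rule, which means a suffix wildcard such as TestFolder* does not cover a folder named exactly TestFolder, so a second entry without the wildcard is needed for that case.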