Cylance Endpoint Security

proxy requirements

If you want to configure both the
CylancePROTECT Desktop
agent and the
CylanceOPTICS
agent on a device to use a proxy server for outbound communication to
BlackBerry
servers, in the Registry Editor, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Cylance\Desktop and create String Value REG_SZ:
Value Name = ProxyServer
Value Data =
<proxyIP:port>
(for example, http://123.45.67.89:8080)
The proxy must accept unauthorized requests. SSL inspection is not supported and must be bypassed for all agent traffic (*.cylance.com).
For
Windows
environments, if you configured system wide proxy settings in HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings, you must specify the ProxyServer registry key value using
<proxyIP:port>
, or the value must start with http:// instead of https:// (HTTPS proxy connections are supported but the registry value must not start with https://).

The
CylanceOPTICS
agent is proxy aware and will query the .NET framework to identify and use the available proxy settings. If you configured the ProxyServer value in the registry, the
CylanceOPTICS
agent will use the specified proxy. The
CylanceOPTICS
agent will try to communicate first as the Local System, then as the currently logged in user.
If you configure the
CylanceOPTICS
agent to use a proxy and the agent cannot communicate with the cloud services, the agent will attempt to bypass the proxy to make a direct connection. On
Windows
and
macOS
devices, you can disable this proxy bypass. Do the following before you install the
CylanceOPTICS
agent:
Platform	Steps
Windows	In HKLM\SOFTWARE\Cylance\Optics\, create String Value REG_SZ: Value Name = DisableProxyBypass Value Data = True
macOS	In /Library/Application Support/Cylance/Desktop/registry/LocalMachine/Software/Cylance/Desktop/, add the following to the values.xml file: <value name=“ProxyServer” type=“string”>http:// proxy_server_IP : port </value> In /Library/Application Support/Cylance/Optics/Configuration, create an ExternalConfig.xml file with the following: <?xml version=“1.0” encoding=“utf-8”?><EnforceProxyServer>true</EnforceProxyServer>
When
CylanceOPTICS
creates a detection event that involves a signed file as an artifact, it uses a command from the
Windows
API to validate the signature or certificate. The command sends a validation request to an OCSP server. The OCSP server address is determined by
Windows
. If your proxy server reports attempts to send external traffic to an OCSP server, update the proxy settings on devices to allow connections with the OCSP server.

Replace all instances of "cylancesvc" with "cyoptics"
Duplicate each http_proxy line and replace "http_proxy" with "https_proxy". In most cases https_proxy will use the same value as http_proxy because HTTPS traffic is tunneled using TCP Connect, but if your organization uses an HTTPS termination proxy server, specify the appropriate value for https_proxy.

mkdir /etc/systemd/system/cylancesvc.service.d
echo "[Service]" > /etc/systemd/system/cylancesvc.service.d/proxy.conf
echo "Environment=http_proxy=http://proxyaddress:port" >> /etc/systemd/system/cylancesvc.service.d/proxy.conf
systemctl stop cylancesvc
systemctl daemon-reload
systemctl start cylancesvc

mkdir /etc/systemd/system/cylancesvc.service.d
echo "[Service]" > /etc/systemd/system/cylancesvc.service.d/proxy.conf
echo "Environment=http_proxy=user:password@proxyaddress:port" >> /etc/systemd/system/cylancesvc.service.d/proxy.conf
systemctl stop cylancesvc
systemctl daemon-reload
systemctl start cylancesvc