Policy JSON view

The JSON view displays the policy as a JSON file. This is the same format used for the Policy API.
user_id
Your unique console ID. To get your user ID, do one of the following:
  • Use the Cylance API (Get Users)
  • In the console, go to User Management and view your user details; your user ID is at the end of the URL
checksum
Use an empty value. This is required when creating a policy.
device_control
Device control allows or blocks access to USB mass storage devices.
Item
Description
control_mode
  • Block
    blocks the USB device from connecting to the endpoint
  • FullAccess
    allows the USB device to connect to the endpoint
device_class
All device_class entries must be included in the request.
  • AndroidUSB
    is a portable device running Android OS, like a smartphone or tablet
    An Android device could connect and be identified as Android, Still Image, or Windows Portable Device. If you want to block Android devices, consider blocking Still Image and Windows Portable Device as well.
  • iOS
    is an Apple portable device running iOS, like an iPhone or iPad
    iOS devices will not charge when Device Control is enabled and set to Block, unless the Apple device is powered off. Apple includes their charging capability within functions of the device that are required for our iOS device blocking capability. Non-Apple devices do not bundle their charging capability in this manner and are not impacted.
  • StillImage
    is the device class containing scanners, digital cameras, multi-mode video cameras with frame capture, and frame grabbers
  • USBCDDVDRW
    is a USB optical drive
  • USBDrive
    is a USB hard drive or USB flash drive
  • VMWareMount
    is the VMware USB Passthrough, which allows a VMware virtual machine client to access USB devices connected to the host
  • WPD
    is a Windows Portable Device, which uses the Microsoft Windows Portable Device driver technology, such as mobile phones, digital cameras, and portable media players
exclusion_list
The device control exclusion list that allows or blocks access to specific USB mass storage devices
  • comment
    adds detail about the exclusion; this information is optional
  • control_mode
    allows or blocks the specific USB mass storage device
    • Block
      blocks the USB mass storage device from connecting to the endpoint
    • FullAccess
      allows the USB mass storage device to connect to the endpoint
  • product_id
    is the product identifier for the USB mass storage device; this information is optional
  • serial_number
    is the serial number for the USB mass storage device; this information is optional
  • vendor_id
    is the vendor identifier for the USB mass storage device; this information is optional
    One way to find the vendor ID for a USB mass storage device is to enable device control in a policy, assign that policy to a device, then attach the USB mass storage device to it. You can view external device logs in the Cylance console, on the Protection page or the Device Details page (External Devices tab).
Example
"exclusion_list": [ { "vendor_id": "1234", "comment": "Test device control exclusion", "serial_number": "987654321", "product_id": "5678", "control_mode": "FullAccess" } ]
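The following is an added example, not code from the page or from Cylance, that builds a device_control section the way the rules above describe: every device_class is emitted (the request requires all of them), exclusions are validated before they go in, and blocking AndroidUSB without StillImage and WPD is flagged. Two things are assumptions because the page does not show them: that the per-class settings sit in a "configurations" list of {"device_class", "control_mode"} objects beside "exclusion_list", and that vendor_id and product_id are the 4-hex-digit USB VID/PID strings.

```python
"""device_control builder for the policy JSON view (added example, not from the page).

Assumed, because the page does not show it: the section carries a
"configurations" list of {"device_class", "control_mode"} objects beside the
documented "exclusion_list", and vendor_id/product_id are the 4-hex-digit
USB VID/PID strings.  Class names, modes and field names are from the page.
"""
import json
import re
import warnings

DEVICE_CLASSES = ("AndroidUSB", "iOS", "StillImage", "USBCDDVDRW",
                  "USBDrive", "VMWareMount", "WPD")
CONTROL_MODES = ("Block", "FullAccess")
_HEX4 = re.compile(r"^[0-9A-Fa-f]{4}$")  # 16-bit USB VID/PID as hex text


def make_exclusion(vendor_id, product_id=None, serial_number=None,
                   control_mode="FullAccess", comment=""):
    """Return one exclusion_list entry after validating its identifiers."""
    if control_mode not in CONTROL_MODES:
        raise ValueError(f"control_mode must be one of {CONTROL_MODES}")
    if not _HEX4.match(vendor_id):
        raise ValueError(f"vendor_id {vendor_id!r} is not a 4-digit hex USB VID")
    entry = {"vendor_id": vendor_id, "control_mode": control_mode, "comment": comment}
    if product_id is not None:
        if not _HEX4.match(product_id):
            raise ValueError(f"product_id {product_id!r} is not a 4-digit hex USB PID")
        entry["product_id"] = product_id
    if serial_number is not None:
        # Pin to the serial as well: VID/PID alone matches every unit of that model.
        entry["serial_number"] = serial_number
    return entry


def build_device_control(blocked, exclusions=()):
    """Block the given classes and allow the rest.

    The page requires every device_class in the request, so all seven are
    always emitted; classes not listed in `blocked` get FullAccess.
    """
    blocked = set(blocked)
    unknown = blocked - set(DEVICE_CLASSES)
    if unknown:
        raise ValueError(f"unknown device_class: {sorted(unknown)}")
    if "AndroidUSB" in blocked and not {"StillImage", "WPD"} <= blocked:
        # An Android phone may enumerate as StillImage or WPD instead.
        warnings.warn("blocking AndroidUSB without StillImage and WPD leaves a gap")
    return {
        "configurations": [
            {"device_class": c, "control_mode": "Block" if c in blocked else "FullAccess"}
            for c in DEVICE_CLASSES],
        "exclusion_list": list(exclusions),
    }


if __name__ == "__main__":
    # Constructed sample: block removable storage and phones, but allow one
    # specific drive identified by vendor, product and serial number.
    dc = build_device_control(
        blocked={"USBDrive", "AndroidUSB", "StillImage", "WPD", "iOS"},
        exclusions=[make_exclusion("1234", "5678", "987654321",
                                   comment="Test device control exclusion")])
    print(json.dumps({"device_control": dc}, indent=2))
```

An exclusion with only a vendor_id allows every device from that vendor, so for a FullAccess exclusion include product_id and serial_number whenever the device logs give them.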
file_exclusions
Adds file exclusions to the Policy Safe List, under File Actions. The policy safe list is a set of file exclusions specific to the policy; any device assigned to the policy will allow the excluded files to run.
Item
Description
category_id
A list of categories to identify the type of file; this information is optional
  • 1 - None
  • 2 - AdminTool
  • 3 - InternalApplication
  • 4 - CommercialSoftware
  • 5 - OperatingSystem
  • 6 - Drivers
  • 7 - SecuritySoftware
file_hash
The SHA256 hash for the file; this information is optional
file_name
The name of the file being excluded; this information is optional
md5
The MD5 hash for the file; this information is optional
reason
The reason the file was excluded; this information is optional
Example
"file_exclusions": [ { "reason": "Test Exclusion", "category_id": "2", "md5": "d41d8cd98f00b204e9800998ecf8427e", "file_hash": "bf17366ee3bb8068a9ad70fc9e68496e7e311a055bf4ffeeff53cc5d29ccce52", "file_name": "filename" } ]
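As an added example (not from the page or from Cylance), the block below computes the file_hash (SHA256) and md5 values for a file, maps the category name to its category_id, and validates an entry before it is sent. The category table and field names are copied from the page; hashlib and pathlib are the Python standard library. Pinning an exclusion to both hashes rather than to file_name alone matters, since a name-only exclusion matches any binary renamed to that name.

```python
"""Build and validate file_exclusions entries (added example, not from the page).

Computes the SHA256 (file_hash) and MD5 (md5) values the page lists and maps
category names to category_id.  The category table is copied from the page.
"""
import hashlib
import json
from pathlib import Path

CATEGORY_ID = {"None": "1", "AdminTool": "2", "InternalApplication": "3",
               "CommercialSoftware": "4", "OperatingSystem": "5",
               "Drivers": "6", "SecuritySoftware": "7"}


def hashes_for_bytes(data: bytes) -> dict:
    """Return both digests in the lower-case hex form used in the policy."""
    return {"file_hash": hashlib.sha256(data).hexdigest(),
            "md5": hashlib.md5(data).hexdigest()}


def file_exclusion(data: bytes, file_name: str, category: str, reason: str) -> dict:
    """Return one file_exclusions entry for the given file contents.

    Both hashes are included: an entry keyed only on file_name would match
    any file renamed to that name, so hash-pinned exclusions are preferred.
    """
    if category not in CATEGORY_ID:
        raise ValueError(f"unknown category {category!r}; "
                         f"expected one of {sorted(CATEGORY_ID)}")
    entry = {"reason": reason, "category_id": CATEGORY_ID[category],
             "file_name": file_name}
    entry.update(hashes_for_bytes(data))
    return entry


def file_exclusion_from_path(path: str, category: str, reason: str) -> dict:
    """Convenience wrapper that hashes a file on disk."""
    p = Path(path)
    return file_exclusion(p.read_bytes(), p.name, category, reason)


def _is_hex(value: str, length: int) -> bool:
    return len(value) == length and all(c in "0123456789abcdef" for c in value.lower())


def validate_exclusion(entry: dict) -> list:
    """Return the problems with an entry; an empty list means it is well-formed."""
    problems = []
    h = entry.get("file_hash")
    if h is not None and not _is_hex(h, 64):
        problems.append("file_hash is not a 64-hex-digit SHA256")
    m = entry.get("md5")
    if m is not None and not _is_hex(m, 32):
        problems.append("md5 is not a 32-hex-digit MD5")
    if entry.get("category_id") not in CATEGORY_ID.values():
        problems.append("category_id outside 1..7")
    if not (h or m or entry.get("file_name")):
        problems.append("entry identifies no file (no hash and no file_name)")
    return problems


if __name__ == "__main__":
    # Constructed sample: an empty file, whose MD5 is the value shown on the page.
    entry = file_exclusion(b"", "filename", "AdminTool", "Test Exclusion")
    print(json.dumps({"file_exclusions": [entry]}, indent=2))
    print("problems:", validate_exclusion(entry))
```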
filetype_actions
The auto-quarantine and auto-upload settings for unsafe (threat_files) and abnormal (suspicious_files) files.
Item
Description
actions
Allows setting auto-quarantine and auto-upload to enabled or disabled
  • 0 - Auto-quarantine OFF, auto-upload OFF
  • 1 - Auto-quarantine ON, auto-upload OFF
  • 2 - Auto-quarantine OFF, auto-upload ON
    Use 2 for suspicious_files when threat_files is set to 3 and auto-quarantine for suspicious_files is disabled.
  • 3 - Auto-quarantine ON, auto-upload ON
    The value is a two-bit mask: 1 is auto-quarantine, 2 is auto-upload.
file_type
Only has "executable" as an option
suspicious_files
These are abnormal files
threat_files
These are unsafe files
logpolicy
The agent log file settings.
Item
Description
log_upload
  • null - Disabled
  • 1 - Enabled
maxlogsize
The maximum file size (in MB) for a single agent log file
retentiondays
The number of days to save agent log files; log files older than the set number of days will be deleted
memoryviolation_actions
The violation types for memory protection.
All memory_violations and memory_violations_ext must be included in the request.
Item
Description
Action
  • None
    means no action is taken when a memory violation is triggered
  • Alert
    means an alert will display in the console but no action is taken on the memory violation
  • Block
    means the memory violation is blocked and an alert will display in the console; the process that triggered the memory violation is not terminated
  • Terminate
    means the memory violation is blocked, the process that triggered the memory violation is terminated, and an alert will display in the console
memory_violations
  • lsassread
    (LSASS Read) - The memory belonging to the Windows Local Security Authority process has been accessed in a manner that indicates an attempt to obtain users' passwords.
  • outofprocessallocation
    (Remote Allocation of Memory) - A process has allocated memory in another process. Most allocations will only occur within the same process. This generally indicates an attempt to inject code or data into another process, which may be a first step in reinforcing a malicious presence on a system.
  • outofprocesscreatethread
    (Remote Thread Creation) - A process has created a new thread in another process. A process’s threads are usually only created by that same process. This is generally used by an attacker to activate a malicious presence that has been injected into another process.
  • outofprocessmap
    (Remote Mapping of Memory) - A process has introduced code and/or data into another process. This may indicate an attempt to begin executing code in another process and thereby reinforce a malicious presence.
  • outofprocessoverwritecode
    (Remote Overwrite Code) - A process has modified executable memory in another process. Under normal conditions, executable memory will not be modified, especially by another process. This usually indicates an attempt to divert execution in another process.
  • outofprocessunmapmemory
    (Remote Unmap of Memory) - A process has removed a Windows executable from the memory of another process. This may indicate an intent to replace the executable image with a modified copy for the purpose of diverting execution.
  • outofprocesswrite
    (Remote Write to Memory) - A process has modified memory in another process. This is usually an attempt to store code or data in previously allocated memory (see OutOfProcessAllocation), but it is possible that an attacker is trying to overwrite existing memory in order to divert execution for a malicious purpose.
  • outofprocesswritepe
    (Remote Write PE to Memory) - A process has modified memory in another process to contain an executable image. Generally, this indicates that an attacker is attempting to execute code without first writing that code to disk.
  • overwritecode
    (Overwrite Code) - The code residing in a process’s memory has been modified using a technique that may indicate an attempt to bypass Data Execution Prevention (DEP).
  • stackpivot
    (Stack Pivot) - The stack for a thread has been replaced with a different stack. Generally, the system will only allocate a single stack for a thread. An attacker would use a different stack to control execution in a way that is not blocked by Data Execution Prevention (DEP).
  • stackprotect
    (Stack Protect) - The memory protection of a thread’s stack has been modified to enable execution permission. Stack memory should not be executable, so usually this means that an attacker is preparing to run malicious code stored in stack memory as part of an exploit, an attempt which would otherwise be blocked by Data Execution Prevention (DEP).
memory_violations_ext
  • dyldinjection
    (DYLD Injection) - An environment variable has been set that will cause a shared library to be injected into a launched process. Attacks can modify the plist of applications like Safari or replace applications with bash scripts, causing their modules to be loaded automatically when an application starts.
  • maliciouspayload
    (Malicious Payload) - A generic shellcode and payload detection associated with exploitation has been detected.
  • trackdataread
    (RAM Scraping) - A process is trying to read valid magnetic stripe track data from another process. Typically related to point of sale systems (POS).
  • zeroallocate
    (Zero Allocate) - A null page has been allocated. The memory region is typically reserved, but in certain circumstances, it can be allocated. Attacks can use this to setup privilege escalation by taking advantage of some known null de-reference exploit, typically in the kernel.
memory_exclusion_list
These are the executable files to exclude from memory protection. This must be a relative path to the excluded executable file.
Example
"memory_exclusion_list": [ "\\temp" ]
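Because the request must list every memory_violations and memory_violations_ext type, it is easier to generate the section from a default Action plus per-type overrides than to hand-write fifteen entries. The block below is an added example, not code from the page or from Cylance; the violation names and Actions are copied from the page, while the element shape {"violation_type": <name>, "action": <Action>} is an assumption, as the page does not show the serialized form.

```python
"""memoryviolation_actions builder (added example, not from the page).

Every memory_violations and memory_violations_ext type must be present in
the request, so the builder starts from one default Action and applies
per-type overrides.  Violation names and Actions are from the page; the
element shape {"violation_type": <name>, "action": <Action>} is assumed.
"""
import json

ACTIONS = ("None", "Alert", "Block", "Terminate")
MEMORY_VIOLATIONS = (
    "lsassread", "outofprocessallocation", "outofprocesscreatethread",
    "outofprocessmap", "outofprocessoverwritecode", "outofprocessunmapmemory",
    "outofprocesswrite", "outofprocesswritepe", "overwritecode",
    "stackpivot", "stackprotect")
MEMORY_VIOLATIONS_EXT = ("dyldinjection", "maliciouspayload",
                         "trackdataread", "zeroallocate")
ALL_TYPES = MEMORY_VIOLATIONS + MEMORY_VIOLATIONS_EXT


def build_memory_actions(default="Alert", overrides=None, exclusions=()):
    """Return a complete section: `default` for every type, overridden per type."""
    overrides = dict(overrides or {})
    bad = [a for a in (default, *overrides.values()) if a not in ACTIONS]
    if bad:
        raise ValueError(f"unknown action(s): {bad}")
    unknown = set(overrides) - set(ALL_TYPES)
    if unknown:
        raise ValueError(f"unknown violation type(s): {sorted(unknown)}")

    def entries(names):
        return [{"violation_type": n, "action": overrides.get(n, default)} for n in names]

    return {"memory_violations": entries(MEMORY_VIOLATIONS),
            "memory_violations_ext": entries(MEMORY_VIOLATIONS_EXT),
            "memory_exclusion_list": list(exclusions)}


def missing_violation_types(section):
    """Violation types absent from a section; the page requires none to be missing."""
    present = {e["violation_type"]
               for key in ("memory_violations", "memory_violations_ext")
               for e in section.get(key, [])}
    return sorted(set(ALL_TYPES) - present)


def action_for(section, violation_type):
    """Look up the configured Action for one violation type (None if absent)."""
    for key in ("memory_violations", "memory_violations_ext"):
        for e in section.get(key, []):
            if e["violation_type"] == violation_type:
                return e["action"]
    return None


if __name__ == "__main__":
    # Staged rollout: alert everywhere, terminate on LSASS reads and PE
    # injection, block thread injection and stack pivots.
    section = build_memory_actions(
        default="Alert",
        overrides={"lsassread": "Terminate", "outofprocesswritepe": "Terminate",
                   "outofprocesscreatethread": "Block", "stackpivot": "Block"},
        exclusions=["\\temp"])
    print(json.dumps({"memoryviolation_actions": section}, indent=2))
    print("missing:", missing_violation_types(section))
```

Starting with Alert for every type and promoting individual types to Block or Terminate after reviewing the alerts avoids terminating legitimate tools (backup agents, debuggers, some EDR components) that perform cross-process writes.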
policy
Various policy settings are contained within this section. Some policy settings are enabled under the policy section and configured in a different section, like device_control and logpolicy.
Item
Description
auto_blocking
Enables or disables the Auto Quarantine setting for Unsafe and Abnormal files.
  • 0 - Disabled
  • 1 - Enabled
    filetype_actions must also be set for unsafe (threat_files) and abnormal (suspicious_files) files.
auto_delete
Setting to automatically delete quarantined files after a set number of days.
  • 0 - Disabled
  • 1 - Enabled
    If this feature is enabled, set days_until_deleted for the number of days to retain a quarantined file.
auto_uploading
Setting to automatically upload files that Cylance has not seen before. Cylance will perform an analysis on the file and provide details to assist in manual analysis and triage.
  • 0 - Disabled
  • 1 - Enabled
    filetype_actions must also be set for unsafe (threat_files) and abnormal (suspicious_files) files for Auto-Upload.
autoit_auto_uploading
The value is 0.
custom_thumbprint
The value is null.
days_until_deleted
Setting for the number of days to retain a quarantined file. Quarantined files older than the set number of days will be automatically deleted.
  • The minimum number of days is 14
  • The maximum number of days is 365.
To use the days_until_deleted feature, the auto_delete setting must be enabled.
device_control
Setting to enable or disable the device control feature.
docx_auto_uploading
The value is 0.
full_disc_scan
Setting to have Cylance analyze all executable files on disk to detect any dormant threats. This is the Background Threat Detection (BTD) setting.
  • 0 - Disabled
  • 1 - Run recurring (performs a scan every nine days)
  • 2 - Run once (runs a full disk scan upon installation only)
kill_running_threats
Setting to kill running processes and sub-processes, regardless of their state, when a threat (exe or dll) is detected.
logpolicy
The value is 0.
low_confidence_threshold
Setting to adjust the score threshold between unsafe and abnormal files. The default is -600.
  • A score of -600 to -1000 is unsafe.
  • A score of 0 to -599 is abnormal.
  • A score greater than 0 is safe.
memory_exploit_detection
Setting to enable or disable the memory protection feature.
  • 0 - Disabled
  • 1 - Enabled
Also set the memoryviolation_actions (memory_violations, memory_violations_ext, and memory_exclusion_list).
ole_auto_uploading
The value is 0.
optics
Setting to enable or disable CylanceOPTICS.
  • 0 - Disabled
  • 1 - Enabled
Also set the other CylanceOPTICS settings (the settings prefixed optics_).
optics_application_control_auto_upload
Setting to allow the automatic uploading of application control related focus data.
  • 0 - Disabled
  • 1 - Enabled
optics_malware_auto_upload
Setting to allow the automatic uploading of threat related focus data.
  • 0 - Disabled
  • 1 - Enabled
optics_memory_defense_auto_upload
Setting to allow the automatic uploading of memory protection related focus data.
  • 0 - Disabled
  • 1 - Enabled
optics_script_control_auto_upload
Setting to allow the automatic uploading of script control related focus data.
  • 0 - Disabled
  • 1 - Enabled
optics_sensors_advanced_executable_parsing
Setting to enable recording data fields associated with portable executable (PE) files, such as file version, import functions, and packer types. This is Enhanced Portable Executable Parsing in the policy settings.
  • 0 - Disabled
  • 1 - Enabled
optics_sensors_advanced_powershell_visibility
Setting to enable recording commands, arguments, scripts, and content entered directly into the Powershell console and the Powershell Integrated Script Environment (ISE).
  • 0 - Disabled
  • 1 - Enabled
optics_sensors_advanced_wmi_visibility
Setting to enable recording additional Windows Management Instrumentation (WMI) attributes and parameters.
  • 0 - Disabled
  • 1 - Enabled
optics_sensors_dns_visibility
Setting to enable recording DNS requests and responses and their associated data fields.
  • 0 - Disabled
  • 1 - Enabled
optics_sensors_enhanced_process_hooking_visibility
Setting to enable recording process information from the Win32 API and Kernel Audit messages to detect forms of process hooking and injection.
  • 0 - Disabled
  • 1 - Enabled
optics_sensors_private_network_address_visibility
Setting to enable recording network connections within the RFC 1918 (IPv4 private) and RFC 4193 (IPv6 unique local) address spaces.
  • 0 - Disabled
  • 1 - Enabled
optics_sensors_windows_event_log_visibility
Setting to enable recording Windows Security Events and their associated attributes.
  • 0 - Disabled
  • 1 - Enabled
optics_sensors_intel_cryptomining_detection
Setting to enable recording CPU activity using hardware registers for potential cryptomining and cryptojacking activities.
  • 0 - Disabled
  • 1 - Enabled
optics_set_disk_usage_maximum_fixed
Setting the maximum amount of device storage reserved for use by CylanceOPTICS, in MB. The minimum value is 500 and the maximum value is 1000.
optics_show_notifications
Setting to enable or disable desktop notifications on the device for CylanceOPTICS events.
  • 0 - Disabled
  • 1 - Enabled
pdf_auto_uploading
The value is 0.
powershell_auto_uploading
The value is 0.
prevent_service_shutdown
Setting that protects the Cylance service from being shut down, either manually or by another process.
  • 0 - Disabled
  • 1 - Enabled
python_auto_uploading
The value is 0.
sample_copy_path
Setting to copy all file samples to a network share (CIFS/SMB).
Example
{ "name": "sample_copy_path", "value": "\\\\server_name\\shared_folder" }
scan_exception_list
Setting to exclude specific folders and subfolders from being scanned by full_disc_scan and watch_for_new_files. Set the value to the absolute path for the excluded files.
Example
{ "name": "scan_exception_list", "value": [ "c:\\temp" ] }
scan_max_archive_size
Setting for the maximum archive file size (in MB) to be scanned.
  • The value can be 0 to 150.
  • If set to 0, then archive files will not be scanned.
script_control
Setting to enable or disable the script control feature.
  • 0 - Disabled
  • 1 - Enabled
show_notifications
Setting to enable or disable desktop notifications on the device for CylancePROTECT Desktop events.
  • 0 - Disabled
  • 1 - Enabled
threat_report_limit
The number of threats to upload to the console.
trust_files_in_scan_exception_list
Setting to allow execution of files in the folders listed in scan_exception_list. Because those folders are also excluded from scanning, files in them run without analysis, so keep the list narrow.
  • 0 - Disabled
  • 1 - Enabled
watch_for_new_files
Setting to analyze new or modified executable files for threats.
  • 0 - Disabled
  • 1 - Enabled
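The policy section documents a number of cross-field rules (auto_blocking and auto_uploading need filetype_actions for both file kinds, auto_delete needs days_until_deleted within 14 to 365, memory_exploit_detection needs a memoryviolation_actions section, script_control and device_control are switched on here but configured in their own sections, and several values have numeric limits). The block below, an added example that is not code from the page or from Cylance, checks a policy document against those rules before it is submitted; it also decodes the filetype_actions bit mask described earlier. The "policy" list is read in the {"name", "value"} form the sample_copy_path example uses; the filetype_actions shape ({kind: [{"actions", "file_type"}]}) and the top-level placement of the other sections are assumptions.

```python
"""Consistency checks for the policy section (added example, not from the page).

Reads "policy" as the {"name", "value"} list the page's examples use.  The
filetype_actions shape ({kind: [{"actions", "file_type"}]}) and the
top-level placement of the other sections are assumptions.  The "actions"
bit layout is from the page: 1 = auto-quarantine, 2 = auto-upload.
"""
import json

RANGES = {  # numeric limits documented on the page
    "days_until_deleted": (14, 365),
    "scan_max_archive_size": (0, 150),
    "optics_set_disk_usage_maximum_fixed": (500, 1000),
    "full_disc_scan": (0, 2),
}


def policy_values(doc):
    """Flatten the name/value list into a dict."""
    return {item["name"]: item["value"] for item in doc.get("policy", [])}


def decode_actions(code):
    """filetype_actions 'actions': bit 0 = auto-quarantine, bit 1 = auto-upload."""
    code = int(code)
    if not 0 <= code <= 3:
        raise ValueError(f"actions {code} outside 0..3")
    return {"auto_quarantine": bool(code & 1), "auto_upload": bool(code & 2)}


def encode_actions(auto_quarantine, auto_upload):
    return str(int(bool(auto_quarantine)) | (int(bool(auto_upload)) << 1))


def lint_policy(doc):
    """Return human-readable findings; an empty list means the policy is consistent."""
    p = policy_values(doc)
    findings = []

    def on(name):
        return str(p.get(name, "0")) == "1"

    for name, (lo, hi) in RANGES.items():
        if name in p and not lo <= int(p[name]) <= hi:
            findings.append(f"{name}={p[name]} outside {lo}..{hi}")

    ft = doc.get("filetype_actions") or {}
    decoded = {k: decode_actions(ft[k][0]["actions"])
               for k in ("threat_files", "suspicious_files") if ft.get(k)}
    for flag, bit in (("auto_blocking", "auto_quarantine"), ("auto_uploading", "auto_upload")):
        if not on(flag):
            continue
        if len(decoded) < 2:
            findings.append(f"{flag}=1 but filetype_actions lacks threat_files or suspicious_files")
        elif not any(d[bit] for d in decoded.values()):
            findings.append(f"{flag}=1 but no filetype_actions entry turns {bit} on")

    if on("auto_delete") and "days_until_deleted" not in p:
        findings.append("auto_delete=1 but days_until_deleted is not set")
    if "days_until_deleted" in p and not on("auto_delete"):
        findings.append("days_until_deleted has no effect while auto_delete=0")

    mv = doc.get("memoryviolation_actions") or {}
    if on("memory_exploit_detection") and not (mv.get("memory_violations") and mv.get("memory_violations_ext")):
        findings.append("memory_exploit_detection=1 but memoryviolation_actions is missing or incomplete")

    for name in ("script_control", "device_control"):
        if on(name) and not doc.get(name):
            findings.append(f"{name}=1 but the {name} section is missing")
        if doc.get(name) and not on(name):
            findings.append(f"{name} section present but {name}=0 in policy, so it is not applied")

    if on("trust_files_in_scan_exception_list"):
        findings.append("trust_files_in_scan_exception_list=1: files under "
                        f"{p.get('scan_exception_list', [])} run without analysis")
    if not on("prevent_service_shutdown"):
        findings.append("prevent_service_shutdown=0: the agent service can be stopped locally")
    return findings


if __name__ == "__main__":
    # Constructed sample with two deliberate mistakes (retention too short,
    # suspicious_files missing from filetype_actions).
    sample = {
        "policy": [{"name": "auto_blocking", "value": "1"},
                   {"name": "auto_delete", "value": "1"},
                   {"name": "days_until_deleted", "value": "7"},
                   {"name": "prevent_service_shutdown", "value": "1"}],
        "filetype_actions": {"threat_files": [{"actions": "3", "file_type": "executable"}]},
    }
    for finding in lint_policy(sample):
        print("-", finding)
```

Run it over the JSON the console's JSON view exports before pushing a policy through the API; the two advisory findings (trusted scan exceptions, service shutdown not prevented) are the settings most often relaxed during troubleshooting and forgotten afterwards.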
policy_name
This is the name of the policy. The name must be unique in your tenant.
script_control
These are the policy settings for script control.
script_control must be enabled (set to 1) under policy.
Item
Description
activescript_settings
  • control_mode
    - These are the settings for active script.
    • Alert
      - An alert is sent when an active script event occurs. The active script is allowed to run.
    • Block
      - The active script is blocked and an alert is sent.
global_settings
  • allowed_folders
    - The relative path to scripts that are allowed to run when script control is enabled. Example:
    "allowed_folders": [ "\\temp_scriptcontrol" ]
  • control_mode
    - Setting to enable or disable script control for agent version 1370 or lower. To use script control with macros, use agent version 1380 or later.
    • Alert
      - An alert is sent when an active script or Powershell event occurs. The script is allowed to run.
    • Block
      - The active script or Powershell is blocked and an alert is sent.
macro_settings
  • control_mode
    - Settings for Microsoft Office macros.
    • Alert
      - An alert is sent when an Office macro event occurs. The macro is allowed to run.
    • Block
      - The Office macro is blocked and an alert is sent.
powershell_settings
  • console_mode
    - The Powershell console is blocked to prevent Powershell command usage, including one-liners. To use this feature, the Powershell control_mode must be set to block.
  • control_mode
    • Alert
      - An alert is sent when a Powershell script event occurs. The Powershell script is allowed to run.
    • Block
      - The Powershell script is blocked and an alert is sent.
About disabling script control
For agent version 1430 and later, you can disable script control for active script, Powershell, or macros. Disabling script control allows the selected script type to run and does not send an alert to the console.
To disable script control for a specific script type, do not include the script type in the Create Policy API request.
Example: Script control for macros is disabled (no macro_settings object is present)
"script_control": { "powershell_settings": { "control_mode": "Block", "console_mode": "Block" }, "global_settings": { "control_mode": "Alert", "allowed_folders": [ "\\temp_scriptcontrol" ] }, "activescript_settings": { "control_mode": "Alert" } }
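Disabling by omission is easy to get wrong by hand, because a forgotten settings object silently turns a script type off rather than producing an error. The block below is an added example, not code from the page or from Cylance: it builds the section from one mode per script type, omits any type whose mode is None, enforces the rule that console_mode Block requires the Powershell control_mode to be Block, and reports which types an existing section leaves disabled. Key names and modes are from the page; the builder and its parameter names are assumptions.

```python
"""script_control builder with disable-by-omission (added example, not from the page).

On agent 1430 and later a script type is disabled by leaving its settings
object out of the request, so the builder takes a mode per script type and
omits any type whose mode is None.  It also enforces the page's rule that
powershell console_mode Block requires powershell control_mode Block.
Key names and modes are from the page; the builder itself is an assumption.
"""
import json

SETTINGS_KEY = {"activescript": "activescript_settings",
                "powershell": "powershell_settings",
                "macro": "macro_settings"}
MODES = ("Alert", "Block")


def build_script_control(activescript=None, powershell=None, macro=None,
                         block_powershell_console=False,
                         global_mode="Alert", allowed_folders=()):
    """Return a script_control section; None for a script type disables it."""
    modes = {"activescript": activescript, "powershell": powershell, "macro": macro}
    for script_type, mode in modes.items():
        if mode is not None and mode not in MODES:
            raise ValueError(f"{script_type}: mode must be one of {MODES}, got {mode!r}")
    if global_mode not in MODES:
        raise ValueError(f"global control_mode must be one of {MODES}")
    if block_powershell_console and powershell != "Block":
        raise ValueError("console_mode Block requires powershell control_mode Block")
    section = {"global_settings": {"control_mode": global_mode,
                                   "allowed_folders": list(allowed_folders)}}
    for script_type, key in SETTINGS_KEY.items():
        if modes[script_type] is None:
            continue  # omitted on purpose: this script type is disabled
        section[key] = {"control_mode": modes[script_type]}
    if block_powershell_console:
        section["powershell_settings"]["console_mode"] = "Block"
    return section


def disabled_script_types(section):
    """Script types an existing section leaves disabled (no settings object)."""
    return sorted(t for t, key in SETTINGS_KEY.items() if key not in section)


def effective_modes(section):
    """Map each script type to its control_mode, or 'Disabled' when omitted."""
    return {t: section.get(key, {}).get("control_mode", "Disabled")
            for t, key in SETTINGS_KEY.items()}


if __name__ == "__main__":
    # Reproduces the page's example: macros disabled, Powershell and its console blocked.
    section = build_script_control(activescript="Alert", powershell="Block",
                                   block_powershell_console=True,
                                   allowed_folders=["\\temp_scriptcontrol"])
    print(json.dumps({"script_control": section}, indent=2))
    print("disabled:", disabled_script_types(section))
```

Reviewing a policy pulled from the API with effective_modes makes an accidental "Disabled" visible, which the raw JSON does not, since the missing key is the only evidence.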