
CylancePROTECT® Administrator Guide

Product: CylancePROTECT®
Document: CylancePROTECT® Administrator Guide. This guide is a succinct resource for analysts, administrators, and customers who are reviewing or evaluating the product.
Document Release Date: 2.1 rev37, November 2020

About BlackBerry Cylance®: BlackBerry Cylance develops artificial intelligence to deliver prevention-first, predictive security products and smart, simple, secure solutions that change how organizations approach endpoint security. BlackBerry Cylance provides full-spectrum predictive threat prevention and visibility across the enterprise to combat the most notorious and advanced cybersecurity attacks, fortifying endpoints to promote security hygiene in the security operations center, throughout global networks, and even on employees' home networks. With AI-based malware prevention, threat hunting, automated detection and response, and expert security services, BlackBerry Cylance protects the endpoint without increasing staff workload or costs.

Copyright: © 2020 BlackBerry Cylance Inc. All Rights Reserved.

Global Headquarters
400 Irvine Spectrum Drive, Irvine, CA 92618

Professional Services Hotline
+1-877-97DEFEND • +1-877-973-3336

Corporate Contact
+1-914-CYLANCE • +1-914-295-2623

Email
[email protected]

Website
https://www.cylance.com

To Open a Support Ticket
https://support.cylance.com — Click on Submit a Ticket

To View Knowledge Base and Announcements
Login to https://support.cylance.com

To Request a Callback from BlackBerry Cylance Support
+1-866-699-9689
Table of Contents

Table of Contents ... 3
Contents ... 4
Overview ... 11
  How It Works ... 12
  About This Guide ... 13
  Communications ... 13
    CylancePROTECT Domain Descriptions ... 14
    Additional Domains Required for Console Navigation Descriptions ... 14
  What's New in CylancePROTECT ... 15
  Login ... 15
    Password requirements ... 15
Console Configuration ... 16
  Device Policy ... 16
    Policy Best Practices ... 16
    File Actions ... 19
    Memory Actions ... 21
    Protection Settings ... 26
    Application Control ... 29
    Agent Settings ... 31
    Script Control ... 32
    Device Control ... 37
    Apply a Policy to a Device ... 42
    Clone a Device Policy ... 42
  Zones ... 43
    About Zone Priority ... 44
    Zone Management Best Practices ... 44
    Zone Properties ... 47
    Zone Rules ... 47
    Zones Device List ... 50
Agent Installation ... 52
  Download the Install File ... 52
    Install the Agent from the Application Page ... 52

CylancePROTECT Administrator Guide, 2.1 rev37, November 2020 | 4

    Install the Agent from the Deployments Page ... 53
  Windows Agent ... 54
    System Requirements ... 54
    Install the Agent — Windows ... 60
    Windows Installation Parameters ... 60
    Windows Installation Verification ... 64
    Uninstall the Windows Agent ... 64
  CylancePROTECT + CylanceOPTICS Windows Agent ... 67
    Install CylancePROTECT + CylanceOPTICS ... 68
    CylancePROTECT + CylanceOPTICS Installation Parameters ... 69
    Uninstall CylancePROTECT + CylanceOPTICS ... 71
  macOS Agent ... 73
    System Requirements ... 73
    Install the Agent — macOS ... 76
    Installation — System Management ... 76
    Install the Agent from the Command Line ... 76
    Optional Installation Parameters ... 77
    macOS Installation Parameters ... 78
    macOS High Sierra – Secure Kernel Extension Loading ... 79
    Use Mobile Device Management ... 80
    macOS Installation Verification ... 81
    Uninstall the macOS Agent ... 82
  Linux Agent ... 82
    System Requirements ... 82
    Linux Installation ... 86
    Install the RHEL/CentOS Agent Automatically ... 88
    Install the RHEL/CentOS Agent Manually ... 89
    Install the Ubuntu Agent Manually ... 91
    Install the Amazon Agent Automatically ... 92
    Install the Amazon Agent Manually ... 92
    Amazon Linux Commands ... 93
    Install the SUSE Agent Automatically ... 93
    Install the SUSE Agent Manually ... 94
    Start the UI (Ubuntu and SUSE 12) ... 94
    Installation — System Management ... 95
    Set an Unauthenticated Proxy Server - Linux ... 95
    Set an Authenticated Proxy Server - Linux ... 96
    Kernel Driver ... 98
    Logging - Linux ... 99
    Re-register a Linux Agent ... 101
    Stop or Start the Linux Service ... 101
    Upgrade the Linux Agent ... 101
    Uninstall the Linux Agent ... 102
  Agent Update ... 103
    Zone-Based Updating ... 103
    Rollback Agent Version ... 103
  Password-Protected Uninstall ... 105
    To Create an Uninstall Password ... 105
  Agent Service ... 106
  Agent User Interface ... 107
    Agent UI Notifications ... 107
    Threats Tab ... 111
    Events Tab ... 111
    Scripts Tab ... 111
    Agent Menu Options ... 112
    Enable Agent User Interface Advanced Options ... 113
  Virtual Machines ... 114
  Enable Submitting Helpdesk Tickets ... 114
  Changing the Help / FAQ Link in the Agent UI ... 116
Device Management ... 118
  Device Threats & Activities ... 119
    Threats ... 119
    Exploit Attempts ... 119
    Application Control ... 119
    Agent Logs ... 120
    Script Control ... 120
    External Devices ... 121
  Duplicate Devices ... 122
    Example Using Microsoft Excel ... 122
Threat Management ... 123
  Dashboard ... 123
    Threat Statistics ... 124
    Protection Percentages ... 124
    Threats by Priority ... 124
    Threat Events ... 127
    Threat Classifications ... 127
    Top Ten Lists ... 128
    Priority of Threat Actions ... 129
  Threat Protection ... 129
    Unsafe and Abnormal Files ... 129
    Cylance Score ... 130
    File Classification ... 130
    View Threat Information ... 133
    Save a Filter ... 136
    Threat Details ... 137
    Addressing Threats ... 141
  Protection — Script Control ... 145
  Protection — External Devices ... 147
  Global List ... 148
    Safe List Scripts by Hash ... 150
    Safe List by Certificate ... 150
Reports ... 153
  CylancePROTECT Overview Report ... 153
  Threat Event Summary Report ... 154
  Device Summary Report ... 156
  Threat Events Detail Report ... 157
  Devices Detail Report ... 157
  Export Reports ... 158
Administration ... 159
  Application ... 159
    Invitation URL ... 159
    Syslog/SIEM Settings ... 159
    Change Syslog Settings ... 159
    Event Types ... 160
    Application Control ... 160
    Audit Log ... 161
    Devices ... 162
    Memory Protection ... 163
    Threats ... 164
    Threat Classifications ... 165
    Security Information and Event Management (SIEM) ... 165
    Protocol ... 165
    TLS / SSL ... 165
    IP / Domain ... 165
    Port ... 166
    Severity ... 166
    Facility ... 166
    Testing the Connection ... 166
    Custom Authentication ... 166
    Threat Data Report ... 167
  User Management ... 168
    Add Users ... 168
    Change User Roles ... 168
    Remove Users ... 169
    Role Management ... 169
  My Account ... 175
  Audit Logs ... 176
How-To Guide ... 177
  Help and FAQ ... 177
  Language Preferences ... 177
    In Google Chrome ... 177
    In Mozilla Firefox ... 178
  Network Related ... 178
    Firewall ... 178
    Proxy ... 178
  Integrations ... 179
    CylanceOPTICS API ... 179
Troubleshooting ... 180
  Missing Menu Options, Pages, and Functionality ... 180
  Installation Parameters ... 180
  Performance Concerns ... 181
  Update, Status, and Connectivity Issues ... 181
  Enable Debug Logging ... 182
  Script Control Incompatibilities ... 182
  Enable Support Login ... 183
  Virtual Machines ... 184
  Time Zone Variances ... 185
Cylance Host URLs ... 187
  North America ... 187
  Asia-Pacific North East ... 187
  Asia-Pacific South East (including Australia) ... 188
  Europe Central ... 189
  South America East ... 189
SIEM / Syslog URLs ... 190
  Asia-Pacific North East (login-apne1.cylance.com) ... 190
  Asia-Pacific South East (login-au.cylance.com) ... 190
  Europe Central (login-euc1.cylance.com) ... 190
  North America (login.cylance.com) ... 191
  South America (login-sae1.cylance.com) ... 191
Undeliverable Messages ... 191
Agent Status Information File ... 192
Appendix A: VDI Best Practices ... 197
  Malware Prevention ... 198
  Gold Image Preparation ... 199
  Layering in Memory Protection & Script Control ... 205
  Non-Persistent VDI Install Parameter ... 205
    Details for VDI=<X> ... 206
    Details for AD=1 ... 207
  Verification ... 207
  VDI Agent Update Process ... 208
Appendix B: Cylance Exclusions and When to Use Them ... 209
  Policy Safe List (File Actions) ... 209
    Example Scenario ... 209
  Exclude Executable Files (Memory Protection) ... 209
    Example Scenario ... 210
  Exclude Specific Folders (Protection Settings) ... 210
    Example Scenario ... 210
  Folder Exclusions (Script Control) ... 211
    Example Scenario ... 211

OVERVIEW

CylancePROTECT detects and blocks malware before it can affect a device. Cylance uses a mathematical approach to malware identification, applying machine learning techniques instead of reactive signatures, trust-based systems, or sandboxes. This approach renders new malware, viruses, bots, and future variants useless. CylancePROTECT analyzes potential file executions for malware in the Operating System and memory layers to prevent the delivery of malicious payloads.

This guide explains how to use the Cylance Console, how to install the CylancePROTECT Agent, and how to configure both. Best practices are included where applicable.

How It Works

CylancePROTECT consists of a small Agent, installed on each host, that communicates with the cloud-based Console. The Agent detects and prevents malware on the host by using tested mathematical models; it does not require continuous cloud connectivity or continual signature updates, and it works in both open and isolated networks. As the threat landscape evolves, so does CylancePROTECT. By constantly training on enormous, real-world data sets, CylancePROTECT stays one step ahead of the attackers.

Figure 1: CylancePROTECT Threat Analysis Flowchart

- Threat: When a threat is downloaded to the device or there is an exploit attempt (something running in memory that attempts to execute an attack).
- Threat Detection: How the Agent identifies threats.
  - Running Module Scan: Scans processes running on the device. This is collected after the initial installation of CylancePROTECT and when the Cylance Service starts (example: system boot).
  - Execution Control: Analyzes processes upon execution only. This includes all files that run at startup, that are set to auto-run, and that are manually executed by the user.