Will Cylance replace or augment my current AV solution?
Microsoft recognizes CylancePROTECT as an AV/anti-spyware solution, so it can be your one and only solution, or it can complement what you already have.
That is entirely up to you. What we typically see our customers do is choose not to renew their current AV solution and remove the old AV from their systems.
If you run a suite of endpoint protection tools:
– Determine which functions the HIPS, spyware, AV or other components are being used for and compare them against Cylance; if they are comparable, then both the AV and HIPS components are replaced by Cylance.
If I put Protect on my machine after I’ve been infected can you block and quarantine it?
Yes. If an unsafe file is detected and you quarantine it, we will quarantine the file and stop any related processes so the machine remains safe. The next time the file attempts to execute, we will not only prevent it from doing so, we will also quarantine the related binaries.
How do you clean infections?
CylancePROTECT in an auto-quarantine state prevents the infection from occurring in the first place, negating the need for cleaning. As long as CylancePROTECT is installed, malware will not be able to execute regardless of its presence. In the event CylancePROTECT is installed after the machine has already been infected, Cylance will provide all the details necessary to identify the indicators of infection. Unlike other solutions, in order to avoid leaving malware residue or destabilizing the system, we will not “auto-clean” the system. Auto-cleaning is what many claim to do but in reality do quite poorly, often leaving malware able to rebuild its attack capabilities.
I’m worried that your ability to stop bad files before they execute will take too long and will cause me or my users to complain about performance.
Cylance is able to evaluate ~6 million code features at the time an .exe, .dll, or .sys attempts to start and convict it in ~50 ms, which is 1/6 of the time it takes for a person to blink. The bottom line is that the process is extremely accurate and undetectable by the user. It is also non-impactful to the network, since analysis and conviction are handled on the local machine and not in the ‘cloud’.
For Semi-Managed and Self-Managed Subscriptions
Under your classifications what does trusted-local mean? And how can I trust it?
Trusted – Local is a classification by the Cylance Alert Management Team meaning the file has been confirmed to be a safe file (trusted). Local means a customer can confidently apply a “safe” action on this file in their environment. Cylance does not apply white lists, but “Trusted – Local” means you can confidently treat this file as ‘safe’ for legitimate use within your environment if you desire or your policy allows it.
What type of forensic data does Cylance’s solution provide? How does its solution help us from a forensics point of view?
Forensics and incident response are actually exactly what this software is designed to prevent you from needing to do. CylancePROTECT is the first technology that has made a generational leap in detection and prevention of malware execution, and is capable of applying this advancement before anything runs, so there is never cleanup of registry keys, files, etc.
How do you handle malicious shell scripts?
Every technology has a cost to operationalize within your current network. In fact, as a former Ops person myself, over 50% of my time was dedicated to deployment, tuning, and troubleshooting of devices. While our deployment, troubleshooting and tuning costs are low, DO expect CylancePROTECT to find a lot of things your current solution missed. Cylance knows that networks can have findings (malware, adware, spyware, etc.) on up to 40% of their hosts. Cylance can help you get clean, triage the list, and not be overwhelmed when you “turn the light on”. Its Threat Zero service will prioritize the findings so you know where to start, and ensure you extract the maximum value from the technology.
Recommended Multi-Device Policy Rollout
When installing CylancePROTECT on production machines in your organization’s environment, it is recommended to implement device policy features in a phased approach to ensure that performance and operations are not impacted.
1) At initial install, it is recommended to have the device in a passive policy (with nothing enabled).
- File Actions: Auto Quarantine off & Auto Upload on
- Memory Actions: Memory Protection off
- Protection Settings: Background Threat Detection & Watch for New Files off
At this point, allow the agent about a day to do an initial scan, which uses only Execution Control to analyze running processes. This includes all files that run at system startup, that are set to auto-run, and that are manually executed by the user.
2) Once the initial scan is complete, enable Background Threat Detection & Watch for New Files.
- The File Watcher may impact performance, so check whether disk or message processing performance has changed
- It may help to add folder exclusions (see KB here) to improve performance and ensure certain folders and files do not get scanned or analyzed by the agent
3) Once Background Threat Detection is complete, review all the threats that the agent identified on the device. If this includes any legitimate applications necessary for business operations, make sure to either Waive or Global Safe List these files. At this point, Auto Quarantine can be enabled in the device policy.
4) Before enabling memory protection, make sure that there are no other memory protection applications running on the system. If so, it may be necessary to create process exclusions or disable the application entirely to avoid conflict when running simultaneously with CylancePROTECT Memory Protection. Enable Memory Protection in Alert mode initially and let it run in Alert mode until all normal applications, processes, and scheduled tasks have had a chance to run at least once. Monitor the device(s) for any exploit attempts logged by legitimate applications and create exclusions as necessary. Once you’re sure that no normal processes will trigger exploit attempts, change Memory Protection from Alert to Block mode.
At this point, your systems should be fully protected from any malicious applications and activity.
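The four steps above are really a sequence of gates: each policy feature is only switched on once the evidence from the previous phase says it is safe to do so. The script below is an added example (not Cylance's code and not its console API) that models those gates so a rollout can be checked per device before the next feature is enabled. The policy keys, the DeviceState fields, the 24-hour initial-scan window and the 168-hour alert-mode soak period are assumptions chosen to mirror the text; the findings and exploit alerts in demo_rollout() are constructed sample data, to be replaced by an export from your own console.

```python
"""Gated model of the four-step CylancePROTECT policy rollout.

Added example, not Cylance's code or console API: the policy keys, the
DeviceState fields and the 24h / 168h thresholds are assumptions that
mirror the steps in the text. Replace the constructed sample data in
demo_rollout() with your own console exports to check whether the next
step is safe to enable on a device.
"""
from dataclasses import dataclass, field

# Step 1 policy: passive, nothing enabled except Auto Upload (constructed model).
PASSIVE_POLICY = {
    "auto_quarantine": False,
    "auto_upload": True,
    "memory_protection": "off",        # "off" -> "alert" -> "block"
    "background_threat_detection": False,
    "watch_for_new_files": False,
}
INITIAL_SCAN_HOURS = 24    # assumption: "about a day" of Execution Control only
MIN_ALERT_HOURS = 168      # assumption: a week, so weekly scheduled tasks run once


@dataclass
class Threat:
    path: str
    disposition: str       # "unreviewed" | "waived" | "global_safe" | "quarantine"

@dataclass
class MemoryEvent:
    process: str
    violation: str
    excluded: bool         # True once a process exclusion covers this process

@dataclass
class DeviceState:
    policy: dict
    hours_since_install: float = 0.0
    background_scan_complete: bool = False
    threats: list = field(default_factory=list)
    other_memory_protection: bool = False
    hours_in_alert_mode: float = 0.0
    memory_events: list = field(default_factory=list)


def blockers(s):
    """Reasons the next rollout step cannot be enabled yet; empty list means go."""
    p = s.policy
    if not p["background_threat_detection"]:                       # gate for step 2
        return [] if s.hours_since_install >= INITIAL_SCAN_HOURS else ["initial Execution Control scan window not elapsed"]
    if not p["auto_quarantine"]:                                   # gate for step 3
        out = [] if s.background_scan_complete else ["Background Threat Detection still running"]
        out += [f"undecided finding: {t.path}" for t in s.threats if t.disposition == "unreviewed"]
        return out
    if p["memory_protection"] == "off":                            # gate for step 4 (Alert)
        return ["another memory protection product is running"] if s.other_memory_protection else []
    if p["memory_protection"] == "alert":                          # gate for step 4 (Block)
        out = [] if s.hours_in_alert_mode >= MIN_ALERT_HOURS else ["alert-mode soak period not elapsed"]
        out += [f"unexcluded exploit alert: {e.process} ({e.violation})" for e in s.memory_events if not e.excluded]
        return out
    return []


def advance(s):
    """Apply the next step in place if its gate passes; return the step name, else None."""
    if blockers(s):
        return None
    p = s.policy
    if not p["background_threat_detection"]:
        p["background_threat_detection"] = True
        p["watch_for_new_files"] = True
        return "step 2: Background Threat Detection + Watch for New Files"
    if not p["auto_quarantine"]:
        p["auto_quarantine"] = True
        return "step 3: Auto Quarantine"
    if p["memory_protection"] == "off":
        p["memory_protection"] = "alert"
        return "step 4: Memory Protection (Alert)"
    if p["memory_protection"] == "alert":
        p["memory_protection"] = "block"
        return "step 4: Memory Protection (Block)"
    return None                                                    # fully rolled out


def demo_rollout():
    """Walk one constructed device through the rollout; returns the steps applied in order."""
    s = DeviceState(policy=dict(PASSIVE_POLICY))
    applied = []
    assert advance(s) is None                      # day 0: still in the passive scan window
    s.hours_since_install = 30
    applied.append(advance(s))
    # Constructed findings from the background scan: one real threat, one line-of-business tool.
    s.threats = [Threat(r"C:\Temp\dropper.exe", "quarantine"),
                 Threat(r"C:\Apps\lob-updater.exe", "unreviewed")]
    s.background_scan_complete = True
    assert advance(s) is None                      # the undecided finding blocks Auto Quarantine
    s.threats[1].disposition = "waived"
    applied.append(advance(s))
    s.other_memory_protection = True
    assert advance(s) is None                      # conflicting product must be removed first
    s.other_memory_protection = False
    applied.append(advance(s))
    s.hours_in_alert_mode = 200
    s.memory_events = [MemoryEvent("lob-updater.exe", "stack pivot", excluded=False)]
    assert advance(s) is None                      # a legitimate app still trips an alert
    s.memory_events[0].excluded = True
    applied.append(advance(s))
    assert advance(s) is None                      # nothing left to enable
    return applied


if __name__ == "__main__":
    for step in demo_rollout():
        print("enabled", step)
```

The point of blockers() returning reasons rather than a bare yes/no is that the reasons are exactly the work items the procedure calls for: an undecided finding means Waive or Global Safe List it, an unexcluded exploit alert from a known-good process means add a process exclusion, and a soak period that has not elapsed means wait for the remaining scheduled tasks to run before moving Memory Protection from Alert to Block.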