Cylance: Protect - Memory Protection Settings
Description
Overview
Recommended Memory Protection Settings for CylancePROTECT.
If you are going through an Agent update from version 2.1.1578 (or older), please reference the following page for recommended steps.
For assistance with adding Memory Action exclusions for Exploit Attempts, please reference the following page for recommended steps.
Settings for Violation Types
With version 3.x, Cylance has introduced a more advanced memory analysis feature where we are now inspecting processes at the kernel level and introduced new violation detection options.
- With this enhanced feature brings more visibility, however, many of the new violation types bring an expectation of needing to re-baseline Memory Protection (Exploit Attempts) for applied policies.
Some of these new violation types are expected to be very ‘noisy’ as you should expect to see alerts for both valid and malicious behaviors/actions/injections.
Each new violation type should be carefully onboarded to prevent unexpected conflicts, outages, or consistent alerting that could potentially slow down the machine.
Through our investigations and support history, we have found some of the new violation types to be very noisy and conflict with many valid processes.
It is our recommendation to leave these violation types to ‘IGNORE’ and, if desired, only enabled in ‘ALERT’ mode one-by-one with the expectation of modifying your existing policies due to conflicts.
- Please note the ‘if desired’ as we do not feel that these violation types are essential to provide adequate protection/detection when evaluating a ‘usability vs security’ scenario.
The following link will provide you with a description of each violation type: Memory protection violation types (blackberry.com)
The following lists the available Violation Types and our Recommendations for which ones should be set to IGNORE.
- The rest of the Violation Types should be set to either an ALERT or a TERMINATE response, depending on where you are at in the Cylance implementation process.
- Our suggested policy names include “MemA” for Alert and “MemT” for Terminate.
- Exploitation
- Stack Pivot (Alert/Terminate)
- Stack Protect (Alert/Terminate)
- Overwrite Code (Alert/Terminate)
- RAM Scraping (Alert/Terminate)
- Malicious Payload (Alert/Terminate)
- System Call Monitoring (Alert/Terminate)
- Direct System Calls (Ignore)
- System DLL Overwrite (Ignore)
- Dangerous COM Object (Alert/Terminate)
- Injection via APC (Ignore)
- Dangerous VBA Macro (Alert/Terminate)
- Process Injection
- Remote Allocation of Memory (Alert/Terminate)
- Remote Mapping of Memory (Alert/Terminate)
- Remote Write to Memory (Alert/Terminate)
- Remote Write PE to Memory (Alert/Terminate)
- Remote Overwrite Code (Alert/Terminate)
- Remote Unmap of Memory (Alert/Terminate)
- Remote Thread Creation (Alert/Terminate)
- Remote APC Scheduled (Alert/Terminate)
- DYLD Injection (macOS and Linux only) (Alert/Terminate)
- Doppelganger (Alert/Terminate)
- Dangerous Environmental Variable (Ignore)
- Escalation
- LSASS Read (Alert/Terminate)
- Zero Allocate (Alert/Terminate)
- Memory Permission Changes in Other Processes (Ignore)
- Memory Permission Changes in Child Processes (Ignore)
- Stolen System Token (Alert/Terminate)
- Low Integrity Process Start (Alert/Terminate)
Screenshot Examples:
- Exploitation
- Process Injection
- Escalation
