Infocyte: ARR Named Policies

Description

This page collects the technical documentation for Named Policies in the Infocyte Portal: activating policies, setting defaults, and creating custom Ransomware Detection and Windows Defender policies.


Activating Policies

  • To assign a policy to any Organization or Location, it must first be activated.
  • Activate each Policy by clicking the radio button next to the corresponding policy.




Default Policies

  • Policies set as default are automatically inherited by all Organizations and Locations created after the default is assigned.
  • Custom Named Policies may be set as Default Policies.
  • You may not have more than one default policy of each type.
  • Default policies can be overridden in individual Organizations and Locations by assigning a Named Policy.
  • If no policy is designated as default, policies have to be applied manually to each Organization and Location.
  • To set or disable a Default Policy, click the three-dot menu next to the policy you are modifying and select the option from the drop-down menu.


  • You may not delete a Policy if it is in effect for any Location.

Creating Custom Policies

  • Custom policies are based on Windows Defender, Datto AV, or Ransomware Detection rules.
  • On the Policies page, click Create Policy.


  • The Create Policy modal will open.
  • In the Type drop-down field, select the kind of policy you are creating (Ransomware Detection, Windows Defender, or Datto AV).
  • Enter a unique identifier for this policy in the Name field.
  • Input a short summary of the policy's purpose in the Description field.


  • Click Create to save your changes.

Creating A Custom Ransomware Policy

Ransomware Detection monitors endpoints for the presence of ransomware and, if it is detected, alerts, isolates the device, and attempts to stop the ransomware processes to keep the infection from spreading.

  • After you click Create, the policy configuration screen opens; this is where you make your modifications.

Image: recommended Ransomware Detection policy settings

  • The recommended settings are shown above. We generally do not recommend the Shut Down Host response to ransomware, because a forced shutdown can result in loss of data and logs.
  • Once you are satisfied with your settings, save the Policy and activate it by clicking the radio button next to it.
  • See the Ransomware Detection with Rollback and Recovery article for important information about those features.



Creating a Custom Defender Policy


A Windows Defender policy configures Defender's protection features on the endpoint and provides an additional layer to help guard against malware, spyware, and malicious browser activity.

  • Enter a name and description for the custom policy.



  • Select your configuration for each subset of settings.
  • Enter any scanning exclusions.
  • Your endpoint must be running Microsoft Defender Antivirus version 1.381.2164.0 or higher to use the Use advanced Office / Adobe Reader protection toggle in the Attack Surface Reduction section of the policy. If the endpoint is not running this version or above, disable the toggle.
  • Save and activate your Policy.



Windows Defender Policy Definitions

Interface

  • Disable User Interface - Limits the endpoint user's ability to view the Defender UI and notifications or to change scanning behavior.
  • Use a proxy server - Enables proxy configuration for partners whose endpoints receive updates through a proxy.

Protection

  • Cloud-based protection - Leverages Microsoft Defender's cloud platform to evaluate file samples and block content determined to be a threat by the Defender community.
  • Behavior-based protection - Monitors process behavior for threats identified through machine learning.
  • Keep Defender service alive in all circumstances - Enables the Defender service's keepalive functions.
  • Monitor file and program activity - Monitors new files and file-related activity.
  • Network inspection and protocol recognition - Monitors outbound HTTP(S) traffic and blocks connections to sites such as command-and-control (C2) servers, phishing pages, and other malicious targets.
  • Scan scripts used in Microsoft browsers - Scans for malicious scripts from web pages when using Microsoft browsers.
  • Block risky DNS request - Attempts to identify and block connections to domains known to be risky or to host malware.
  • Detection based on heuristics - Inspects code for suspicious elements.
  • Microsoft Outlook protection - Scans Microsoft Outlook for suspicious emails and attachments.

Scanning exclusions

  • Excludes specific processes, files, folders, and extensions from scanning (e.g. quarantine folders, other security products). Each exclusion removes coverage, so keep the list as narrow as possible.

Defender Attack Surface Reduction

  • Use advanced ransomware protection - Uses the Windows client and cloud heuristics to determine whether a file resembles ransomware; can run in conjunction with the Ransomware Detection Policy.
  • Block abuse of exploited / vulnerable signed drivers - Prevents applications from writing a vulnerable signed driver to disk.
  • Block untrusted unsigned process running from USB - Blocks untrusted or unsigned processes on a USB drive from executing.
  • Block advanced malware attack techniques - Blocks potentially obfuscated scripts, possible persistence through WMI, and process creation from PsExec and WMI.
  • Use advanced Office / Adobe Reader protection - Monitors and blocks Microsoft Office and Adobe applications that inject code, create child processes, or make Win32 API calls (your endpoint must be running Microsoft Defender Antivirus version 1.381.2164.0 or higher to use this function; otherwise disable it).
  • Protection Level - Toggles Windows Defender's response for these rules between Audit and Block mode.

Attack Surface Reduction Exclusions

  • Process exclusions - Excludes specific processes from analysis by the Attack Surface Reduction ruleset (e.g. security software, backup solutions).
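Once a Defender policy has been saved and activated, you will want to confirm what the endpoint actually enforces. The PowerShell below is an added example, not Infocyte or Datto code: it reads the endpoint's Defender preferences and reports the setting behind each Protection toggle, the action configured for the Attack Surface Reduction rules, whether the endpoint meets the 1.381.2164.0 prerequisite for the Office / Adobe Reader toggle, and the scanning and ASR exclusion lists, flagging path exclusions broad enough to hide an attacker's working directory. The mapping from portal toggles to Defender preference names and ASR rule GUIDs is this example's assumption (the GUIDs are Microsoft's documented rule IDs); reading the article's version number as Defender's security intelligence (signature) version, which uses that 1.381.x.0 numbering, is also an assumption. Run it in an elevated session on the endpoint.

```powershell
# Added example (not Infocyte/Datto code): audit an endpoint's effective Defender settings
# against the policy definitions in this article. The toggle-to-setting mapping below is
# an assumption of this example, not taken from the portal.

# Article prerequisite for "Use advanced Office / Adobe Reader protection" (assumed to be the
# security intelligence / signature version, which uses 1.381.x.0 numbering).
$RequiredSignatureVersion = [version]'1.381.2164.0'

# Microsoft-documented ASR rule GUIDs assumed to back each portal toggle.
$AsrRules = [ordered]@{
    'Use advanced ransomware protection'                   = @('c1db55ab-c21a-4637-bb3f-a12568109d35')
    'Block abuse of exploited / vulnerable signed drivers' = @('56a863a9-875e-4185-98a7-b882c64b5ce5')
    'Block untrusted unsigned process running from USB'    = @('b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4')
    'Block advanced malware attack techniques'             = @(
        '5beb7efe-fd9a-4556-801d-275e5ffc04cc',   # potentially obfuscated scripts
        'e6db77e5-3df2-4cf1-b95a-636979351e5b',   # persistence through WMI event subscription
        'd1e49aac-8f56-4280-b9ba-993a6d77406c')   # process creation from PsExec and WMI
    'Use advanced Office / Adobe Reader protection'        = @(
        'd4f940ab-401b-4efc-aadc-ad5f3c50688a',   # Office apps creating child processes
        '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84',   # Office apps injecting code
        '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b',   # Win32 API calls from Office macros
        '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c')   # Adobe Reader creating child processes
}
# Action codes as used by Set-MpPreference -AttackSurfaceReductionRules_Actions.
$AsrAction = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-DefenderPolicyReport {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # Defender exposes most protection features as Disable* flags, so invert them.
    $protection = [ordered]@{
        'Cloud-based protection'                     = ($pref.MAPSReporting -ne 0)
        'Behavior-based protection'                  = (-not $pref.DisableBehaviorMonitoring)
        'Monitor file and program activity'          = (-not $pref.DisableRealtimeMonitoring)
        'Network inspection and protocol recognition' = ($pref.EnableNetworkProtection -eq 1)
        'Scan scripts used in Microsoft browsers'    = (-not $pref.DisableScriptScanning)
        'Microsoft Outlook protection'               = (-not $pref.DisableEmailScanning)
    }

    # Resolve each portal ASR toggle to the action currently set for its rule(s).
    $ids = @(@($pref.AttackSurfaceReductionRules_Ids) | Where-Object { $_ } | ForEach-Object { $_.ToLower() })
    $asr = foreach ($name in $AsrRules.Keys) {
        foreach ($guid in $AsrRules[$name]) {
            $i = [array]::IndexOf($ids, $guid)
            $action = if ($i -ge 0) { $AsrAction[[int]$pref.AttackSurfaceReductionRules_Actions[$i]] }
                      else          { 'Not configured' }
            [pscustomobject]@{ Toggle = $name; RuleId = $guid; Action = $action }
        }
    }

    # The Office/Adobe toggle must be disabled on endpoints below the required version.
    $sigVersion = [version]$status.AntivirusSignatureVersion
    $officeOk   = $sigVersion -ge $RequiredSignatureVersion

    # Exclusions remove coverage; flag whole drives, wildcards, and common staging directories.
    $broad = @(@($pref.ExclusionPath) | Where-Object {
        $_ -and ($_ -match '^[A-Za-z]:\\?$' -or $_ -match '(?i)\\(Temp|Users|ProgramData)\\?$' -or $_ -match '\*')
    })

    [pscustomobject]@{
        Protection               = $protection
        AttackSurfaceReduction   = $asr
        SignatureVersion         = $sigVersion
        OfficeAdobeToggleAllowed = $officeOk
        ExclusionPaths           = @($pref.ExclusionPath)
        ExclusionProcesses       = @($pref.ExclusionProcess)
        ExclusionExtensions      = @($pref.ExclusionExtension)
        AsrOnlyExclusions        = @($pref.AttackSurfaceReductionOnlyExclusions)
        BroadExclusions          = $broad
    }
}

$report = Get-DefenderPolicyReport
$report.Protection.GetEnumerator() | Format-Table Name, Value -AutoSize
$report.AttackSurfaceReduction | Format-Table Toggle, Action, RuleId -AutoSize
"Signature version $($report.SignatureVersion); Office/Adobe toggle supported: $($report.OfficeAdobeToggleAllowed)"
if ($report.BroadExclusions.Count -gt 0) {
    Write-Warning "Broad exclusions present: $($report.BroadExclusions -join ', ')"
}
```

A toggle whose rules report Audit rather than Block means the policy's Protection Level is still in Audit mode; Not configured for a toggle you enabled usually means the policy has not yet reached the endpoint. If OfficeAdobeToggleAllowed is False, disable that toggle in the policy, as the article instructs, or update Defender's security intelligence before relying on it.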

