Cylance: Protect - Updating to Agent version 3.* for Windows

Description

Summary

BlackBerry Protect Desktop agent 3.* features Memory Protection v2 and Script Control v2, which provide the following enhanced security capabilities:

  • Memory Protection enhancements: Memory Protection v2 applies new capabilities (memory definition v2) to both new and existing violation types. These new capabilities result in the generation of more events than in previous releases.
  • Script control enhancements: You can now select whether to alert on or block Python (version 2.7 and 3.0 to 3.8) and .NET DLR scripts (for example, IronPython). You can also disable Script Control for these script types.

Impact

BlackBerry tested and validated the new features related to Memory Protection v2 and Script Control v2 as well as the other new enhancements introduced in BlackBerry Protect Desktop Agent version 3.*.

However, BlackBerry requires Administrators to test and validate the new release of BlackBerry Protect and set up the policy accordingly before pushing the update to production.

Additionally, Administrators are required to review the changes related to macros because the changes might require them to migrate existing exclusions from Script Control to Memory Protection.

Recommendation

BlackBerry recommends that you validate BlackBerry Protect Agent for Windows version 3.* in a test environment before you deploy it in a production environment. 

Testing Steps and Deployment

Ensure all new and existing Memory Protection violation types are enabled in Alert mode

  1. To avoid blocking or terminating apps based on false positives or process failures, ensure to the Memory Protection violation types are enabled in Alert mode EXCEPT for the Violation Types indicated to be set to Ignore below. 
    • Exploitation
      • Stack Pivot (Alert)
      • Stack Protect (Alert)
      • Overwrite Code (Alert)
      • RAM Scraping (Alert)
      • Malicious Payload (Alert)
      • System Call Monitoring (Alert)
      • Direct System Calls (Ignore)
      • System DLL Overwrite (Ignore)
      • Dangerous COM Object (Alert)
      • Injection via APC (Ignore)
      • Dangerous VBA Macro (Alert)
    • Process Injection
      • Remote Allocation of Memory (Alert)
      • Remote Mapping of Memory (Alert)
      • Remote Write to Memory (Alert)
      • Remote Write PE to Memory (Alert)
      • Remote Overwrite Code (Alert)
      • Remote Unmap of Memory (Alert)
      • Remote Thread Creation (Alert)
      • Remote APC Scheduled (Alert)
      • DYLD Injection (macOS and Linux only) (Alert)
      • Doppelganger (Alert)
      • Dangerous Environmental Variable (Ignore)
    • Escalation
      • LSASS Read (Alert)
      • Zero Allocate (Alert)
      • Memory Permission Changes in Other Processes (Ignore)
      • Memory Permission Changes in Child Processes (Ignore)
      • Stolen System Token (Alert)
      • Low Integrity Process Start (Alert)
  2. Once you determine that processes are not being alerted/blocked, you can change the Violation Types set to Alert to Terminate.
    1. Continue to Ignore Violation Types previously set to Ignore.
  3. If a safe app or valid script is alerted as an Exploit Attempt, you will have to add the appropriate Memory Action exclusion.
    1. Cylance: Protect - Exploit Attempt Exclusions (sonicwall.com)

Review the existing Macro configuration in Script Control and migrate the same settings into Memory Protection

  • Reviewing the macro feature is particularly important while upgrading from BlackBerry Protect Agent for Windows version 2.1.1578 and earlier versions, to BlackBerry Protect Agent for Windows version 3.*.
  1. If the Macro option is not enabled under Script control, the UES administrator can leave the corresponding feature "Dangerous VBA macros" set to Ignore in Memory Protection. You might consider enabling this feature to enhance the security level in your organization.
  2. If the Macro option is enabled under Script control, set the Dangerous VBA macros option to Alert, or Terminate corresponding to the option set under “Script Control”.
  3. Review and migrate any existing exclusions for VBA macros that exist in Script Control.
  4. Test and validate the new settings in a test environment and against files containing macros that are commonly used in your organization
  5. After all of the tests and validation are complete, you should proceed with the deployment to multiple devices in your production environment.

If you would like assistance reviewing any current Macro Exclusions under Script Control and converting them to Memory Action exclusions, please start a support ticket. To do this, partners can visit https://msssupport.myportallogin.com and when asked to select a product, select Endpoint Security, and then Cylance Support

 Turn on Script Control Alerting for Python and .NET Scripts.

  • With agent version 3.*. for Windows, the following additional script types can be monitored.
    • Python
    • .NET DLR
  • Make sure your device policies are now set to Alert to begin baselining these potential new scripts
  • Once you are confident any needed scripts are accounted for and exclusions made, you can switch these options to Block

C:\Users\aphetkhamphou\Documents\0\0 Right Answers SGI to SW migration\Enable Python and DotNet script control

Related Articles

  • MPSS Frequently Asked Questions (FAQs)
    Read More
  • Getting Started with MPSS
    Read More
  • MSS FMM: NSM - Frequently Asked Questions (FAQs)
    Read More

Categories

Managed Security Services
Endpoint Managed Detection and Response
MDR for Cylance
not finding your answers?
Ask the Community