• Capture Client
• Overview
  • Description
  • Navigation
  • Guide Conventions
• Scopes and Policies
  • Introducing Scope of Operations
  • Using Scope Selector
  • Policy Management
    • Inheritance
    • Policy Types
      • Client Policies
      • Threat Protection Policies
      • Trusted Certificate Policies
      • Web Content Filtering Policies
      • Managing Blacklist
      • Exclusions
        • Hashes
        • Paths
        • Signer Identity
        • File Types
        • Browsers
    • Replicating Policies
    • Group Ranking Policy
    • Creating Custom Policies for Device Groups
    • Device Control
• Protection
  • Tenant Token
  • Installation for the New Clients
  • Migrating Clients Across Regions
  • Protecting Devices
  • Reviewing Registered Devices
    • List View
    • Unmanaged List View
    • Map
  • Active Users
  • Performing System Scan
• Groups
  • Creating a Static User Group
  • Creating Static Device Groups
  • Creating Dynamic Device Groups
  • Creating Custom Rules for Dynamic Groups
• SonicWall Support
  • About This Document

Threat Protection Policies

Threat Protection policy is one of the security policies that Capture Client offers. To view the Threat Protection policies, navigate to Policies > Threat Protection. The Threat Protection page lists the POLICY MODE OPTIONS, PROTECTION & CONTAINMENT OPTIONS, ENGINE SETTING, and ADVANCED SETTINGS.

To define the threat protection policy

1. Navigate to Policies > Threat Protection.

2. If you want to configure a custom threat protection policy for a tenant, disable Inheritance.
3. In the POLICY MODE OPTIONS section:

   1. Set the Policy Mode or mitigation mode for threats and suspicious activities. The available mitigation modes are: Detect (Alert Only), Protect (Kill & Quarantine), or Capture ATP (Auto Mitigate).

      Detect—Detects a potential threat, suspicious activities and reports it to the management console. Execution of threats known to be malicious by the SentinelOne Cloud Intelligence Service or on the blacklist will be blocked.

      Protect—Detects a potential threat, reports it to the management console, and immediately performs the configured Mitigation Action to mitigate the threat. To understand protection and options available for Protect mode, see step b.

      Capture ATP—To let Capture ATP analyze suspicious activities and take necessary action based on the Capture ATP settings.

      Capture ATP (Auto-mitigation)	Protect	Detect (Alert Only)
      Set the action to take if Capture ATP returns a Malicious Verdict: You have an option to enable the setting that ensures Capture Client to kill the process and block access to the file until a verdict is delivered. Mark as Threat —Automatically quarantines the file, marks it as a threat, and performs the corresponding mitigation action. Detect (Alert only)	When Protect is selected, the Mitigation Action is automatically set to Kill & Quarantine. This stops processes, encrypts the executable, and moves it to a confined path. If a threat is known, the Agent automatically kills the threat before it can execute. The only mitigation action here is Quarantine.	Detects a potential threat and reports it to the management console. Execution of threats known to be malicious by the SentinelOne Cloud Intelligence Service or on the blacklist will be blocked.
      Set the action to take if Capture ATP returns a Not Malicious Verdict: Detect (Alert only) Mark as Benign
      Set the action to take if Capture ATP returns a Not Undetermined Verdict: Detect (Alert only) Mark as Threat Contain

4. In the PROTECTION & CONTAINMENT OPTIONS section:

   1. Set the protection level. The available protection options are: Kill & quarantine, Remediate, or Rollback.

      If you selected Detect for the Mitigation Mode, the Mitigation Action field is hidden since there are no actions for that option.

   2. Select Disconnect from Network If you want to automatically put a device in network quarantine when an active threat is detected. All of the agent's network connections will be blocked except to the management console. Devices will not be disconnected if a threat is detected pre-execution by the Reputation or Deep File Inspection engines, because the threat is not active.

5. In the ENGINE SETTINGS section:

   Engine Type	Definition
   Reputation	This engine uses the SentinelOne Cloud to make sure that no known malicious files are written to the disk or executed. This option cannot be disabled.
   Documents, Scripts	This is a behavioral AI engine on Windows devices that focuses on all types of documents and scripts.
   Lateral Movement	This is a behavioral AI engine on Windows devices that detects attacks that are initiated by remote devices.
   Anti-Exploitation/Fileless	This is a behavioral AI engine focused on exploits and all fileless attack attempts, such as web-related and command line exploits.
   Potentially unwanted applications	This is a static AI engine on macOS devices that inspects applications that are not malicious, but are considered unsuitable for business networks.
   Intrusion Detection	This is a behavioral AI engine on Windows devices focused on insider threats such as malicious activity through PowerShell or CMD.
   DFI (Deep File Inspection)	This is a preventive static AI engine that scans for malicious files written to the disk.
   DFI (Deep File Inspection) - Suspicious	This engine is a more aggressive static AI engine on Windows devices that scans for suspicious files written to the disk. When in Protect mode, this engine is preventive.
   DBT (Dynamic Behavior Tracking) Executables	This is a behavioral AI engine that implements advanced machine learning tools. It detects malicious activities in real-time, when processes execute.

6. In the ADVANCED SETTINGS section, click Manage Settings and configure the following:

   Device Configuration Options	Definiton
   Scan new agents	Enables a disk scan on the endpoint after installation. It runs a full disk scan using its Static AI engine, identifying any pre-existing malicious files and mitigating them based on the defined policy.
   Anti Tamper	Does not allow end users or malware to manipulate, uninstall, or disable the client. Best practice is to keep this enabled.
   Agent UI	Enables the SentinelOne client interface on the endpoint. This should be disabled by default as it is redundant with the Capture Client interface.
   Snapshots	Sets Windows devices to keep Volume Shadow Copy Service (VSS) snapshots for rollback. If disabled, rollback is not available. Best practice is to keep this enabled.
   Logging	Saves logs for troubleshooting and support. Best practice is to keep this enabled.