Advanced protection

Features by platform

The advanced protection features available vary for each platform.

Feature	Windows (Intel & ARM)	Linux	macOS (Intel & ARM)
Behavior: Operating mode (includes decoy files).	X
Behavior: Detect malicious activity	X	X
Anti-exploit protection, including code injection and vulnerable driver detection	X (Not available on Windows ARM systems)
Windows Anti-Malware Scan Interface (AMSI) technology	X
Advanced security policies and blocked programs	X
Network attack protection	X
Privacy	X	X	X
Network usage	X	X	X
Advanced protection supported features by platform

Behavior

Advanced protection enables the monitoring of the processes run on Windows, macOS, and Linux computers and the sending of all generated telemetry to the Cytomic cloud. This information is incorporated into the investigation processes that classify files as goodware or malware, without ambiguity or classifying files as suspicious. Thanks to this technology, it is possible to detect unknown malware and advanced threats such as APTs on Windows and Linux computers.

Along with these advanced detection features, Cytomic provides a service called Zero-Trust Application Service for Windows computers, which classifies all files found on the customer IT network, leaving no unknown files.

Operating mode (Windows computers only)

Field	Description
Audit	Unknown programs and threats detected are allowed to run. Reports known malware.
Hardening	Allows execution of unknown programs already installed on user computers. Blocks unknown programs that originate from an untrusted source (such as the Internet, external storage drives, or other computers on the network) until a classification is returned. Disinfects or deletes programs classified as malware.
Lock	Prevents execution of all unknown programs pending classification. Deletes or disinfects programs already classified as malware.
Advanced protection operating modes for Windows computers

Create Decoy Files to help detect ransomware: Creates decoy files as bait on computers. These files are permanently monitored by Advanced EDR. If the files are modified, they identify the process that modified them as ransomware. The file ends the process that modified it and reports it as malware.
Report blocking to computer users: Shows a message in a pop-up alert on the user computer when:
- Advanced protection blocks a file.
- A blocked program is reclassified as goodware, and the user can use it.
Add the following custom message to alerts (optional): Specify a custom message to include in the alert.
To enable users to decide whether to run blocked items, enable Give computer users the option to run unknown blocked programs (recommended for advanced users and administrators only).

Detect malicious activity (Linux computers only)

Advanced EDR sends the telemetry received from the monitored Linux workstations and servers to the Cytomic cloud. With this information, Advanced EDR generates contextual rules to stop advanced threats.

Field	Description
Audit	Reports threats detected through contextual rules, but does not block them. Threats detected using other technologies are blocked or disinfected.
Block	Reports and blocks threats detected through contextual rules. Unless you are sure that the detected malicious activity is a legitimate action, it is recommended that you change the setting to Block mode.
Do not detect	Malware found through contextual rules is not detected or reported.
Linux protection operating modes

Windows Anti-Malware Scan Interface (AMSI) technology

Windows Anti-Malware Scan Interface (AMSI) is a versatile interface that allows your applications and services to integrate with any anti-malware product that is present on a computer. AMSI provides enhanced malware protection for your users and their data, applications, and workloads.

For more information, seehttps://learn.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal.

This feature is only available for computers with a Windows operating system installed.

To enable or disable AMSI technology, enable the Enable advanced scanning with AMSI.

Exclusions

You can add exclusions for programs that might cause performance issues when you enable advanced scanning with AMSI. In the text box, type the names of the programs and press Enter. For more information about how the console behaves when you edit exclusions for a settings profile managed by a partner, see Exclusions set by a partner.

Advanced security policies

Advanced security policies enable you to detect and block suspicious scripts and unknown programs that use advanced infection techniques on Windows computers. This type of malware is a growing threat to the security of systems.

To enable advanced security policies, click the Enable advanced policies toggle and configure each of the policies listed in Advanced security policies in Advanced EDR with one of these options:

Do not detect: Does not detect the policy or generate any feedback for users or administrators.
Audit: Detects the policy and generates feedback for the administrator in lists and dashboard widgets. See Malware and network visibility.
Block: Advanced EDR prevents the program from running.

Advanced security policies include:

Fields	Description
PowerShell with obfuscated parameters	Detects the number of times the PowerShell interpreter received suspicious parameters that could result in the execution of dangerous operations on the protected computer. This option requires that you enable the anti-exploit protection.
PowerShell run by the user	Detects the number of attempts to run a monitored PowerShell script by an interactive account capable of executing dangerous operations on the protected computer. This option requires that you enable the anti-exploit protection.
Unknown scripts	Detects and/or blocks attempts to run a script that the Cytomic security intelligence team has not classified as safe. This policy helps: Provide visibility into scripts run on the network. Secure servers where program execution is restricted. Prevent the spread of malware on the network if infection is suspected. If you think the security software is generating false positives, consider the possibility of excluding the file from scans. See Files and paths excluded from scans.
Locally compiled programs	Detects the number of attempts to run a program that is unknown to the Cytomic security intelligence team because it was compiled on the user computer.
Documents with macros	Detects the number of attempts to open a Microsoft Office document with macros.
Registry modification to run when Windows starts	Detects the number of times a program tried to add a Windows registry key to gain persistence on the computer and to load with the operating system on every system start.
Advanced security policies in Advanced EDR

Block programs

To increase the security of Windows computers on the network, you can prevent the use of programs you consider dangerous or suspicious.

These programs include:

Programs which, due to the way they run, use too much bandwidth or establish too many connections, negatively impacting company connectivity if run simultaneously by multiple users.
Programs that enable users to access contents that might contain security threats.
Programs that enable users to access contents not related to company activity and which might affect user performance.

To create a new settings profile or edit an existing profile, enter this information:

Fields	Description
Names of the programs to block	Names of the files that you want Advanced EDR to prevent from running. You can paste a list of file names separated by line breaks.
MD5 or SHA-256 codes of the programs to block	MD5 or SHA-256 codes of the files that you want Advanced EDR to prevent from running. You can paste a list of MD5 or SHA-256 codes separated by line breaks.
Configuring a Block Programs security policy

To Notify computer users about blocked applications, enable the toggle. A pop-up message shows on user computers when they try to run a blocked application. In the text box, enter a custom message to show users when Advanced EDR blocks a program.

Anti-exploit

Anti-exploit technology is not available on Windows ARM systems.

Anti-exploit protection automatically blocks attempts to exploit vulnerabilities found in the active processes on user computers, in most cases without requiring user intervention.

How anti-exploit protection works

Network computers might run trusted processes that include bugs. Although legitimate, these processes are vulnerable because they sometimes do not correctly interpret data received from users or other processes.

If a vulnerable process receives malicious inputs from a hacker, a malfunction can occur that enables the attacker to inject malicious code into areas of memory that the vulnerable process manages. The injected code can cause the compromised process to execute actions it was not programmed for and compromise computer security.

The anti-exploit protection included in Advanced EDR detects attempts to inject malicious code into vulnerable processes run by users, and neutralizes them based on the exploit detected:

Exploit blocking

The security software detects the injection attempt while it is still in progress. Because the injection process does not complete, the targeted process is not compromised and there is no risk to the computer. The exploit is neutralized without the need to end the affected process or restart the computer, and there are no data leaks from the affected process.

The user of the targeted computer receives a block notification, based on the settings configured by the administrator.

Exploit detection

The security software detects the injection after it takes place. Because the vulnerable process already contains malicious code, the security software must end the process before it performs actions that might put computer security at risk.

Regardless of the time between exploit detection and when the compromised process ends, Advanced EDR reports that the computer was at risk. The level of risk depends on the time passed before the process stopped and on the type of malware. Advanced EDR can either end a compromised process automatically to minimize the negative effects of an attack, or prompt the user to end the process and remove it from memory.

If you configure compromised processes to be automatically ended, users could lose information handled by the affected processes. However, by delegating the decision to the user, you enable them to save work or critical information before the compromised process stops.

If it is not possible to end a compromised process, the user is prompted to restart the computer.

Vulnerable driver blocking

Drivers supplied by legitimate vendors might contain vulnerabilities that malware could exploit to infect a computer or disable the security software.

These drivers are not malicious in themselves and can be installed on computers without posing a security threat. Therefore, initially they are not detected as malware.

The anti-exploit protection included in Advanced EDR blocks the use of vulnerable drivers, except when the driver loads at operating system startup.

Anti-exploit technology compatibility

Cytomic follows all standards recommended by OS manufacturers to make sure its security products are compatible with other antivirus and EDR solutions. Anti-exploit technology is typically implemented with hooks. If more than one solution uses anti-exploit technology, they could be incompatible. We recommend that you only enable one anti-exploit technology.

In Advanced EDR, the technologies that use hooks are:

Anti-exploit
Advanced code injection
Advanced IOAs. See Compatibility of advanced IOAs with third-party security solutions.

Anti-exploit protection settings

Code injection

To enable anti-exploit protection, enable the toggle.
Code injection exclusions: You can exclude processes that are incompatible with anti-exploit protection. To exclude a process, type its name in the Excluded processes text box and press Enter.
Operating mode (Windows computers only)

Field	Description
Audit	Reports exploit detections in the management console, but does not take action against them or display information to the user.
Block	Blocks exploit attacks. In some cases, it might be necessary to end the compromised process. Report blocking to the computer user: The user receives a notification, and the compromised process is automatically ended if required. Ask the user for permission to end a compromised process: Prompts users to end a compromised process should it be necessary. This enables users to, for example, save their work or critical information before the compromised process is stopped. Every time a compromised computer needs to restart, the user must provide confirmation, regardless of whether the Ask the user for permission to end a compromised process toggle is enabled.
Advanced EDR advanced anti-exploit protection operating modes

Field

Description

Audit

Reports exploit detections in the management console, but does not take action against them or display information to the user.

Block

Blocks exploit attacks. In some cases, it might be necessary to end the compromised process.

Report blocking to the computer user: The user receives a notification, and the compromised process is automatically ended if required.
Ask the user for permission to end a compromised process: Prompts users to end a compromised process should it be necessary. This enables users to, for example, save their work or critical information before the compromised process is stopped. Every time a compromised computer needs to restart, the user must provide confirmation, regardless of whether the Ask the user for permission to end a compromised process toggle is enabled.

Advanced EDR advanced anti-exploit protection operating modes

Many exploits continue to run malicious code until the relevant process ends. An exploit does not appear as resolved in the Exploit Activity panel on the Security dashboard in the web console until the compromised program terminates.

Vulnerable driver.

To enable blocking of vulnerable drivers, enable the Detect drivers with vulnerabilities toggle.
Operating mode (Windows computers only)

Field	Description
Audit	Reports detections in the Cytomic management console, but does not take action against them.
Block	Reports detections in the Cytomic management console, blocks drivers from loading, and shows an alert on the affected computer.
Vulnerable driver blocking operating modes in Advanced EDR

Network attack protection

Many security incidents begin with attacks that exploit vulnerabilities in Internet-exposed services. If malicious actors achieve their goal and infect computers in your organization, you must stop the attack.

Network attack protection scans network traffic in real time to detect and stop threats. It prevents network attacks that attempt to exploit vulnerabilities in services that are open to the Internet and in the internal network.

For more information about network attack protection detections, see https://www.pandasecurity.com/en/support/card?id=700145.

Field	Description
Block	Blocks traffic in a network attack. This is the default option.
Audit	Reports network attacks in the management console, but does not take action against them or display information to the user.
Network attack protection operating modes in Advanced EDR

Privacy

Advanced EDR collects the name and full path of the files it sends to the Cytomic cloud for analysis, as well as the name of the logged-in user. This information is used in the reports and forensic analysis tools shown in the management console. If you do not want this information sent, clear the relevant checkbox in the Privacy section.

Network usage

Advanced EDR compresses and sends every unknown executable file found on user computers to the Cytomic cloud for analysis. The maximum size of the compressed file that the agent sends for analysis is 50 MB.

This behavior is configured so that it has no impact on the customer’s network bandwidth.

The security software only sends a maximum 50 MB of files to the cloud each hour for each agent.
The agent sends each unknown file once only for all customers who use Advanced EDR.
The security software implements bandwidth management mechanisms to prevent intensive usage of network resources

To configure the maximum number of MB that an agent can send each hour, type a value in the corresponding box. Click OK. To establish unlimited transfers, set the value to 0.