Risk assessment settings

Required permissions

The risk assessment feature is visible to all users of the web console. However, you must have the Full Control role to configure it. For more information, see Managing roles and permissions. The risk assessment settings apply equally to all computers on the IT network.

Accessing the settings

Select the Settings menu at the top of the console. Select Risks from the side menu. The Risks page opens. This page is divided into two main areas: a list of risks and a series of drop-down menus to assign risk levels.

Risk list

Most risks have to do with the various types of settings implemented in Advanced EDR. Other risks are related to the protection status information sent by computers to the Cytomic servers.

The risks you can assess vary based on the operating system installed on computers.

Risk / Comment

No protection

The computer has protection installation errors or does not have a license. See Protection status.

Out-of-date protection

The protection engine version installed on the computer is not up to date. The computer is vulnerable to threats. See Details section (3).

Out-of-date knowledge (more than 30 days)

The signature file version installed on the computer is not up to date. The computer is vulnerable to threats. See Outdated protection.

No connectivity to knowledge servers

Communications between the computer and the Cytomic servers are not working correctly. The computer is not correctly protected. See Product features and requirements to verify the computer meets the connection requirements.

No uninstallation protection

The computer is not password protected to prevent unauthorized protection uninstallation or tampering. See Password-protection of the agent.

Anti-tamper protection disabled

The protection can be modified and tampered with. See Configuring the anti-tamper protection and password.

Advanced protection for Windows disabled or in Audit mode

Advanced protection is not active or reports threats but does not block or disinfect malware. See Advanced protection.

Advanced protection for Windows in Hardening mode

The advanced protection settings allow execution of unknown programs already installed on user computers but block programs that originate from an external source. See Advanced protection.

Advanced protection for Linux disabled or in Do not detect or Audit mode

Advanced protection is not active or reports threats but does not block them. See Detect malicious activity (Linux only).

Anti-exploit protection disabled or in Audit mode

Anti-exploit protection is not active or reports detections but does not take action against them. See Anti-exploit protection settings.

Folder, file, and extension exclusions

There are files, folders, or extensions that are not being scanned for malware. See Files and paths excluded from scans and Authorized software and exclusions.

Recent indicators of attack

The computer has reported the detection of indicators of attack (IOAs) in the last 30 days. See Managing indicators of attack.

Critical patches pending installation

The computer has Cytomic Patch installed and has reported the existence of critical patches that are pending installation. This can be notified immediately or a number of days after the patches are published. By default, the number of days is 30, although you can edit this parameter when you enable this risk for evaluation. See Configuring the discovery of missing patches.

Audit mode enabled

Enabling Audit mode for a settings profile does not change the overall status of the protections applied to the computers that receive the settings. Nor does it change the configuration of the protections in the web console. Threats continue to be detected and reported, but they are not blocked or deleted. See Audit mode.

Network attack protection disabled or in "Audit" mode

Because of the way this protection is configured, real-time scanning of network traffic is not detecting or stopping lateral movements by fileless threats and advanced attacks using exploits. See Network attack protection.

Risk list

How risk assessment works

By default, Cytomic assigns a specific risk level to each risk detected on computers. You can see this default risk level the first time you access the Settings, Risks page. You can change the default risk level and select another risk level based on your needs.

Configuring risk assessment

To configure risk assessment:

  • In the list of risks (1), click the toggles to enable the risks you want to detect.

  • From the Risk level drop-down menu (2), select a risk level for each risk: Critical, High, Medium.

    If the risk level you select does not match the level recommended by Cytomic, the icon (3) appears. Point the mouse to the icon. A message appears (4) that shows the risk level recommended by Cytomic.

  • Click Save.

    Risk update is asynchronous. There may be a slight delay between when you configure risks and when data starts to appear in lists and widgets.

Setting a risk level for recent IOAs

The Recent indicators of attack risk becomes active when an IOA is detected on a computer.

To set the risk level:

  • From the Risk level drop-down menu (2), select a risk level (Critical, High, or Medium).

  • Or, from the same Risk level drop-down menu (2), select the Risk of indicators of attack option. If you select this option, the risk level is equal to the highest risk level of any IOA detected on the computer.

The solution assesses only IOAs that have not been archived and that were detected in the last 30 days.

Example:

25 IOAs are detected: some are low risk, others are medium risk, and one is high risk. The risk level for Recent indicators of attack will be High.

If the high-risk IOA is archived, or its 30-day period expires, the risk level is recalculated from the IOAs that remain unarchived. Based on the previous logic, the risk level will be Medium.

Example:

A computer reports the detection of 25 IOAs, all of which are low-risk IOAs except for two medium-risk IOAs. In this case, the risk level will be Medium.

If one of the medium-risk IOAs is archived, the risk level stays the same, because there is still another medium-risk IOA. After the remaining medium-risk IOA is archived, the risk level changes to Low, because this is the risk level of the IOAs that are not archived.

Monitoring risk assessment

Risk assessment results are shown in the relevant widgets and lists. For more information, see Risk assessment module lists and Risk assessment module panels/widgets.

Modification and recalculation of recommended values

Cytomic can modify the risk levels recommended for the various risks, but that change will not have an immediate effect on the risks you enable, unless you upgrade to a new version of Advanced EDR, in which case:

  • Risks whose risk level you did not modify are automatically updated to the new default value recommended by Cytomic.

  • Advanced EDR recalculates risk for all computers. The default settings show the new recommended risk levels.

Calculation of the overall risk level assigned to each computer

Calculation of the risk level assigned to each computer occurs:

  • For the entire network, every time there is an upgrade to a new version of Advanced EDR.

  • For a specific computer, when certain circumstances occur, such as: when you assign new settings to the computer, the computer or device is moved from one group to another, a new computer or device is registered, or, in some cases, when a change is made to the license assigned to the computer.

The overall risk level for a computer is equal to the highest risk level for any risk detected on it.

Example:

  • A computer has 5 risks detected (active), 1 of which has a High risk level and the other 4 have a Medium risk level. The computer overall risk level will be High.

  • A computer has 5 risks selected for detection. 4 are active (1 has a High risk level and 3 have a Medium risk level) and 1 is inactive (with a Critical risk level). The computer overall risk level will be High.
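To make the calculation rules on this page concrete, the following Python model is an added example; it is not part of the product documentation and not code from Advanced EDR. It implements the Recent indicators of attack rule from Setting a risk level for recent IOAs (highest level among unarchived IOAs detected in the last 30 days), the overall computer rule above (highest level among active risks, with inactive risks ignored), and the post-upgrade update from Modification and recalculation of recommended values (unmodified risks take the new recommended default). The function names, data classes, the numeric ordering of levels and all sample data are assumptions constructed for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Severity ordering, least to most severe. Critical/High/Medium are the
# configurable levels on the page; Low appears only for individual IOAs.
# The numeric ordering is an assumption made for this example.
LEVEL_ORDER = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}
IOA_WINDOW_DAYS = 30  # the page: IOAs are assessed for 30 days after detection


def highest_level(levels):
    """Return the most severe level among `levels`, or None if there are none."""
    levels = list(levels)
    return max(levels, key=LEVEL_ORDER.__getitem__) if levels else None


@dataclass
class IOA:
    level: str
    detected_at: datetime
    archived: bool = False


def ioa_risk_level(ioas, now):
    """Recent indicators of attack with the 'Risk of indicators of attack' option:
    highest level among IOAs that are not archived and were detected within the
    last 30 days. Archived or expired IOAs are ignored."""
    cutoff = now - timedelta(days=IOA_WINDOW_DAYS)
    return highest_level(
        i.level for i in ioas if not i.archived and i.detected_at >= cutoff
    )


@dataclass
class Risk:
    name: str
    level: str
    active: bool  # True when the risk is currently detected on the computer


def computer_risk_level(risks):
    """Overall risk level of a computer: highest level among its active risks.
    Risks enabled for detection but not currently detected do not count."""
    return highest_level(r.level for r in risks if r.active)


def apply_new_defaults(configured, modified_by_user, new_defaults):
    """After an upgrade, risks whose level the administrator never changed take
    the new recommended default; modified risks keep their configured level."""
    return {
        name: level if name in modified_by_user else new_defaults.get(name, level)
        for name, level in configured.items()
    }


def run_page_examples():
    """Replay the worked examples from the page on constructed data; return the results."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    recent = now - timedelta(days=5)
    stale = now - timedelta(days=31)  # outside the 30-day window
    results = {}

    # IOA example 1: 25 IOAs, one High, four Medium, the rest Low. A stale
    # Critical IOA is added to show that expired detections are ignored.
    ioas = ([IOA("High", recent)] + [IOA("Medium", recent) for _ in range(4)]
            + [IOA("Low", recent) for _ in range(20)] + [IOA("Critical", stale)])
    results["ex1_initial"] = ioa_risk_level(ioas, now)          # High
    ioas[0].archived = True                                     # archive the High IOA
    results["ex1_after_archive"] = ioa_risk_level(ioas, now)    # Medium

    # IOA example 2: 25 IOAs, all Low except two Medium.
    ioas = ([IOA("Medium", recent) for _ in range(2)]
            + [IOA("Low", recent) for _ in range(23)])
    results["ex2_initial"] = ioa_risk_level(ioas, now)          # Medium
    ioas[0].archived = True
    results["ex2_one_archived"] = ioa_risk_level(ioas, now)     # Medium
    ioas[1].archived = True
    results["ex2_both_archived"] = ioa_risk_level(ioas, now)    # Low

    # Computer example 1: 5 active risks, 1 High and 4 Medium.
    risks = ([Risk("No protection", "High", True)]
             + [Risk(f"risk-{i}", "Medium", True) for i in range(4)])
    results["computer_ex1"] = computer_risk_level(risks)        # High

    # Computer example 2: 4 active (1 High, 3 Medium) plus 1 inactive Critical.
    risks = ([Risk("Out-of-date protection", "High", True)]
             + [Risk(f"risk-{i}", "Medium", True) for i in range(3)]
             + [Risk("Anti-tamper protection disabled", "Critical", False)])
    results["computer_ex2"] = computer_risk_level(risks)        # High

    # Post-upgrade default update: only the unmodified risk takes the new default.
    configured = {"No protection": "Critical", "Audit mode enabled": "Medium"}
    results["after_upgrade"] = apply_new_defaults(
        configured,
        modified_by_user={"Audit mode enabled"},
        new_defaults={"No protection": "High", "Audit mode enabled": "High"},
    )  # {"No protection": "High", "Audit mode enabled": "Medium"}
    return results


if __name__ == "__main__":
    for name, value in run_page_examples().items():
        print(f"{name}: {value}")
```

The model deliberately keeps the inactive Critical risk out of the computer total, which is the point of the second example above: a risk that is selected for detection but not currently detected on the computer does not raise its overall level, however severe its configured level is.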