Reclassification policy
The reclassification policy defines how Advanced EDR must behave when an item that the administrator unblocked is later reclassified, so that a new decision about it becomes necessary.
In cases where the administrator allows an unknown item to run, Advanced EDR classifies it as malware or goodware after a period of time. If it is goodware, there are no additional considerations to be made as Advanced EDR will allow the item to run. However, if it is malware, the reclassification policy is applied, which enables the administrator to define the behavior of Advanced EDR.
Changing the reclassification policy
The reclassification policy applies to all devices on the network, regardless of the assigned security settings profile.
To change how Advanced EDR behaves when a file is reclassified:
- Click Status in the menu at the top of the console. Click Security in the side panel.
- Click the type of item in the Programs allowed by the administrator panel.
- Click the Change behavior link. A pop-up window opens with the reclassification policy to apply:
- Remove it from the list of programs allowed by the administrator: If the unknown file is goodware, it continues to run normally. If it is malware, the exclusion is removed automatically and the file is blocked, unless the administrator manually generates a new exclusion for the file.
- Keep it on the list of programs allowed by the administrator: A red shaded area in the Programs allowed by the administrator list indicates that this choice can lead to potentially dangerous situations. Whether the unknown file is classified as goodware or as malware, the exclusion is maintained and the file continues to run.
Cytomic advises against using this setting due to the risk of opening a security hole that could enable malware to run on network devices.
Reclassification traceability
If you select the Keep it on the list of programs allowed by the administrator policy, you need a way to find out whether Advanced EDR has reclassified an unknown item, so that you can tell whether an allowed program is now classified as malware.
Traceability using the history of allowed programs
To view the history of reclassifications and events for an unblocked file:
- Click Status in the menu at the top of the console. Click Security in the side panel.
- Click the Currently blocked programs being classified panel.
- Click the View history of blocked items link. The History of blocked programs list opens.
- Enter the name of the threat in the search tool. The Action field indicates the type of event that occurred. See History of blocked programs list for more information.
Traceability using the alerts
For more information about the alerts received, see Alerts.
Administrators can receive an email alert every time an unknown file is blocked. They can also receive a notification every time a previously unblocked file is reclassified.
To enable email notifications when an unknown file is blocked: