Best Practices for Deploying Device Policies

When installing CylancePROTECT on production machines in your organization's environment, it is recommended to implement device policy features in a phased approach to ensure that performance and operations are not impacted.

1) At initial install, it is recommended to have the device in a passive policy (with nothing enabled).

  • File Actions: Auto Quarantine off & Auto Upload on
  • Memory Actions: Memory Protection off
  • Protection Settings: Background Threat Detection & Watch for New Files off

At this point, allow the agent about a day to do an initial scan, which will only utilize Execution Control to analyze running processes only. This includes all files that run at system startup, that are set to auto-run, and that are manually executed by the user.

2) Once the initial scan is complete, enable Background Threat Detection & Watch for New Files.

  • The File Watcher may impact performance - so look to see if disk or message processing performance has changed. NOTE: Watch For New Files is not recommended to be enabled on file servers.
  • It may help to add folder exclusions (See KB here) to improve performance and ensure certain folders and files do not get scanned or analyzed by the agent

3) Once Background Threat Detection is complete, review all the threats that the agent identified on the device. If this includes any legitimate applications necessary for business operations, make sure to either Waive or Global Safe List these files. At this point, Auto Quarantine can be enabled in the device policy.

4) Before enabling memory protection, make sure that there are no other memory protection applications running on the system. If so, it may be necessary to create process exclusions (see KB here) or disable the application entirely to avoid conflict when running simultaneously with CylancePROTECT Memory Protection. Enable Memory Protection in Alert mode initially and let it run in Alert mode until all normal applications, processes, and scheduled tasks have had a chance to run at least once. Monitor the device(s) for any exploit attempts logged by legitimate applications and create exclusions as necessary. Once you're sure that no normal processes will trigger exploit attempts, change Memory Protection from Alert to Block mode.

5) For Script Control, test in Alert mode first. This allows you to review all findings by Script Control and add-in the appropriate folder exclusions. You should exclude common folders that you run automated scripts from. Once this is done, you can set Script Control to Block mode. (See KB here)

At this point, your systems should be fully protected from any malicious applications and activity.