Set the Behavioral Execution Prevention Modes
Use Behavioral Execution Prevention to detect and prevent malicious execution of processes based on the process behavior.
Set the Behavioral execution prevention mode
In your sensor policy, in the Behavioral execution prevention screen, select one of the following modes:
Mode | Description | When to use this setting |
---|---|---|
Disabled | Do not use Behavioral execution prevention (default). In this scenario, while the Behavioral execution prevention feature is set to Off on the endpoint, the Cybereason platform applies the proprietary detection rules in the platform’s Cross Machine Correlation (CMC) engine. | You want to collect data on process behavior, without preventing the processes. |
Detect | Detect anomalies in process characteristics, but take no further action on the endpoint. | |
Prevent | Prevent malicious processes executing. | You want to identify and block malicious processes. |
Set the Variant payload prevention mode
Variant payload prevention allows you to protect your organization against powerful attack tools by performing real-time analysis of memory. You can use Variant payload prevention as a powerful protection layer on top of Behavioral execution protection, or independently, even when Behavioral execution protection is disabled.
In your sensor policy, in the Behavioral execution prevention screen, under the Variant payload prevention section, select one of the following modes:
Mode | Description |
---|---|
Disabled | Do not use Variant payload prevention (default). |
Detect | Detect in-memory attacks, but take no further action on the endpoint. With this mode, you can use collected data about suspicious processes for investigation and hunting. |
Prevent | Prevent in-memory attacks. |
Note
Rapid recovery of files is now available if ransomware is detected by Variant Payload Prevention. To utilize this feature, you must have access to the Predictive Ransomware Protection feature. You can configure Rapid recovery on the Predictive Ransomware Protection screen. For more information, see Enable Rapid recovery.