Set the Behavioral Execution Prevention Modes

Use Behavioral Execution Prevention to detect and prevent malicious execution of processes based on the process behavior.

Set the Behavioral execution prevention mode

In your sensor policy, in the Behavioral execution prevention screen, select one of the following modes:

| Mode | Description | When to use this setting |
| --- | --- | --- |
| Disabled | Do not use Behavioral execution prevention (default). In this scenario, while the Behavioral execution prevention feature is set to Off on the endpoint, the Cybereason platform applies the proprietary detection rules in the platform’s Cross Machine Correlation (CMC) engine. | You want to collect data on process behavior, without preventing the processes. |
| Detect | Detect anomalies in process characteristics, but take no further action on the endpoint. | You want to detect anomalies in process characteristics, without preventing the processes. You want to be aware of suspicious processes and use that data for investigation and hunting. |
| Prevent | Prevent malicious processes executing. | You want to identify and block malicious processes. |

BEP and VPP

Set the Variant payload prevention mode

Variant payload prevention protects your organization against powerful attack tools by performing real-time analysis of memory. You can use Variant payload prevention as a powerful protection layer on top of Behavioral execution prevention, or independently, even when Behavioral execution prevention is disabled.

In your sensor policy, in the Behavioral execution prevention screen, under the Variant payload prevention section, select one of the following modes:

| Mode | Description |
| --- | --- |
| Disabled | Do not use Variant payload prevention (default). |
| Detect | Detect in-memory attacks, but take no further action on the endpoint. With this mode, you can use collected data about suspicious processes for investigation and hunting. |
| Prevent | Prevent in-memory attacks. |

Note

Rapid recovery of files is now available if ransomware is detected by Variant Payload Prevention. To utilize this feature, you must have access to the Predictive Ransomware Protection feature. You can configure Rapid recovery on the Predictive Ransomware Protection screen. For more information, see Enable Rapid recovery.