Set the Behavioral Document Protection AI Modes
For availability of this feature, see Behavioral Document Protection availability by sensor version.
Use Behavioral Document Protection to detect integrated code in documents and either identify or block documents that contain malicious content, such as malicious macros.
Set the Behavioral document protection AI mode
In your sensor policy, select one of the following options under Anti-Malware > Behavioral document protection.
| Mode | Description | When to use this setting |
|---|---|---|
| Disabled | Do not use Behavioral document protection to prevent malicious documents. | You want to collect data on static files that include malicious code, such as macros. |
| Detect | Detect integrated code in documents and identify documents with malicious content, such as malicious macros. Trigger MalOps with information on the malicious content that was detected. Note: If Anti-Malware > Signatures mode is set to Disabled, the Cybereason platform collects document data as part of the Non-executable file data collection feature and triggers MalOps, evidences, and suspicions. For more information, see When do you use Behavioral Document Protection. | |
| Prevent | Detect integrated code in documents and prevent documents from running malicious content, such as malicious macros. Trigger MalOps with information on the malicious content that was prevented. | You want to identify and block static files that include malicious code, such as macros. |
| Quarantine | Detect integrated code in documents and quarantine documents with malicious content, such as malicious macros. Trigger MalOps with information on the malicious content that was quarantined. The Cybereason platform moves quarantined documents to the Quarantine folder. For more information, see Set Anti-Malware Signatures mode. | |
Because of optimization algorithms, when you enable Behavioral document protection, the Cybereason platform might not re-scan documents that Anti-Malware > Signatures classifies as benign until you restart the Cybereason sensor.
Set the Behavioral document protection AI sensitivity level
You can configure the level of sensitivity that the Behavioral document protection feature uses to handle suspicious code in documents. The sensitivity levels determine whether the Behavioral document protection feature is triggered and whether to detect, prevent, and generate MalOps for suspicious documents. This is different from the Behavioral document protection mode, which determines how to handle the suspicious document. For example, if the Behavioral document protection mode is set to Quarantine and the sensitivity level is set to Cautious:
The Cybereason platform determines that the document includes integrated code with a very high level of certainty.
Behavioral document protection is triggered, and the file is quarantined.
Note
Behavioral document protection generates evidences and suspicions as usual, regardless of the selected sensitivity level. For example, if you select the Cautious sensitivity level and Behavioral document protection detects integrated code in a document, the Cybereason platform still generates evidences and suspicions that can be used for visibility and analysis, without triggering MalOps on those events.
Select one of the following sensitivity levels:
| Sensitivity level | Description | When to use this setting |
|---|---|---|
| Cautious | Detect, prevent, and trigger MalOps for only those documents that Cybereason determines are malware with a very high level of certainty. This is the setting with the lowest sensitivity. | You want to detect documents with integrated code, but want to avoid handling many false-positive results and multiple MalOps that report legitimate documents. |
| Moderate | Detect, prevent, and trigger MalOps for only those documents that Cybereason determines are malware with a high level of certainty. | You want to detect integrated code in documents, and can tolerate handling some false-positive results and some MalOps that report legitimate documents. |
| Aggressive | Detect, prevent, and trigger MalOps for any documents that Cybereason determines are likely to include integrated code. This is the setting with the highest sensitivity. | You want to detect documents with malicious code. You prefer to assess and analyze all false positives, as well as documents that are likely, but not certain, to be legitimate. |
View Behavioral document protection AI modes in the Sensors screen
You can view the Behavioral document protection mode and sensitivity level of individual endpoints or groups of endpoints in the Cybereason UI, from the System > Sensors screen.
The Behavioral doc mode column shows the Behavioral document protection AI mode (Disabled, Detect, Prevent, or Quarantine).
The Behavioral doc sensitivity column shows the Behavioral document protection AI sensitivity level (Cautious, Moderate, or Aggressive).
To display these columns, select Columns to the right of the sensors table, and then select the Behavioral doc mode column and/or the Behavioral doc sensitivity column. The selected columns appear in the sensors table.
The values in the Behavioral doc mode and Behavioral doc sensitivity columns are also included when you export the table to a CSV file.
Note
Sensors on versions earlier than 22.1.105 use Rule-Based Behavioral Document Protection. Sensors on version 22.1.105 and later use Behavioral Document Protection AI.
If a sensor policy contains sensors on versions earlier than 22.1.105 and also sensors on versions 22.1.105 and later, your Cybereason environment uses both Rule-Based Behavioral Document Protection and Behavioral Document Protection AI. The type of Behavioral Document Protection that the Cybereason platform uses is based on the sensor version.
The Behavioral doc mode column and the Behavioral doc sensitivity column show the mode and sensitivity level of a specific endpoint. Depending on the sensor version, these columns can show different information for sensors in the same policy.
Behavioral document protection modes and Signatures modes
The Cybereason platform takes different actions according to the Behavioral document protection mode and the Anti-Malware > Signatures mode.
Note
The Behavioral document protection mode cannot take a stronger action than the Signatures mode. For example, if Anti-Malware > Signatures mode is set to Detect, the Anti-Malware > Behavioral document protection mode can be set to Disabled or Detect, but not to Prevent or Quarantine.
The following table lists the Behavioral document protection modes that this rule allows with each Signatures mode.
| Signatures mode | Allowed Behavioral document protection modes |
|---|---|
| Disabled | Disabled |
| Detect | Disabled, Detect |
| Prevent | Disabled, Detect, Prevent |
| Quarantine | Disabled, Detect, Prevent, Quarantine |
| Disinfect | |
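The following script is an added example, not Cybereason code, that audits the CSV export described in the Sensors screen section above against both the 22.1.105 engine cutoff and the mode-ordering rule in this section. It assumes the export carries the columns Sensor name, Policy, Sensor version, Behavioral doc mode and Behavioral doc sensitivity, plus a Signatures mode column that this page does not say is part of the export; the sample rows are constructed. Because the page ranks only Disabled, Detect, Prevent and Quarantine, a Signatures mode of Disinfect is routed to manual review rather than being assumed compatible.

```python
"""Audit a System > Sensors CSV export for Behavioral Document Protection settings.

Added example, not Cybereason code. It assumes the exported CSV carries the
columns 'Sensor name', 'Policy', 'Sensor version', 'Behavioral doc mode' and
'Behavioral doc sensitivity' (the last two are named on the page), plus an
assumed 'Signatures mode' column so the mode-ordering rule can be checked.
"""
import csv
import io
import re
from collections import defaultdict

# Sensors at or above this version run Behavioral Document Protection AI;
# older sensors run the rule-based engine (threshold taken from the page).
AI_MIN_VERSION = (22, 1, 105)

# Enforcement order of the modes the page ranks. Disinfect is a Signatures-only
# mode the page does not rank, so it is deliberately absent.
MODE_RANK = {"Disabled": 0, "Detect": 1, "Prevent": 2, "Quarantine": 3}

# Constructed sample export (not real data).
SAMPLE_EXPORT = """\
Sensor name,Policy,Sensor version,Signatures mode,Behavioral doc mode,Behavioral doc sensitivity
WS-FIN-01,Finance,22.1.105,Quarantine,Quarantine,Moderate
WS-FIN-02,Finance,21.2.180,Quarantine,Prevent,Cautious
WS-DEV-07,Engineering,22.1.210,Detect,Prevent,Aggressive
WS-HR-03,HR,22.1.105,Disinfect,Quarantine,Moderate
WS-HR-04,HR,22.1.105,Prevent,Disabled,Moderate
"""


def parse_version(text):
    """'22.1.105' -> (22, 1, 105); non-numeric suffixes are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def engine_for(version):
    """Which Behavioral Document Protection engine a sensor version runs."""
    return "AI" if parse_version(version) >= AI_MIN_VERSION else "Rule-based"


def mode_compatible(signatures_mode, bdp_mode):
    """True if the Behavioral doc mode is no stronger than the Signatures mode.

    Returns None when a mode is not ranked on the page (e.g. Signatures mode
    Disinfect) so the caller can route it to manual review instead of
    silently passing or failing it.
    """
    if bdp_mode == "Disabled":
        return True  # turning the feature off is never stronger than anything
    if signatures_mode not in MODE_RANK or bdp_mode not in MODE_RANK:
        return None
    return MODE_RANK[bdp_mode] <= MODE_RANK[signatures_mode]


def audit(csv_text):
    """Return a list of (subject, finding, detail) tuples for one export."""
    findings = []
    engines_by_policy = defaultdict(set)

    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["Sensor name"].strip()
        policy = row["Policy"].strip()
        sig_mode = row["Signatures mode"].strip()
        bdp_mode = row["Behavioral doc mode"].strip()
        engines_by_policy[policy].add(engine_for(row["Sensor version"]))

        # Disabled and Detect never block a document: flag them as coverage gaps.
        if bdp_mode in ("Disabled", "Detect"):
            findings.append((name, "no-enforcement", f"Behavioral doc mode is {bdp_mode}"))

        compatible = mode_compatible(sig_mode, bdp_mode)
        if compatible is False:
            findings.append((name, "mode-order",
                             f"Behavioral doc mode {bdp_mode} is stronger than Signatures mode {sig_mode}"))
        elif compatible is None:
            findings.append((name, "manual-review",
                             f"Signatures mode {sig_mode} is not ranked against {bdp_mode}"))

    # A policy with sensors on both sides of 22.1.105 runs both engines at once.
    for policy, engines in engines_by_policy.items():
        if len(engines) > 1:
            findings.append((policy, "mixed-engines", ", ".join(sorted(engines))))

    return findings


if __name__ == "__main__":
    for subject, finding, detail in audit(SAMPLE_EXPORT):
        print(f"{subject:12} {finding:15} {detail}")
```

Run it against a real export by replacing SAMPLE_EXPORT with the file contents; sensors whose Signatures mode is Disinfect come back as manual-review findings because the page leaves that ordering unspecified.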