Set the Rule-Based Behavioral Document Protection Modes

For availability of this feature, see Behavioral Document Protection availability by sensor version.

Use Behavioral Document Protection to detect integrated code in documents and either identify or block documents that contain malicious content, such as malicious macros.

Set the Behavioral document protection mode

To set the Behavioral document protection mode, select one of the following options under Anti-Malware > Behavioral document protection.

Behavioral document protection enabled

Mode: Disabled
  Description: Do not use Behavioral document protection to prevent malicious documents.
  When to use this setting: You want to collect data on static files that include malicious code, such as macros.

Mode: Detect
  Description: Detect integrated code in documents and identify documents with malicious content, such as malicious macros. Trigger MalOps with information on the malicious content that was detected.
  Note: If Anti-Malware > Signatures mode is set to Disabled, the Cybereason platform collects document data as part of the Non-executable file data collection feature and triggers MalOps, evidences, and suspicions. For more information, see When do you use Behavioral Document Protection.
  When to use this setting:
    • You want to identify static files that include malicious code, such as macros.
    • You want to be aware of documents that include code (even non-malicious code) and use that data for investigation and hunting. For more information, see Behavioral Document Protection.

Mode: Prevent
  Description: Detect integrated code in documents and prevent documents from running malicious content, such as malicious macros. Trigger MalOps with information on the malicious content that was prevented.
  When to use this setting: You want to identify and block static files that include malicious code, such as macros.

Mode: Quarantine
  Description: Detect integrated code in documents and quarantine documents with malicious content, such as malicious macros. Trigger MalOps with information on the malicious content that was quarantined. The Cybereason platform moves quarantined documents to the Quarantine folder. For more information, see Set Anti-Malware Signatures mode.
  When to use this setting:
    • You want to quarantine static files that include malicious code, such as macros.
    • You want to be aware of documents that include code (even non-malicious code) and use that data for investigation and hunting. For more information, see Behavioral Document Protection.

Because of optimization algorithms, when you enable Behavioral document protection, Cybereason might not re-scan documents that Anti-Malware > Signatures classifies as benign until you restart Cybereason.

Set the Behavioral document protection sensitivity level

You can configure the level of sensitivity that the Behavioral document protection feature uses to handle suspicious code in documents. The sensitivity levels determine whether the Behavioral document protection feature is triggered and whether to detect, prevent, and generate MalOps for suspicious documents. This is different from the Behavioral document protection mode, which determines how to handle the suspicious document. For example, if the Behavioral document protection mode is set to Quarantine and the sensitivity level is set to Cautious:

  1. The Cybereason platform determines that the document includes integrated code with a very high level of certainty.

  2. Behavioral document protection is triggered, and the file is quarantined.

Note

Behavioral document protection generates evidences and suspicions as usual, regardless of the selected sensitivity level. For example, if you select the Cautious level and Behavioral document protection detects integrated code in a document, the Cybereason platform generates evidences and suspicions that can be used for visibility and analysis, without triggering MalOps on those events.

Select one of the following options:

Sensitivity level: Cautious
  Description: Detect, prevent, and trigger MalOps for only those documents that Cybereason determines are malware with a very high level of certainty. This is the setting with the lowest sensitivity.
  When to use this setting: You want to detect documents with integrated code, but want to avoid handling many false-positive results and multiple MalOps that report legitimate documents.

Sensitivity level: Moderate
  Description: Detect, prevent, and trigger MalOps for only those documents that Cybereason determines are malware with a high level of certainty.
  When to use this setting: You want to detect integrated code in documents, and can tolerate handling some false-positive results and some MalOps that report legitimate documents.

Sensitivity level: Aggressive
  Description: Detect, prevent, and trigger MalOps for any documents that Cybereason determines are likely to include integrated code. This is the setting with the highest sensitivity.
  When to use this setting: You want to detect documents with malicious code. You prefer to assess and analyze all false positives, as well as documents that are likely, but not certain, to be legitimate.

Add Behavioral document protection exclusions

You can exclude files or folders from Behavioral document protection scans in the following ways:

View Behavioral document protection modes in the Sensors screen

You can view endpoints’ Behavioral document protection modes and/or sensitivity levels for single endpoints or for groups of endpoints in the System > Sensors screen.

  • The Document protection status column shows the Behavioral document protection mode, specifying whether the feature is enabled, disabled, and so on.

  • The Document protection mode column shows the Behavioral document protection sensitivity level, specifying whether the sensitivity level is aggressive, cautious, and so on.

To display the Behavioral document protection mode or sensitivity level, select Columns to the right of the sensors table, and select the Document protection status column and/or the Document protection mode column.

Behavioral document protection - Sensors screen

The Behavioral document protection modes are visible in the sensors table.

Behavioral document protection - Sensors screen

The information in the Document protection status and Document protection mode columns is also included as metadata if you export the table to a CSV file.

Note

Sensors on versions earlier than 22.1.105 use Rule-Based Behavioral Document Protection. Sensors on version 22.1.105 and later use Behavioral Document Protection AI.

If a sensor policy contains sensors on versions earlier than 22.1.105 and also sensors on versions 22.1.105 and later, your Cybereason environment uses both Rule-Based Behavioral Document Protection and Behavioral Document Protection AI. The type of Behavioral Document Protection that the Cybereason platform uses is based on the sensor version.

The Document protection status column and the Document protection mode column show the mode and sensitivity level of a specific endpoint. Depending on the sensor version, these two columns can show different information for sensors on the same policy.

Behavioral document protection modes and Signatures modes

The Cybereason platform takes different actions according to the Behavioral document protection mode and the Anti-Malware > Signatures mode.

Note

The Behavioral document protection mode cannot be more sensitive than the Signatures mode. For example, if Anti-Malware > Signatures mode is set to Detect, the Anti-Malware > Behavioral document protection mode can be set to Disabled or Detect, but not to Prevent or Quarantine.

The following table specifies which Behavioral document protection modes are allowed with each of the Signatures modes.

Signatures mode    Allowed Behavioral document protection modes
Disabled           Disabled, Detect
Detect             Disabled, Detect
Prevent            Disabled, Detect, Prevent
Quarantine         Disabled, Detect, Prevent, Quarantine
Disinfect          Disabled, Detect, Prevent, Quarantine
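The following script is an added example, not Cybereason code, that audits a CSV export of the Sensors table against two facts from this page: the 22.1.105 version boundary between Rule-Based Behavioral Document Protection and Behavioral Document Protection AI, and the allowed-combinations table above. It assumes the export carries "Sensor", "Sensor version" and "Signatures mode" columns (names not given on this page) and that the Document protection status column holds the mode names used above (Disabled, Detect, Prevent, Quarantine).

```python
import csv
import io

# Allowed Behavioral document protection modes per Signatures mode,
# copied from the allowed-combinations table in the documentation.
ALLOWED_BDP_MODES = {
    "Disabled": {"Disabled", "Detect"},
    "Detect": {"Disabled", "Detect"},
    "Prevent": {"Disabled", "Detect", "Prevent"},
    "Quarantine": {"Disabled", "Detect", "Prevent", "Quarantine"},
    "Disinfect": {"Disabled", "Detect", "Prevent", "Quarantine"},
}

# Sensors earlier than 22.1.105 use Rule-Based Behavioral Document
# Protection; 22.1.105 and later use Behavioral Document Protection AI.
AI_MIN_VERSION = (22, 1, 105)


def parse_version(text):
    """'22.1.105' -> (22, 1, 105) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def protection_engine(version):
    return "AI" if parse_version(version) >= AI_MIN_VERSION else "Rule-Based"


def bdp_mode_allowed(signatures_mode, bdp_mode):
    """True when the pair appears in the allowed-combinations table."""
    return bdp_mode in ALLOWED_BDP_MODES.get(signatures_mode, set())


def audit_sensor_export(csv_text):
    """One finding per sensor row; 'engine' and 'allowed' are derived fields."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings.append({
            "sensor": row["Sensor"],
            "engine": protection_engine(row["Sensor version"]),
            "allowed": bdp_mode_allowed(row["Signatures mode"],
                                        row["Document protection status"]),
            "sensitivity": row["Document protection mode"],
        })
    return findings


# Constructed sample export. Only the two "Document protection ..." columns are
# documented; "Sensor", "Sensor version" and "Signatures mode" are assumed names.
SAMPLE_EXPORT = """Sensor,Sensor version,Signatures mode,Document protection status,Document protection mode
ws-01,22.1.105,Quarantine,Quarantine,Cautious
ws-02,21.2.40,Detect,Prevent,Aggressive
srv-03,23.1.10,Disabled,Detect,Moderate
"""
```

A row with allowed=False (ws-02 in the sample) marks a sensor whose Behavioral document protection mode is more sensitive than its Signatures mode, which is the combination the note above says cannot be configured.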