Set the Exploit Protection Modes

You configure Exploit Protection settings in a sensor policy. Once the feature is enabled in the sensor policy, you can view and closely examine blocked exploit attempts and investigate the data behind them.

For supported operating systems, see Endpoint machine prevention features.

Select the Exploit protection mode

Note

If you are using a version of Windows that does not include Exploit Guard (versions earlier than Windows 10 Fall Creators Update, also known as RS3), EMET 5.5 is required for Exploit protection to work. If EMET is not installed, we recommend upgrading to the latest Windows version, because Microsoft no longer officially supports EMET. If you are using Exploit Guard on Windows 10 Fall Creators Update (RS3) and later versions, EMET is not required.
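The following PowerShell snippet is an added example (not Cybereason's code) that checks the prerequisite described in the note on a single endpoint: it reads the Windows build number, treats build 16299 (Windows 10 1709, Fall Creators Update / RS3) as the first build that ships Exploit Guard, confirms the ProcessMitigations module is present, and otherwise looks for an installed EMET package. The registry locations and the assumption that EMET's DisplayName starts with "EMET" are the author's assumptions, not something the page states.

```powershell
# Added example: check whether this endpoint meets the Exploit protection prerequisite
# (Exploit Guard on Windows 10 RS3+ or, on older builds, EMET 5.5 installed).

$rs3Build = 16299   # Windows 10 1709 / Fall Creators Update / RS3 (first build with Exploit Guard)

# CurrentBuildNumber is reliable regardless of the PowerShell host's manifest
$build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber

# Exploit Guard ships the ProcessMitigations module; use its cmdlet as a second, independent signal
$hasExploitGuard = ($build -ge $rs3Build) -and
                   [bool](Get-Command Get-ProcessMitigation -ErrorAction SilentlyContinue)

# Assumption: EMET registers under the standard Uninstall keys with a DisplayName starting "EMET"
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$emet = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'EMET*' } |
        Select-Object -First 1 DisplayName, DisplayVersion

if ($hasExploitGuard) {
    "Build $build: Exploit Guard present, EMET not required."
}
elseif ($emet) {
    "Build $build: pre-RS3 with $($emet.DisplayName) $($emet.DisplayVersion) installed. " +
    "Exploit protection can work, but plan the Windows upgrade; EMET is no longer supported."
}
else {
    "Build $build: pre-RS3 and no EMET found. Exploit protection will not work until " +
    "Windows is upgraded (or EMET 5.5 is installed as a stopgap)."
}
```

Run it in an elevated PowerShell session on the endpoint, or wrap it in Invoke-Command to survey a group of sensors before switching the policy out of Disabled.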

To set the Exploit protection mode, follow these steps:

  1. In your sensor policy, navigate to the Exploit protection screen.

  2. In the Exploit protection screen, set the Exploit Protection toggle to On.

    Exploit Protection - Main

  3. Select an Exploit protection mode:

    Mode: Cautious (default)

      Description: Exploit protection is enabled using a configuration defined by Cybereason according to standard security baselines.

      Considerations: Cybereason recommends that you select this mode when your organization begins to use the Exploit protection feature.

      Note: Cautious is the default mode in version 21.2.103 and later. In earlier versions, the default mode was Existing endpoint configuration.

    Mode: Aggressive

      Description: Exploit protection is enabled using more aggressive security options, also defined according to the Cybereason security baselines.

      Considerations: While this is the most secure option, it might affect, and in some cases block, legitimate applications and processes. Cybereason recommends that you evaluate potential issues before you select a mode.

    Mode: Disabled

      Description: The Exploit protection toggle in the System > Policies Management > Exploit protection screen is turned off. In this mode, the Cybereason platform does not modify any mitigations and does not display blocked exploit attempts in the Cybereason UI.

Analyze blocked exploit attempts

With Exploit protection, analysts can drill down into blocked exploit attempts and investigate the data.

When the Cybereason platform blocks an exploit attempt, the Cybereason platform triggers a Malicious exploit attempt Endpoint Protection MalOp with the Prevented status, in two main scenarios:

  1. Exploit protection prevents an exploit attempt.

  2. The operating system prevents an exploit attempt, based on a system-wide mitigation or a mitigation that was dynamically applied to the process through the Windows API (for example, SetProcessMitigationPolicy). In this scenario the Cybereason platform does not modify the mitigations and does not affect the configuration applied to processes, but the block still triggers a MalOp.

Important

It is currently not possible to hide MalOps that apply to exploit attempts blocked by the operating system, as described in scenario 2. This capability will be added in future versions.
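When a MalOp arrives with the Prevented status, an analyst usually wants to know which of the two scenarios produced it. The snippet below is an added example (not Cybereason's code) of how to answer that from the endpoint for scenario 2: it lists the system-wide and per-image mitigations Windows has configured for the process named in the MalOp (visio.exe, the process from the example later on this page) and pulls the matching entries from the Windows Security-Mitigations event logs, which is where Exploit Guard records its own blocks. The process name and the choice to match events on the message text are assumptions; adjust them to the MalOp you are investigating.

```powershell
# Added example: determine whether a Prevented exploit MalOp came from a Windows-side
# mitigation (scenario 2) by inspecting the OS mitigation state for the affected process.
# Requires Windows 10 RS3+ (ProcessMitigations module) and an elevated session.

$processName = 'visio.exe'   # assumption: the process named in the MalOp

# 1. System-wide mitigation defaults that apply to every process
'--- System-wide mitigation settings ---'
Get-ProcessMitigation -System

# 2. Per-image mitigations configured for this executable (Exploit Guard policy / IFEO)
"--- Mitigations configured for $processName ---"
Get-ProcessMitigation -Name $processName

# 3. Exploit Guard writes its enforcement events to these two logs; a block here with a
#    timestamp matching the MalOp means the OS, not the Cybereason sensor, stopped the attempt.
$mitigationLogs = @(
    'Microsoft-Windows-Security-Mitigations/UserMode',
    'Microsoft-Windows-Security-Mitigations/KernelMode'
)
$since = (Get-Date).AddDays(-7)   # assumption: look back one week

"--- Security-Mitigations events mentioning $processName since $since ---"
foreach ($log in $mitigationLogs) {
    Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$processName*" } |
        Select-Object TimeCreated, Id, @{ n = 'Log'; e = { $log } },
                      @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
        Format-Table -AutoSize
}
```

If the mitigation output shows the relevant protection enabled on the OS side and a Security-Mitigations event lines up with the MalOp time, treat the block as an operating-system prevention; the Cybereason platform surfaces it but did not apply the mitigation, so tuning it means changing the Windows Exploit Guard configuration rather than the sensor policy mode.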

Example - blocked exploit analysis

In this example, the MalOp details indicate that an exploit attempt on the visio.exe process took place, and present additional details such as the affected machine (win10-cohen), the root cause (Malicious exploit attempt), and more.

Exploit Protection Malop

Click the Processes tab of the MalOp details to drill down into additional information, such as the relevant Evidences and Suspicions. In this example, an Evidence and Suspicion of type Exploit attempt are visible, including the text “An exploit attempt against this process was prevented”.

Exploit Protection - Malware Alert - Evidence and Suspicion

View Exploit protection modes in the Sensors screen

You can view the Exploit protection modes for single sensors or for groups of sensors in the Sensors screen.

To display the Exploit protection modes, select Columns to the right of the sensors table, and select the Exploit protection modes column.

Exploit Protection - Sensors Screen Column

The Exploit protection modes are visible in the sensors table.

Exploit Protection - Visible in Sensors Screen