Supported Features by Operating System
The following sections list the operating system support for various Cybereason platform features.
In this topic:
Endpoint machine prevention features
With prevention features, the Cybereason platform takes action against specific threats automatically. These features are supported in the operating systems noted below:
Feature |
Category |
Windows |
Mac |
Linux |
|---|---|---|---|---|
Anti-Malware |
Signature-based analysis |
✓ |
✓ |
✓ |
Anti-Malware |
Artificial Intelligence analysis |
✓ Not supported on endpoints with CSV (Cluster Shared Volume) file systems |
||
Anti-Malware |
Scheduled scans (full/quick) |
✓ |
✓ |
|
Anti-Malware |
On-file access scans |
✓ |
✓ |
✓ Not supported for RHEL 6/CentOS 6/Oracle Linux 6 |
Anti-Ransomware |
Anti-Ransomware |
✓ |
||
Application Control |
Application Control |
✓ Not supported on endpoints with CSV (Cluster Shared Volume) file systems |
||
Application Control |
SHA-1/SHA-256 hash-based prevention |
✓ |
||
Behavioral document protection |
Rule-based behavioral document protection |
✓ |
||
Behavioral document protection |
AI-based behavioral document protection |
✓ |
||
Behavioral execution prevention |
Behavioral execution prevention rules |
✓ |
||
Behavioral execution prevention |
Variant payload protection |
✓,,✓ Windows 10 RS2 and later |
||
Behavioral execution prevention |
Variant file prevention |
✓ |
||
Endpoint Controls |
Device Control |
✓ |
✓ USB Devices only |
✓ |
Endpoint Controls |
Personal firewall control |
✓ |
✓ |
|
Endpoint controls |
Full disk encryption visibility |
✓ |
||
Exploit Protection |
Exploit Protection |
✓ If you are using a version of Windows that does not include Exploit Guard (versions earlier than Windows 10 Fall Creators Update or RS3), EMET 5.5 is required for Exploit protection to work. If EMET is not installed, we recommend to upgrade to the latest Windows version, because Windows no longer officially supports EMET. |
||
Fileless protection |
Fileless protection |
✓ |
||
Fileless protection |
Anti-Malware Scan Interface (AMSI)-based protection |
✓ Windows 10 and later |
||
Predictive Ransomware Protection |
✓ |
Endpoint machine data collection features
Cybereason sensors collect data about the events and operations that occur on each endpoint throghout your organization to help identify patterns of malicious behavior.
The Cybereason platform supports the following features in the operating systems detailed below:
Feature |
Category |
Windows |
macOS |
Linux |
|---|---|---|---|---|
Active Directory |
Active Directory data |
✓ |
||
Connection |
Long-lived connection |
✓ |
✓ |
✓ On Linux sensors, this connection type does not include rx/tx bytes. |
Connection |
Short-lived connection |
✓ |
✓ Not supported on CentOS 6, RHEL 6, Oracle Linux 6, SLES 12, Debian 8/9, or Amazon Linux AMI 2017.03. |
|
Connection |
TCP |
✓ |
✓ |
✓ |
Connection |
UDP |
✓ |
||
Domain request and response |
Domain request and response details |
✓ |
✓ Version 23.2.87 and later |
✓ For Linux sensors, domain request and response requires libpcap version 1.0 or higher, and Linux kernel version 2.6.32-358 or higher. |
Drivers |
Drivers installed on machine |
✓ |
✓ |
✓ Not supported on CentOS 6, RHEL 6, Oracle Linux 6, SLES 12, Debian 8/9, Amazon Linux AMI 2017.03. |
File |
Download source info |
✓ |
||
File |
MD5, SHA-1, and SHA-256 file hashes |
✓ |
✓ |
✓ |
File |
Icon collection |
✓ |
✓ |
|
File |
Metadata for non-exe files |
✓ |
||
File |
File properties |
✓ |
✓ |
✓ |
File |
File signatures |
✓ |
✓ |
✓ |
File events |
✓ Not recommended for use on server machines. |
✓ |
||
Hosts file |
Host file details |
✓ |
||
Logon session |
Logon session details |
✓ |
✓ |
✓ |
Machine |
Machine information |
✓ |
✓ |
✓ |
Modules |
Floating modules |
✓ |
||
Modules |
Long-lived modules |
✓ |
||
Modules |
Short-lived modules |
✓ |
||
Mount Point |
Mount point details |
✓ |
✓ |
✓ |
Network interface |
Network interface details |
✓ |
✓ |
✓ |
Process |
Process aggregation |
✓ |
||
Process |
Code Injection |
✓ |
||
Process |
Long-lived processes |
✓ |
✓ |
✓ |
Process |
Short-lived processes |
✓ |
✓ |
✓ |
Proxy |
Proxies configured on machine |
✓ |
✓ |
|
Registry |
Registry entries |
✓ |
||
Registry Events |
Registry event details |
✓ |
||
Remote Logon Sessions |
Remote logon session details |
✓ |
✓ |
✓ |
Scheduled Task |
Scheduled task details |
✓ |
✓ Scheduled tasks are displayed as part of services. |
|
Services |
Service details and properties |
✓ |
✓ |
✓ Services are not collected on CentOS 6 and Ubuntu 14. |
User |
User account details |
✓ |
✓ |
✓ |
WMI activity |
WMI activity details |
✓ |
||
WMI persistent objects |
WMI persistent object details |
✓ |
Response features
With response features, the Cybereason platform identifies a threat, and then you specify an action for the Cybereason platform to take. For example, you might instruct the Cybereason platform to isolate a machine or kill a process.
The Cybereason platform’s response actions fall into multiple categories:
MalOp response: Using the capabilities of the Cybereason platform’s EDR module, these actions enable you to address threats immediately. When the Cybereason platform detects a potentially malicious operation, the platform generates a MalOp. In the MalOp, you view, understand, and analyze the activities associated with the MalOp and respond accordingly to stop potential problems.
Digital Forensics and Incident Response (DFIR): Using the Cybereason platform’s DFIR module, you can supplemenet the native response abilities of the Cybereason platform. These features help you automatically deploy and run incident response and forensic data ingestion tools using the Cybereason platform.
The Cybereason platform supports the following features in the operating systems detailed below:
Feature |
Category |
Windows |
Mac |
Linux |
|---|---|---|---|---|
DFIR |
Manage incident response (IR) tools |
✓ |
✓ |
|
DFIR |
Browse files from the Element Details screen |
✓ |
||
DFIR |
Download files from the Element Details screen |
✓ |
✓ |
✓ |
DFIR |
Live File search |
✓ |
✓ |
|
DFIR |
Live File search with YARA rules |
✓ |
||
Machine isolation |
Isolate machine |
✓ |
✓ |
✓ Not supported on SLES and CentOS 6 |
Machine isolation |
Customize the queue period |
✓ |
✓ |
✓ |
Machine isolation |
Machine isolation exception rules |
✓ |
✓ |
✓ |
Machine isolation |
Machine isolation exceptin rules for IP range |
✓ |
✓ |
✓ |
Remediation actions |
Kill process |
✓ |
✓ |
✓ |
Remediation actions |
Quarantine file |
✓ |
✓ Not supported for DMG files and files downloaded from the Internet on OSX operating systems. |
✓ |
Remediation actions |
Unquarantine file |
✓ |
||
Remediation actions |
Add unquarantine file to allowlist |
✓ |
||
Remediation actions |
Download quarantined file |
✓ |
||
Remediation actions |
Remove registry entries |
✓ |
||
Remediation actions |
Suspend/unsuspend ransomware |
✓ |
||
Remediation actions |
Prevent a file’s execution |
✓ |
||
Remote Shell |
Restricted mode |
✓ |
✓ |
✓ |
Remote Shell |
Unrestricted mode |
✓ |
✓ |
✓ |
Remote Shell |
Sensor group access |
✓ |
✓ |
✓ |
Sensor platform features
The Cybereason platform supports the following sensor features on the operating systems listed below:
Feature |
Windows |
Mac |
Linux |
|
|---|---|---|---|---|
Data collection continues when the sensor is disconnected |
✓ |
✓ |
✓ |
|
Decommission sensors |
✓ |
✓ |
✓ |
|
Digital signing for the sensor file |
✓ |
✓ |
✓ |
|
eBPF framework for process collection |
✓ In versions 23.2.65 and later |
|||
ESF framework for process collection |
✓ |
|||
Endpoint Management Channel |
✓ |
✓ (Authenticated URL feature: Big Sur and higher) |
✓ |
|
Exclusion obfuscation in logs |
✓ |
✓ |
✓ |
|
Scaled sensor upgrade process |
✓2 |
|||
Process collection from the drive |
✓ Versions 23.2.65 and later |
|||
Proxy connection for sensor - auto-detect proxy |
✓ |
✓ |
✓ |
|
Proxy connection for sensor - manual assignment |
✓ |
✓ |
✓ |
|
Proxy connection for sensor - use PAC file or server |
✓ |
✓ |
||
Quarantine file cleanup |
✓ |
✓ |
||
Registration server for sensor assignment to Detection servers |
✓ |
✓ |
✓ |
|
Restart sensor |
✓ |
✓ |
✓ |
|
Sensor binary files with the Sectigo certificate |
✓ |
|||
Sensor works in Safe mode |
✓ |
✓ |
✓ |
|
Sensor installation for sensor groups |
✓ |
✓ |
✓ |
|
Sensor tampering protection |
✓ |
|||
Start/stop sensor |
✓ |
✓ |
✓ |
|
Uninstall sensors from the Sensors screen |
✓ |
|||
Uninstall password |
✓ Not on Windows 8 |
|||
Uninstall sensors from file |
✓ |
|||
Upgrade sensor |
✓ |
✓ |
✓ |
|
Upgrade sensor - prerequisite checks |
✓ |