Endpoint Machine Notifications and Desktop Settings
This section describes how the Cybereason platform sends notifications to endpoint machines and how to configure the notifications.
System tray icon and notifications
A Cybereason icon appears on the system tray of machines on which activity has been detected. This icon is displayed by default for all endpoints on which Cybereason is installed, regardless of which NGAV or EDR features are enabled or disabled on the endpoint.
The Cybereason system tray icon with full notifications functionality is supported on Windows endpoints. From version 23.2.14x, a simple system tray icon is displayed for macOS endpoints (in the future, this icon will also include notifications functionality).
For the system tray icon and notifications to appear, the end user machine must have .NET Framework 4.0 or higher enabled and have Windows Notifications enabled. For more information, see Configure Windows Notification Settings.
Notifications
The end user machine displays a popup notification when malware is detected. Notifications also appear in the Windows Action Center.
Note
The color of the Cybereason icon has been changed to white. In previous versions, the icon was blue.
The following statuses are possible:
Status | Meaning |
---|---|
A malicious file was quarantined from this path | An analyst selected the Quarantine file remediation action for this endpoint machine, and a file under the specified path was quarantined. |
A malicious process was terminated | An analyst selected the Kill active processes remediation action for this endpoint machine (the machine on which the notification is triggered). |
A malicious registry key was deleted | An analyst selected the Remove a registry entry remediation action for this endpoint machine (the machine on which the notification is triggered). |
A quarantined file was restored under this path | An analyst selected the Unquarantine file remediation action for this endpoint machine, and a file was restored under the specified path. |
API invocation | Exploit protection detected an attempt to breach the API invocation mitigation. |
Binary loading | Exploit protection detected an attempt to breach the binary loading mitigation. |
Can’t update now. Please try again later. | User clicked to update, but Anti-Malware > Signatures update failed. |
Child process creation | Exploit protection detected an attempt to breach the child process creation mitigation. |
Cybereason protection is being installed | A first update of the Anti-Malware > Signatures database is in progress. |
Detection only | Anti-Malware > Signatures is set to Detect mode. |
Download and execute | The Cybereason platform detected an attempt to execute a downloaded payload. |
Dynamic code generation | Exploit protection detected an attempt to breach the dynamic code generation mitigation. |
Exploit attempt detected | Exploit protection detected an exploit attempt. |
Exploit attempt prevented | Exploit protection detected and prevented an exploit attempt. |
Export address | Exploit protection detected an attempt to breach the export address filtering mitigation. |
Heap spray | Exploit protection detected an attempt to breach the heap spray mitigation. |
Import address | Exploit protection detected an attempt to breach the import address filtering mitigation. |
Malicious download | The Cybereason platform detected an attempt to launch malicious ‘Downloads’ commands. |
Malicious file was detected | Anti-Malware detected a malicious file. |
Malware was quarantined | Anti-Malware quarantined a malicious file. |
Malicious payload detected | The Cybereason platform detected and blocked a malicious payload. |
Malicious PowerShell command was blocked | The Cybereason platform detected and blocked a malicious PowerShell command. |
Malware was blocked | Anti-Malware blocked a malicious file. |
Malware was detected and disinfected | Anti-Malware detected and disinfected a malicious file. |
Malware was detected | Anti-Malware detected a malicious file. |
.NET Malicious floating module | The Cybereason platform detected a malicious floating module. |
PowerShell attack was blocked | The Cybereason platform detected and blocked a PowerShell attack. |
PowerShell attack was detected | The Cybereason platform detected a PowerShell attack. |
Ransomware was detected | The Cybereason platform detected a malicious process that indicates a ransomware attack. |
Simulate execution | Exploit protection detected an attempt to breach the simulate execution mitigation. |
Stack integrity | Exploit protection detected an attempt to breach the stack integrity mitigation. |
System call | Exploit protection detected an attempt to breach the system call mitigation. |
System is currently performing an update | Anti-Malware > Signatures is currently downloading an update. |
Update is on the way | User clicked to update. Anti-Malware > Signatures update is now in progress. |
USB device was blocked | The Cybereason platform blocked a removable storage device on the endpoint machine (the Endpoint controls > Device control option is enabled on the policy assigned to this endpoint machine). |
Your machine is no longer isolated. | An analyst selected the Stop isolating remediation action for this endpoint machine. |
Your machine was isolated for security purposes. Contact your IT team. | An analyst selected the Isolate machine remediation action for this endpoint machine (the machine on which the notification is triggered). |
Your PC is protected | Anti-Malware > Signatures is enabled and is set to Disinfect mode. |
The machine user can optionally trigger a manual Anti-Malware signature database update from the system tray icon by clicking Update. This is not usually necessary because, by default, signatures are updated every 15 minutes.
System tray icon - Signatures scan actions and details
The machine user can right-click the Cybereason icon to perform updates or Anti-Malware Signatures scans, or to view the Anti-Malware Signatures status and installation details. For more information on types of Signatures scans, see How does signature-based analysis work?.
When a machine user right-clicks the Cybereason icon, the following options are visible:
Option | Description |
---|---|
Update | Instructs the Cybereason platform to immediately trigger an update of the Anti-Malware signature database. |
Quick scan | Runs a quick scan. For more information on types of scans, see Configure scan properties. |
Full scan | Runs a full scan. For more information on types of scans, see Configure scan properties. |
Stop scan | Stops a scan that is currently running. This action is only visible when a scan is in progress. |
Note
If a user attempts to click Quick scan or Full scan while a scan is running, one of the following notifications appears in the system tray: “The Cybereason platform is running a quick scan” or “The Cybereason platform is running a full scan”.
Details related to the Anti-Malware Signatures mode feature are visible below the actions. Details include:
Field | Description |
---|---|
Connection Status | The connection status of the sensor with the Cybereason server (from version 23.1.152 and higher). |
Status | The Anti-Malware > Signatures mode status. For example, this indicates whether the feature is being installed or whether a scan is running. |
Last update | The time of the last Anti-Malware signature database update. |
Last full scan | The time of the last full scan. |
Last quick scan | The time of the last quick scan. |
Signature DB version | The version of the Signatures database. |
Version | The Cybereason sensor version (from version 23.1.152 and higher). |
Configure end user desktop settings
You can configure end user UI settings to show/hide the system tray icon and notifications on end user machines.
Administrators can configure the following settings when creating or editing policies:
- Show/hide the system tray icon.
- Show or hide notifications of activity for different NGAV features.
This enables SOC teams to notify end users when remediation actions are performed on their machine.
Enable notifications
To help deliver notifications, the Cybereason sensors use the system tray icon. Before you can deliver specific notifications, you must enable the system tray icon:
1. In your sensor policy, navigate to the Endpoint UI Settings screen.
2. In the Endpoint UI Settings screen, find the System tray icon section and set the toggle to Show.
Note
Presently, if your Cybereason environment uses Exploit protection, end users still receive desktop notifications about detected exploit attempts even when this option is set to Hide.
Select notification types
After you enable the system tray icon, you can select the different types of notifications to share with the endpoint machine user.
To set notification types, follow these steps:
1. In your sensor policy, navigate to the Endpoint UI Settings, and then navigate to the Notifications section.
2. Select the items for which to notify end users:
   - Signatures AV
   - Artificial intelligence
   - PowerShell
   - Ransomware
   - Remediation actions
3. For each option, select All alerts.
The notifications display notable actions that the Cybereason platform performs, including prevention and remediation actions.
Note
Selecting or deselecting Prevention only and Alerts does not affect Remediation action notifications.
The default settings are displayed in the image below: