
Testing Threats after Updates to Dell Endpoint Security Suite Enterprise Advanced Threat Protection detection method

Summary: Suggested methods for testing threats after updates to Dell Endpoint Security Suite Enterprise Advanced Threat Protection.

Symptoms
Affected Products:

  • Dell Endpoint Security Suite Enterprise
  • Dell Threat Defense

Affected Versions

  • 1371
  • 1391
  • 1.0.1
  • 1.2
  • 1.2.1392
  • 2.0.1451
  • 2.0.1452

Cause

Not Applicable

Resolution

Dell Technologies recommends that users set their Agent Update setting to Auto-Update to receive the latest features, enhancements, and bug fixes the product has to offer.

When an organization wants to test a new agent or a new model update before it is deployed to all of its devices, the Agent Update setting can be changed. This lets the organization manually deploy new agent updates to test devices and review the results before updating the rest of the devices in the organization.

When testing new agent or model updates, use devices or virtual machines that represent the computers in your organization and that run the software used in your environment, especially any custom-made software that is unique to your organization.

Note: Once the evaluation is complete, it is recommended to set the Agent Update setting back to Auto-Update.

Deployment Procedures

File Size

Agent updates that do not include a new threat model contain only the files that the Agent needs. On average, this is roughly 5 MB per agent version. Agent updates that contain a new threat model are roughly 350 MB. If you deploy Agents manually, a package is available from Dell Support.

Note: The Offline installer by Dell Support contains both an installer and an update package for 32 and 64-bit devices.

Simultaneous Device Updates

By default, the number of simultaneous device updates is limited to 1000 devices at a time. This limit can be raised or lowered based on the needs of the environment, but only by Dell Support. Reference the contact information at the bottom of this KB article.

Reviewing Results:

For New Agent Updates:

Check the Device Details page for each test computer and look for items that are marked as Abnormal or Unsafe.

  1. Log in to the Dell Data Protection Remote Management Console.
  2. Select Enterprise, then click Advanced Threats, then select Agents. The Agent Details page displays.
  3. Click a device name from the Device List. The Device Details page displays.
  4. Under Threats & Activities, review any items that are listed under Threats, Exploit Attempts, and Script Control (if enabled).
  5. For items that are considered Abnormal or Unsafe but should be allowed to run, you have a few options:
    • If the item should be allowed to run on all devices, then add it to the Global Safe List.
    • If the item should be allowed to run on a group of devices, but not all devices, then add it to a Policy Safe List.
    • If the item should be allowed to run on a single device, then Waive it for that device.

For New Model Updates:

Use the Production Status and New Status columns on the Protection page to review changes between the existing model and the new model. This provides information about any Cylance Score changes to items in your organization.

  1. Log in to the Dell Data Protection Remote Management Console.
  2. Select Protection, then add the Classification, Production Status, and New Status columns.
  3. Look for changes between the Production Status and New Status columns. If any changes would impact your organization, you can either Safelist or Quarantine the item at the level that makes sense (Global, Policy, or Local).

Note: Leaving Auto-Update disabled means that your Agents do not receive any new features, enhancements, or bug fixes until you decide to update. Because updates occur frequently, Agents become outdated quickly.

To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.

Article Properties


Affected Product

Dell Threat Defense, Dell Endpoint Security Suite Enterprise

Last Published Date

02 Oct 2023

Version

8

Article Type

Solution