Dell Recommended Policies for Dell Endpoint Security Suite Enterprise Advanced Threat Protection and Prevention

Advanced Threat Prevention (Primary Switch)

On

This policy value determines whether the clients can consume policies for Advanced Threat Prevention.

This also enables file actions and execution control, which cannot be disabled.

Execution control encompasses background Threat Detection and File Watcher. This module within ATP analyzes and abstracts the intentions of a Portable Executable (PE) based on its intended actions and behavior. All files detected by Execution Control, and along with BTD and File Watcher, are processed based on the policies that correlate to Auto-Quarantine. These actions are performed based on the absolute path location of the Portable Executable.

File Actions:

Unsafe Executable Auto Quarantine With Executable Control Enabled

Unsafe Executable Auto Upload Enabled

Enabled

Sets whether severe threats are uploaded to the cloud to perform a second-opinion check on these threats.

Abnormal Executable Auto Quarantine With Executable Control Enabled

Disabled

This determines whether files that are considered a potential threat are automatically quarantined.

Abnormal Executable Auto Upload Enabled

Enabled

Sets whether potential threats are uploaded to the cloud to perform a second-opinion check on these threats.

Allow Execution of Files in Exclude Folders

Enabled

This applies to the Policy Exclude Specific Folders within the Protection Settings policy group. This allows executables within the Excluded folders to run even if they are automatically quarantined.

Auto Delete

Disabled

This enables the timer on the Days until Deleted policy. This applies to quarantined items, once the Days until Deleted elapses, any threats within a quarantine folder are automatically removed if this policy is enabled.

Days until Deleted

14

This determines the number of days, per threat, that an item remains in the local quarantine folder.

Memory Actions

Memory Protection Enabled

Enabled

This enables the Memory Protection functionality Memory protection’s module analyzes and interprets the intentions of running applications by monitoring the interactions between applications and the operating system in memory.

Enable Exclude executable files

Enabled

This allows for specific executables to be excluded from Memory Protection.

Exclude executable files

Blank

All exclusions added must be specified using the relative path of that executable file (exclude the drive letter from the path).

Correct (OS X):
/Users/application.app/executable
Correct (Windows):
\Application\SubFolder\application.exe
Incorrect:
C:\Application\SubFolder\application.exe
Incorrect:
\Application\SubFolder\

Exploitation: Stack Pivot

Alert

The stack for a thread has been replaced with a different stack. Generally, the computer allocates a single stack for a thread. An attacker would use a different stack to control execution in a way that Data Execution Prevention (DEP) cannot block.

Applies to: Windows, Mac

Exploitation: Stack Protect

Alert

The memory protection of a thread's stack has been modified to enable execution permission. Stack memory should not be executable, so usually this means that an attacker is preparing to run malicious code that is stored in stack memory as part of an exploit, an attempt which Data Execution Prevention (DEP) would otherwise block.

Applies to: Windows, Mac

Exploitation: Overwrite Code

Alert

Code residing in a process's memory has been modified using a technique that may indicate an attempt to bypass Data Execution Prevention (DEP).

Applies to: Windows

Exploitation: Scanner Memory Search

Alert

A process is trying to read valid magnetic stripe track data from another process. Typically related to point-of-sale computers (POS)

Applies to: Windows

Exploitation: Malicious Payload

Alert

A process is trying to read valid magnetic stripe track data from another process. Typically related to point-of-sale computers (POS)

Applies to: Windows

Exploitation: Malicious Payload

Alert

A generic shellcode and payload detection that is associated with exploitation has been detected.

Applies to: Windows

Process Injection: Remote Allocation of Memory

Alert

A process has allocated memory in another process. Most allocations only occur within the same process. This generally indicates an attempt to inject code or data into another process, which may be a first step in reinforcing a malicious presence on a computer.

Applies to: Windows, Mac

Process Injection: Remote Mapping of Memory

Alert

A process has introduced code or data into another process. This may indicate an attempt to begin running code in another process and reinforce a malicious presence.

Applies to: Windows, Mac

Process Injection: Remote Write to Memory

Alert

A process has modified memory in another process. This is usually an attempt to store code or data in previously allocated memory (see OutofProcessAllocation), but it is possible that an attacker is trying to overwrite existing memory in order to divert execution for a malicious purpose.

Applies to: Windows, Mac

Process Injection: Remote Write PE to Memory

Alert

A process has modified memory in another process to contain an executable image. Generally, this indicates that an attacker is attempting to run code without first writing that code to disk.

Applies to: Windows, Mac

Process Injection: Remote Overwrite Code

Alert

A process has modified executable memory in another process. Under normal conditions executable memory is not modified, especially by another process. This usually indicates an attempt to divert execution in another process.

Applies to: Windows, Mac

Process Injection: Remote Unmap of Memory

Alert

A process has removed a Windows executable from the memory of another process. This may indicate an intent to replace the executable image with a modified copy for diverting execution.

Applies to: Windows, Mac

Process Injection: Remote Thread Creation

Alert

A process has created a thread in another process. An attacker uses this to activate a malicious presence that has been injected into another process.

Applies to: Windows, Mac

Process Injection: Remote APC Scheduled

Alert

A process has diverted the execution of another process's thread. An attacker uses this to activate a malicious presence that has been injected into another process.

Applies to: Windows

Process Injection: DYLD Injection (Mac OS X only)

Alert

An environment variable has been set that causes a shared library to be injected into a launched process. Attacks can modify the plist of applications like Safari or replace applications with bash scripts that cause their modules to be loaded automatically when an application starts.

Applies to: Mac

Escalation: LSASS Read

Alert

Memory belonging to the Windows Local Security Authority process has been accessed in a manner that indicates an attempt to obtain users' passwords.

Applies to: Windows

Escalation: Zero Allocate

Alert

A null page has been allocated. The memory region is typically reserved, but in certain circumstances it can be allocated. Attacks can use this to setup privilege escalation by taking advantage of some known null de-reference exploits, typically in the kernel.

Applies to: Windows, Mac

Execution Control

Prevent Service Shutdown from Device

Disabled

When Enabled prevents the ability to stop the ATP service. This also prevents the application from being uninstalled.

Kill Unsafe Running Process and Sub-Processes

Disabled

Enabling this feature allows for the detection and termination of any memory-based threat that spawns sub-processes.

Background Threat Detection

Run Once

This determines if a scan of existing files is run on the device. This can be set to Disabled, Run Once, or Run Recurring.

If Watch For New Files is enabled, it is recommended to configure Background Threat Detection to Run Once. You must check existing files one time only if you are also watching for new and updated files.

Watch For New Files

Enabled

Setting this to Enabled allows the detection and analysis of any files that are newly written to the device or that are changed.

Set Maximum Archive File Size to Scan

150

Configures the maximum decompressed archive size that can be analyzed Size is in megabytes.

Defines a list of folders in File Watcher that are not being monitored, the policy of Allow Execution of Files in Exclude Folders prevents the quarantine of any files run from these directories. This policy prevents the scanning of these directories by Watch for New Files or Background Threat Detection.

All exclusions added must be specified using the absolute path of that executable file (include the drive letter from the path).

Correct (OS X):
/Mac\ HD/Users/Application\ Support/Dell
Correct (Windows):
C:\Program Files\Dell\
Incorrect:
\Program Files\Dell\
Incorrect:
C:\Program Files\Dell\Executable.exe

This defines a list of folders in application control that are not monitored.

All exclusions added must be specified using the absolute path of that executable file (include the drive letter from the path).

Correct (OS X):
/Mac\ HD/Users/Application\ Support/Dell
Correct (Windows):
C:\Program Files\Dell\
Incorrect:
\Program Files\Dell\
Incorrect:
C:\Program Files\Dell\Executable.exe

Enables the use of Script Control

Script Control monitors applications and services that can run actions within the operating system. These applications are commonly called interpreters. ATP monitors these applications and services for any scripts that attempt to run and, based on policies, either notifies of their action having been taken or blocks the actions from occurring. These decisions are made based on the script name and the relative path where the script was run.

When set to Block, no script-based items run. This includes any active script, macro-based script, or PowerShell-based script. In later versions, these are separated into their own policies.

Applies to: 1.2.1371 and earlier builds of ESSE

When set to Block, this disables the ability to run JavaScript, VBscript, batch, Python, Perl, PHP, Ruby, and many other scripts.

Applies to: 1.2.1391 and later builds of ESSE.

Setting this to Alert enables the analysis of Macros within documents to determine if they are running potentially malicious commands. If a threat is perceived, the Block setting prevents the macro from running. Macros that run on launch may prevent the application from loading.

Applies to: 1.2.1391 and later builds of ESSE.

When set to Block, this prevents any PowerShell-based scripts from running in the environment.

Applies to: 1.2.1391 and later builds of ESSE.

When set to Block, this prevents the PowerShell V3 console and ISE from launching.

Applies to: 1.2.1391 and later builds of ESSE.

This section details the folders in Script Control that are not monitored.

• Folder paths can be to a local drive, a mapped network drive, or a universal naming convention (UNC) path.
• Script folder exclusions must specify the relative path of the folder or sub-folder.
• Any specified folder path also includes any sub-folders.
• Wildcards are not supported.

Correct (Mac):
/Mac\ HD/Users/Cases/ScriptsAllowed
Correct (Windows):
\Cases\ScriptsAllowed.
Incorrect:
C:\Application\SubFolder\application.vbs
Incorrect:
\Program Files\Dell\application.vbs

This policy leverages by disconnected mode for ESSE. This allows customers to have an environment entirely separated from the internet.

This policy determines specific threat paths and certificates that should be allowed within the environment.

This policy leverages by disconnected mode for ESSE. This allows customers to have an environment entirely separated from the internet.

This is a defined list of known bad hashes that is automatically quarantined when encountered by the agent.

This policy leverages by disconnected mode for ESSE. This allows customers to have an environment entirely separated from the internet.

This policy determines specific threat hashes that should be allowed within the environment.

This Defines what is notified to the end user if the policy Suppress Popup Notifications is disabled.

High

• Protection status has changed. (Protected means that the Advanced Threat Prevention service is running and protecting the computer and needs no user or administrator interaction.)
• A threat is detected, and policy is not set to automatically address the threat.

Medium

• Execution Control blocked a process from starting because it was detected as a threat.
• A threat is detected that has an associated mitigation (for example, the threat was manually quarantined), so the process has been terminated.
• A process was blocked or terminated due to a memory violation.
• A memory violation was detected and no automatic mitigation policy is in effect for that violation type.

Low

• A file that was identified as a threat, has been added to the Global Safe List or deleted from the file system.
• A threat has been detected and automatically quarantined.
• A file has been identified as a threat but waived on the computer.
• The status of a current threat has changed. For example, Threat to Quarantined, Quarantined to Waived, or Waived to Quarantined.

Advanced Threat Prevention (Primary Switch)

On

This policy value determines whether the clients can consume policies for Advanced Threat Prevention.

This also enables File Actions and Execution Control, which cannot be disabled.

Execution control encompasses Background Threat Detection and File Watcher. This module within ATP analyzes and abstracts the intentions of a Portable Executable (PE) based on its intended actions and behavior. All files detected by Execution Control, and BTD and File Watcher, are processed based on the policies that correlate to Auto-Quarantine. These actions are performed based on the absolute path location of the Portable Executable.

File Actions:

Unsafe Executable Auto Quarantine With Executable Control Enabled

Unsafe Executable Auto Upload Enabled

Enabled

Sets whether severe threats are uploaded to the cloud to perform a second-opinion check on these threats.

Abnormal Executable Auto Quarantine With Executable Control Enabled

Enabled

This determines whether files that are considered a potential threat are automatically quarantined.

Abnormal Executable Auto Upload Enabled

Enabled

Sets whether potential threats are uploaded to the cloud to perform a second-opinion check on these threats.

Allow Execution of Files in Exclude Folders

Enabled

This applies to the policy Exclude Specific Folders within the Protection Settings policy group. This allows executables within the Excluded folders to run even if they are automatically quarantined.

Auto Delete

Enabled

This enables the timer on the days until deleted policy, this applies to quarantined items, as well. Once the days until deleted elapses, any threats within a quarantine folder are automatically removed if this policy is enabled.

Days until Deleted

14

Determines the number of days, per threat, that an item remains in the local quarantine folder.

Memory Actions

Memory Protection Enabled

Enabled

This enables the Memory Protection functionality, memory protection’s module analyzes, and interprets the intentions of running applications by monitoring the interactions between applications and the operating system in memory.

Enable Exclude executable files

Enabled

This allows for specific executables to be excluded from Memory Protection.

Exclude executable files

Varies based on the environment

All exclusions added must be specified using the relative path of that executable file (exclude the drive letter from the path).

Correct (OS X):
/Users/application.app/executable
Correct (Windows):
\Application\SubFolder\application.exe
Incorrect:
C:\Application\SubFolder\application.exe
Incorrect:
\Application\SubFolder\

Exploitation: Stack Pivot

Terminate

The stack for a thread has been replaced with a different stack. Generally, the computer only allocates a single stack for a thread. An attacker would use a different stack to control execution in a way that Data Execution Prevention (DEP) does not block.

Applies to: Windows, Mac

Exploitation: Stack Protect

Terminate

The memory protection of a thread's stack has been modified to enable execution permission. Stack memory should not be executable, so usually this means that an attacker is preparing to run malicious code that is stored in stack memory as part of an exploit, an attempt which Data Execution Prevention (DEP) would otherwise not block.

Applies to: Windows, Mac

Exploitation: Overwrite Code

Terminate

Code residing in a process's memory has been modified using a technique that may indicate an attempt to bypass Data Execution Prevention (DEP).

Applies to: Windows

Exploitation: Scanner Memory Search

Terminate

A process is trying to read valid magnetic stripe track data from another process, typically related to point-of-sale computers (POS).

Applies to: Windows

Exploitation: Malicious Payload

Terminate

A generic shellcode and payload detection that is associated with exploitation has been detected.

Applies to: Windows

Process Injection: Remote Allocation of Memory

Terminate

A process has allocated memory in another process. Most allocations only occur within the same process. This generally indicates an attempt to inject code or data into another process, which may be a first step in reinforcing a malicious presence on a computer.

Applies to: Windows, Mac

Process Injection: Remote Mapping of Memory

Terminate

A process has introduced code or data into another process. This may indicate an attempt to begin running code in another process and reinforce a malicious presence.

Applies to: Windows, Mac

Process Injection: Remote Write to Memory

Terminate

A process has modified memory in another process. This is usually an attempt to store code or data in previously allocated memory (see OutOfProcessAllocation), but it is possible that an attacker is trying to overwrite existing memory in order to divert execution for a malicious purpose.

Applies to: Windows, Mac

Process Injection: Remote Write PE to Memory

Terminate

A process has modified memory in another process to contain an executable image. Generally this indicates that an attacker is attempting to run code without first writing that code to disk.

Applies to: Windows, Mac

Process Injection: Remote Overwrite Code

Terminate

A process has modified executable memory in another process. Under normal conditions executable memory is not modified, especially by another process. This usually indicates an attempt to divert execution in another process.

Applies to: Windows, Mac

Process Injection: Remote Unmap of Memory

Terminate

A process has removed a Windows executable from the memory of another process. This may indicate an intent to replace the executable image with a modified copy for diverting execution.

Applies to: Windows, Mac

Process Injection: Remote Thread Creation

Terminate

A process has created a thread in another process. An attacker uses this to activate a malicious presence that has been injected into another process.

Applies to: Windows, Mac

Process Injection: Remote APC Scheduled

Terminate

A process has diverted the execution of another process's thread. An attacker uses this to activate a malicious presence that has been injected into another process.

Applies to: Windows

Process Injection: DYLD Injection (Mac OS X only)

Terminate

An environment variable has been set that causes a shared library to be injected into a launched process. Attacks can modify the plist of applications like Safari or replace applications with bash scripts that cause their modules to be loaded automatically when an application starts.

Applies to: Mac

Escalation: LSASS Read

Terminate

Memory belonging to the Windows Local Security Authority process has been accessed in a manner that indicates an attempt to obtain users' passwords.

Applies to: Windows

Escalation: Zero Allocate

Terminate

A null page has been allocated. The memory region is typically reserved, but in certain circumstances it can be allocated. Attacks can use this to set up privilege escalation by taking advantage of some known null de-reference exploits, typically in the kernel.

Applies to: Windows, Mac

Execution Control

Prevent Service Shutdown from Device

Enabled

When Enabled prevents the ability to stop the ATP service, even as computer. This also prevents the application from being uninstalled.

Kill Unsafe Running Process and Sub-Processes

Enabled

Enabling this feature allows for the detection and termination of any memory-based threat that spawns sub-processes.

Background Threat Detection

Run Once

This determines if a scan of existing files is run on the device. This can be set to Disabled, Run Once, or Run Recurring.

If Watch For New Files is enabled, it is recommended to configure Background Threat Detection to Run Once. You must check existing files one time only if you are also watching for new and updated files.

Watch For New Files

Enabled

Setting this to Enabled allows the detection and analysis of any files that are newly written to the device or that are changed.

Set Maximum Archive File Size to Scan

150

Configures the maximum decompressed archive size that can be analyzed Size is in megabytes.

This defines a list of folders in File Watcher that are not monitored. This policy of Allow Execution of Files in Exclude Folders prevents the quarantine of any files that are run from these directories. This policy prevents the scanning of these directories by Watch for New Files or Background Threat Detection.

All exclusions added must be specified using the Absolute path of that executable file (include the drive letter from the path).

Correct (OS X):
/Mac\ HD/Users/Application\ Support/Dell
Correct (Windows):
C:\Program Files\Dell\
Incorrect:
\Program Files\Dell\
Incorrect:
C:\Program Files\Dell\Executable.exe

This defines a list of folders in application control that are not monitored.

All exclusions added must be specified using the Absolute path of that executable file (include the drive letter from the path).

Correct (OS X):
/Mac\ HD/Users/Application\ Support/Dell
Correct (Windows):
C:\Program Files\Dell\
Incorrect:
\Program Files\Dell\
Incorrect:
C:\Program Files\Dell\Executable.exe

Enables the usage of Script Control

Script Control monitors applications and services that can run actions within the operating system. These applications are commonly called interpreters. ATP monitors these applications and services for any scripts that attempt to run and based on policies, either notifies of their action having been taken, or blocks the actions from occurring. These decisions are made based on the script name and the relative path where the script was run from.

When set to Block no script-based items run. This includes any active script, macro based script, or PowerShell based script. In later versions, these are separated into their own policies.

Applies to: 1.2.1371 and earlier builds of ESSE

When set to Block this disables the ability to run JavaScript, VBscript, batch, Python, Perl, PHP, Ruby, and many other scripts.

Applies to: 1.2.1391 and later builds of ESSE.

Setting this to Alert enables the analysis of Macros within documents to determine if they are running potentially malicious commands. If a threat is perceived, the "Block" setting prevents the macro from running. Macros that run on launch may prevent the application from loading.

Applies to: 1.2.1391 and later builds of ESSE.

When set to Block this prevents any PowerShell-based scripts from running in the environment.

Applies to: 1.2.1391 and later builds of ESSE.

When set to Block prevents the PowerShell V3 console and ISE from launching.

Applies to: 1.2.1391 and later builds of ESSE.

This section details the folders in Script Control that are not monitored.

• Folder paths can be to a local drive, a mapped network drive, or a universal naming convention (UNC) path.
• Script folder exclusions must specify the relative path of the folder or sub-folder.
• Any specified folder path also includes any sub-folders.
• Wildcards are not supported.

Correct (Mac):
/Mac\ HD/Users/Cases/ScriptsAllowed
Correct (Windows):
\Cases\ScriptsAllowed.
Incorrect:
C:\Application\SubFolder\application.vbs
Incorrect:
\Program Files\Dell\application.vbs

This policy leverages by Disconnected mode for ESSE. This allows for customers to have an environment entirely separated from the internet.

This policy determines specific threat paths and certificates that should be allowed within the environment.

This policy leverages by Disconnected mode for ESSE. This allows for customers to have an environment entirely separated from the internet.

This is a defined list of known-bad hashes that are automatically quarantined when encountered by the agent.

This policy leverages by Disconnected mode for ESSE. This allows for customers to have an environment entirely separated from the internet.

This policy determines specific threat hashes that should be allowed within the environment.

This defines what is notified to the end user if the policy Suppress Popup Notifications is disabled.

High

• Protection status has changed. (Protected means that the Advanced Threat Prevention service is running and protecting the computer and needs no user or administrator interaction.)
• A threat is detected, and policy is not set to automatically address the threat.

Medium

• Execution Control blocked a process from starting because it was detected as a threat.
• A threat is detected that has an associated mitigation (for example, the threat was manually quarantined), so the process has been terminated.
• A process was blocked or terminated due to a memory violation.
• A memory violation was detected and no automatic mitigation policy is in effect for that violation type.

Low

• A file that was identified as a threat has been added to the Global Safe List or deleted from the file system.
• A threat has been detected and automatically quarantined.
• A file has been identified as a threat but waived on the computer.
• The status of a current threat has changed (for example, Threat to Quarantined, Quarantined to Waived, or Waived to Quarantined).