Dell Threat Defense Policy Recommendations
Summary: Learn about recommended policies and policy definitions for Dell Threat Defense.
Instructions
- As of May 2022, Dell Threat Defense has reached End of Maintenance. This product and its articles are no longer updated by Dell. For more information, reference Product Life Cycle (End of Support and End of Life) Policy for Dell Data Security. If you have any questions on alternative articles, either reach out to your sales team or contact endpointsecurity@dell.com.
- Reference Endpoint Security for additional information about current products.
Dell Threat Defense uses policies to:
- Define how threats are addressed
- Determine what is done with quarantined files
- Configure script control
Affected Products:
- Dell Threat Defense
Click Recommended Policies or Policy Definitions for more information.
Dell Technologies recommends setting policies up in Learning Mode first and moving to Protect Mode afterward. Learning Mode is the recommended way to test Dell Threat Defense in an environment, and it is most effective when Dell Threat Defense is deployed onto endpoints built from the standard company image.
Application servers may require further changes because of their higher-than-normal disk I/O.
Once the administrator has addressed all alerts in the Dell Threat Defense administration console, Dell Technologies recommends switching to the Protect Mode policy recommendations. Allow a couple of weeks or more of testing in Learning Mode before switching to the Protect Mode policies.
Click Application Server Recommendations, Learning Mode, or Protect Mode for more information.
Application Server Recommendations
In both Learning and Protect modes, application servers may see additional overhead and behavior that differs from client operating systems. Auto Quarantine (AQT) has, in rare instances, prevented some files from running until a score could be calculated. This has been seen when an application treats the locking of its files as tampering, or when a process fails to complete within its expected time frame.
If Watch For New Files is enabled, it may slow device operations: every newly written file is analyzed, and although each analysis is lightweight, a high volume of files arriving at once can cause a noticeable performance impact.
Suggested policy changes for Windows Server Operating Systems:
- Enable Background Threat Detection and have it Run Once.
- Ensure that Execution Control is Enabled.
- Disable Watch For New Files.
Alongside these recommendations, it is typically also suggested to place devices running server operating systems in separate zones so that the server policy can be applied to them alone. For information about creating zones, reference How to Manage Zones in Dell Threat Defense.
Learning Mode
File Actions
| Policy | Recommended Setting |
|---|---|
| Auto Quarantine with Execution Control for Unsafe | Disabled |
| Auto Quarantine with Execution Control for Abnormal | Disabled |
| Enable auto-delete for quarantined files | Disabled |
| Auto-Upload | Enabled |
| Policy Safe List | Environment dependent |
Protection Settings
| Policy | Recommended Setting |
|---|---|
| Prevent Service Shutdown from Device | Disabled |
| Kill unsafe running processes and their sub processes | Disabled |
| Background Threat Detection | Disabled |
| Run Once/Run Recurring | Not applicable when Background Threat Detection is set to Disabled |
| Watch for New Files | Disabled |
| Copy File Samples | Environment dependent |
Agent Settings
| Policy | Recommended Setting |
|---|---|
| Enable Auto-Upload of log files | Environment dependent |
| Enable Desktop Notification | Environment dependent |
Script Control
| Policy | Recommended Setting |
|---|---|
| Script Control | Enabled |
| 1370 and below Active Script and PowerShell | Alert |
| 1380 and above Active Script | Alert |
| 1380 and above PowerShell | Alert |
| Block PowerShell Console Usage | Not applicable when PowerShell is set to Alert |
| 1380 and above Macros | Alert |
| Disable Script Control Active Script | Disabled |
| Disable Script Control PowerShell | Disabled |
| Disable Script Control Macros | Disabled |
| Folder Exclusions (includes subfolders) | Environment dependent |
Protect Mode
File Actions
| Policy | Recommended Setting |
|---|---|
| Auto Quarantine with Execution Control for Unsafe | Enabled |
| Auto Quarantine with Execution Control for Abnormal | Enabled |
| Enable auto-delete for quarantined files | Environment dependent |
| Auto-Upload | Environment dependent |
| Policy Safe List | Environment dependent |
Protection Settings
| Policy | Recommended Setting |
|---|---|
| Prevent Service Shutdown from Device | Enabled |
| Kill unsafe running processes and their sub processes | Enabled |
| Background Threat Detection | Enabled |
| Run Once/Run Recurring | Run Once |
| Watch for New Files | Enabled |
| Copy File Samples | Environment dependent |
Agent Settings
| Policy | Recommended Setting |
|---|---|
| Enable Auto-Upload of log files | Environment dependent |
| Enable Desktop Notification | Environment dependent |
Script Control
| Policy | Recommended Setting |
|---|---|
| Script Control | Enabled |
| 1370 and below Active Script and PowerShell | Block |
| 1380 and above Active Script | Block |
| 1380 and above PowerShell | Block |
| Block PowerShell Console Usage | Block |
| 1380 and above Macros | Block |
| Disable Script Control Active Script | Disabled |
| Disable Script Control PowerShell | Disabled |
| Disable Script Control Macros | Disabled |
| Folder Exclusions (includes subfolders) | Environment dependent |
Threat Defense Policy Definitions:
File Actions
Auto Quarantine with Execution Control for Unsafe
This policy determines what happens to a file that is detected as it is run. When the policy is enabled, an unsafe file detected at execution is blocked and quarantined automatically; when it is disabled, as in the Learning Mode recommendations, the detection is reported in the console but the file is not quarantined automatically. Unsafe is characterized by a cumulative score above 60 for the portable executable within the Advanced Threat Prevention scoring system, which is based on the threat indicators that have been evaluated.
Auto Quarantine with Execution Control for Abnormal
This policy determines what happens to a file that is detected as it is run. When the policy is enabled, an abnormal file detected at execution is blocked and quarantined automatically; when it is disabled, the detection is reported in the console but the file is not quarantined automatically. Abnormal is characterized by a cumulative score above 0 but not above 60 for the portable executable within the Advanced Threat Prevention scoring system, which is based on the threat indicators that have been evaluated.
Enable auto-delete for quarantined files
When unsafe or abnormal files are quarantined, whether by device-level quarantines, global quarantine lists, or Auto Quarantine policies, they are held in a local sandboxed quarantine cache on the device. When Enable auto-delete for quarantined files is enabled, it sets the number of days (minimum 14, maximum 365) that a file is kept on the local device before it is permanently deleted. The number of days can only be modified while the option is enabled.
Auto-Upload
Auto-Upload submits threats that the Threat Defense SaaS (Software as a Service) environment has not seen before for further analysis. When the local model marks a file as a potential threat, the SHA256 hash of the portable executable is sent to the SaaS. If that hash cannot be matched to a known threat and Auto-Upload is enabled, the file itself is uploaded securely to the SaaS for evaluation. Dell states that this data is stored securely and is not accessible by Dell or its partners.
Policy Safe List
The Policy Safe List is a list of files that have been determined to be safe within the environment and manually waived by submitting their SHA256 hash, with any additional information, into this list. When a file whose SHA256 hash is on this list is run, it is not evaluated by either the local or the cloud threat model.
Folder exclusions entered in this section are absolute paths (including the drive letter on Windows) and must name a folder, not an individual file. Note that this differs from Script Control folder exclusions, which are relative paths.
Example Exclusions:
- Correct (Windows): C:\Program Files\Dell
- Correct (Mac): /Mac\ HD/Users/Application\ Support/Dell
- Incorrect: C:\Program Files\Dell\Executable.exe
- Incorrect: \Program Files\Dell\
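Because the safe list is keyed on SHA256, the practical preparation step before Learning Mode is to hash the executables of the standard image. The following Python script is an added example and is not part of this article or of the Threat Defense product. It walks a folder, hashes only files that carry the PE "MZ" header (the agent scores portable executables whatever their extension, so a renamed DLL still counts), groups identical binaries under one hash, and provides a case-insensitive lookup against an existing list. The sample tree it builds for a stand-alone run is constructed; its folder names, file names and contents are invented for the demonstration.

```python
"""Build Policy Safe List entries (SHA256) for the executables of a golden image."""
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large binaries are not read into memory at once


def is_portable_executable(path: Path) -> bool:
    """True if the file starts with the PE DOS header 'MZ'.

    Threat Defense scores portable executables, so the check is on content,
    not on extension: a DLL renamed to .dat is still a PE.
    """
    try:
        with path.open("rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def sha256_file(path: Path) -> str:
    """Hex SHA256 of a file, the identifier the Policy Safe List is keyed on."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def collect_pe_hashes(root: Path) -> dict[str, list[str]]:
    """Walk `root` (subfolders included) and map SHA256 -> relative paths of every PE.

    Identical binaries found in several locations collapse onto one hash,
    which is what the safe list needs: it is per hash, not per path.
    """
    entries: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath, name)
            if is_portable_executable(path):
                rel = path.relative_to(root).as_posix()
                entries.setdefault(sha256_file(path), []).append(rel)
    return entries


def is_waived(sha256_hex: str, safe_list: set[str]) -> bool:
    """Case-insensitive lookup, since consoles and tools disagree on hex case."""
    return sha256_hex.lower() in {h.lower() for h in safe_list}


def build_demo_tree() -> Path:
    """Constructed sample tree (not a real image): two PEs, one of them duplicated, and a text file."""
    root = Path(tempfile.mkdtemp(prefix="golden-"))
    (root / "app").mkdir()
    (root / "app" / "tool.exe").write_bytes(b"MZ" + b"\x90" * 64)
    (root / "app" / "tool-copy.dat").write_bytes(b"MZ" + b"\x90" * 64)  # same PE under another name
    (root / "app" / "helper.dll").write_bytes(b"MZ" + b"\x00" * 32)
    (root / "app" / "readme.txt").write_bytes(b"not a PE, so never hashed")
    return root


if __name__ == "__main__":
    for digest, paths in sorted(collect_pe_hashes(build_demo_tree()).items()):
        print(digest, ", ".join(sorted(paths)))
```

Run it against the root of a mounted or staged image to get one line per distinct binary; the path list on each line shows where that binary lives, which helps when deciding whether a hash belongs on the safe list for the whole environment or only for a zone.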
Protection Settings
Kill unsafe running processes and their sub processes
When Kill unsafe running processes and their sub processes is enabled, Threat Defense checks whether a threat is spawning child processes or has taken over other processes that are already running in memory. If a process is believed to have been taken over by a threat, the primary threat and any processes it has spawned or currently owns are terminated immediately.
Background Threat Detection
Background Threat Detection, when enabled, scans the entire device for portable executables, evaluates each one with the local threat model, and requests confirmation of the score from the cloud-based SaaS based on the executable's threat indicators. Two options are available: Run Once performs a single background scan of all physical drives connected to the device as soon as Threat Defense is installed and activated. Run Recurring performs the same scan of all physical drives at installation and activation, and then repeats it every nine days (not configurable).
Watch for New Files
When Watch for New Files is enabled, any portable executable that is introduced to the device is evaluated immediately, using the local model, on the threat indicators it displays, and that score is confirmed against the cloud-hosted SaaS.
Copy File Samples
Copy File Samples automatically escrows any threat found on the device to a defined repository specified by UNC path. This is only recommended for internal threat research or to maintain a secure repository of packaged threats within the environment. All files stored by Copy File Samples are zipped with the password "infected".
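Because the escrowed samples are live threats, the safe way to inventory a Copy File Samples repository is to read each archive in memory and never extract members to disk. The following Python script is an added example, not part of this article or of the product. It opens each zip with the password "infected", streams every member through SHA256 without writing it anywhere, and reports name, size and hash so entries can be correlated with console alerts and safe-list hashes. The demonstration archive it builds is constructed and unencrypted, because Python's zipfile module reads ZipCrypto-protected archives but cannot write them; the password argument is ignored for unencrypted members, so the same call works unchanged on a real repository.

```python
"""Inventory a Copy File Samples repository without extracting anything to disk."""
import hashlib
import io
import zipfile
from pathlib import Path

SAMPLE_ARCHIVE_PASSWORD = b"infected"  # fixed password Threat Defense uses for escrowed samples


def inventory_samples(archive, pwd: bytes = SAMPLE_ARCHIVE_PASSWORD) -> list[dict]:
    """Return name, size and SHA256 for each member of one archive, read entirely in memory.

    `archive` may be a path or a binary file object. Member bytes are hashed
    in chunks and never written to the file system, so an escrowed threat is
    not dropped in cleartext onto the analyst's machine.
    """
    rows = []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            digest = hashlib.sha256()
            with zf.open(info, pwd=pwd) as member:  # pwd is used only if the member is encrypted
                for block in iter(lambda: member.read(1 << 20), b""):
                    digest.update(block)
            rows.append({"name": info.filename, "size": info.file_size, "sha256": digest.hexdigest()})
    return rows


def inventory_repository(root: Path, pwd: bytes = SAMPLE_ARCHIVE_PASSWORD) -> dict[str, list[dict]]:
    """Walk a local or UNC repository of sample archives and inventory each one."""
    return {str(p): inventory_samples(p, pwd) for p in sorted(root.rglob("*.zip"))}


def build_demo_archive() -> io.BytesIO:
    """Constructed stand-in for an escrowed sample archive (contains no real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("abc.bin", b"abc")                      # well-known SHA256 test vector
        zf.writestr("dropper/stage2.exe", b"MZ" + b"\x90" * 100)  # fake PE header plus padding
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for row in inventory_samples(build_demo_archive()):
        print(f'{row["sha256"]}  {row["size"]:>8}  {row["name"]}')
```

For a real repository, call inventory_repository(Path(r"\\server\share\samples")); a wrong password surfaces as a RuntimeError from zipfile on the first encrypted member, which is the only case where the password matters.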
Agent Settings
Enable Auto-Upload of log files
Enable Auto-Upload of log files allows endpoints to upload their Dell Threat Defense log files nightly at midnight, and additionally whenever a log file reaches 100 MB. The nightly upload happens regardless of file size. All logs are compressed before they leave the network.
Enable Desktop Notification
Enable Desktop Notification lets device users receive prompts on their device when a file is marked as abnormal or unsafe. On endpoints with this policy enabled, users turn the prompts on from the right-click menu of the Dell Threat Defense tray icon.
Script Control
Script Control
Script Control uses a memory filter to identify scripts as they run on the device and prevents them when the policy for that script type is set to Block. When a policy is set to Alert, scripts that would have been blocked are only recorded, in the local logs and on the Dell Threat Defense console.
1370 and Below
These policies apply to clients before version 1370, which were released before June 2016. Only Active Script and PowerShell-based scripts are acted on by these versions.
1380 and Above
These policies apply to clients at version 1380 and later, which were released after June 2016.
Active Script
Active Scripts include any script that is interpreted by the Windows Script Host, such as JScript (JavaScript) and VBScript; batch files and other script types are also listed under this category.
PowerShell
PowerShell scripts include any multi-line script that is run as a single command. (Default Setting - Alert)
Block PowerShell Console Usage - (not present when PowerShell is set to Alert)
In PowerShell 3.0 (introduced with Windows 8 and Windows Server 2012) and later, most PowerShell scripts are run as a single-line command; although they may contain multiple lines, those lines are run in order as one command. This bypasses the PowerShell script interpreter that Script Control hooks. Block PowerShell Console Usage works around this by preventing any application from launching the PowerShell console. The Integrated Scripting Environment (ISE) is not affected by this policy.
Macros
The Macro setting interprets macros that are present within Office documents and PDFs and blocks malicious macros that may attempt to download threats.
Disable Script Control
These policies fully disable Script Control for the script type named in each policy, including the ability to alert. When one is checked, no logging is collected and no attempt is made to detect or block potential threats of that type.
Active Script
When checked, stops both the logging and the blocking of Active Script-based threats. Active Scripts include any script that is interpreted by the Windows Script Host, such as JScript (JavaScript) and VBScript; batch files and other script types are also listed under this category.
PowerShell
When checked, stops both the logging and the blocking of PowerShell-based threats. PowerShell scripts include any multi-line script that is run as a single command.
Macros
When checked, stops both the logging and the blocking of macro-based threats. The Macro setting inspects macros present in Office documents and PDFs and blocks malicious macros that may attempt to download threats.
Folder Exclusions (includes subfolders)
Folder Exclusions defines folders from which scripts may run without Script Control acting on them. This section asks for exclusions in a relative path format.
- Folder paths can point to a local drive, a mapped network drive, or a universal naming convention (UNC) path.
- Script folder exclusions must specify the relative path of the folder or subfolder (no drive letter).
- Any specified folder path also includes all of its subfolders.
- Wildcard exclusions must use forward slashes in the UNIX style on Windows computers. Example: /windows/system*/
- The only character supported for wildcards is *.
- A folder exclusion that contains a wildcard must end with a slash, to differentiate a folder from a file:
  - Folder exclusion: /windows/system32/*/
  - File exclusion: /windows/system32/*
- A wildcard must be added for each level of folder depth. For example, /folder/*/script.vbs matches \folder\test\script.vbs or \folder\exclude\script.vbs, but not \folder\test\001\script.vbs; that path would require either /folder/*/001/script.vbs or /folder/*/*/script.vbs.
- Wildcards support full and partial exclusions:
  - Full wildcard example: /folder/*/script.vbs
  - Partial wildcard example: /folder/test*/script.vbs
- Network paths are also supported with wildcards: //*/login/application and //abc*/logon/application
Path examples:
Correct (Mac): /Mac\ HD/Users/Cases/ScriptsAllowed
Correct (Windows): \Cases\ScriptsAllowed
Incorrect: C:\Application\SubFolder\application.vbs (drive letter, and a file rather than a folder)
Incorrect: \Program Files\Dell\application.vbs (a file rather than a folder)
Wildcard Examples:
/users/*/temp would cover:
\users\john\temp
\users\jane\temp
/program files*/app/script*.vbs would cover:
\program files(x86)\app\script1.vbs
\program files(x64)\app\script2.vbs
\program files(x64)\app\script3.vbs
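The wildcard rules above are easy to get wrong when writing exclusions, so here is an added Python matcher (example code, not Dell's implementation) that applies them as stated: relative Windows paths matched with the drive letter removed, case-insensitive, * as the only wildcard and confined to one folder level, and a trailing slash (or the absence of any wildcard) marking a folder exclusion that covers everything beneath the folder. It also validates a proposed exclusion against the correct/incorrect examples; the "looks like a file" check is a heuristic of this example, not a product rule. The matcher applies the trailing-slash rule literally, so wildcard folder patterns such as the /users/*/temp and network-path examples are written with a trailing slash in its inputs, and the Mac path form is not handled. Confirm edge cases against the console's actual behavior before relying on it.

```python
"""Script Control folder-exclusion matcher implementing the rules stated above (Windows paths)."""
import re
from typing import Optional

_DRIVE = re.compile(r"^[a-z]:")


def _normalize(path: str) -> str:
    """Lower-case, forward slashes, drive letter removed: 'C:\\Users\\x' -> '/users/x'."""
    return _DRIVE.sub("", path.replace("\\", "/").lower())


def validate_exclusion(pattern: str) -> list[str]:
    """Return the rule violations for a proposed exclusion (an empty list means it is acceptable)."""
    problems = []
    if re.match(r"^[A-Za-z]:", pattern):
        problems.append("drive letter present; script exclusions are relative paths")
    if "*" in pattern and "\\" in pattern:
        problems.append("wildcard exclusions must use forward slashes")
    if "?" in pattern:
        problems.append("'*' is the only supported wildcard")
    # Heuristic (assumption of this example): a non-wildcard path whose last
    # segment carries an extension names a file, and exclusions must name folders.
    last = pattern.replace("\\", "/").rstrip("/").rsplit("/", 1)[-1]
    if "*" not in pattern and "." in last:
        problems.append("looks like a file path; folder exclusions name a folder")
    return problems


def compile_exclusion(pattern: str) -> re.Pattern:
    """Translate one exclusion into a regex over normalized script paths."""
    norm = _normalize(pattern)
    is_folder = norm.endswith("/") or "*" not in norm
    core = norm.rstrip("/")
    # Each '*' becomes [^/]* so a wildcard matches within a single folder level only,
    # which is why one '*' is needed per level of depth.
    body = "".join("[^/]*" if piece == "*" else re.escape(piece) for piece in re.split(r"(\*)", core))
    # A folder exclusion covers the folder and all subfolders: the script path must
    # continue past the folder. A file pattern must match the whole path.
    tail = "/.+$" if is_folder else "$"
    return re.compile("^" + body + tail)


def is_excluded(script_path: str, patterns: list[str]) -> Optional[str]:
    """Return the first exclusion that covers `script_path`, or None if Script Control applies."""
    target = _normalize(script_path)
    for pattern in patterns:
        if compile_exclusion(pattern).match(target):
            return pattern
    return None


if __name__ == "__main__":
    # Constructed inputs taken from the examples above.
    policy = ["/folder/*/script.vbs", "/windows/system32/*/", r"\Cases\ScriptsAllowed"]
    for script in (r"C:\folder\test\script.vbs", r"C:\folder\test\001\script.vbs",
                   r"C:\windows\system32\drivers\x.vbs", r"D:\Cases\ScriptsAllowed\a\run.ps1"):
        print(f"{script:45} -> {is_excluded(script, policy)}")
    print(validate_exclusion(r"C:\Application\SubFolder\application.vbs"))
```

Use is_excluded during a Learning Mode review to check whether a script that raised an alert would be silenced by a proposed exclusion, and validate_exclusion before entering the exclusion into the console.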
To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.