
Dell Threat Defense Policy Recommendations

Summary: This article contains policy recommendations for Dell Threat Defense.


Article Content


Symptoms

Note:

Dell Threat Defense uses policies to:

  • Define how threats are addressed.
  • Determine what is done with quarantined files.
  • Configure script control.

Affected Products:

Dell Threat Defense


Cause

Not applicable.

Resolution

Recommended Policies

Dell recommends setting policies up in Learning Mode first and moving to Protect Mode afterward. Learning Mode is how Dell recommends testing Dell Threat Defense in an environment, and it is most effective when Dell Threat Defense is deployed onto endpoints that run the standard company image.

Application servers may need further changes because of their higher than normal disk I/O.

Once the administrator has addressed all alerts in the Dell Threat Defense administration console, Dell recommends switching to the Protect Mode policy recommendations. Dell recommends two weeks or more of testing in Learning Mode before switching to Protect Mode policies.

Application Server Recommendations

Note: Not all policy recommendations fit every environment.

In both Learning and Protect modes, application servers may see additional overhead and behavior that differs from client operating systems. Auto Quarantine (AQT) has, in rare instances, prevented some files from running until a score could be calculated. This has been seen when an application treats the locking of its files as tampering, or when a process fails to complete within its expected timeframe because of the delay.

If Watch For New Files is enabled, it may slow down device operations: every newly generated file is analyzed. The analysis itself is lightweight, but a high volume of new files at one time (a build, a batch job, a log rotation) can cause a noticeable performance impact.

Suggested policy changes for Windows Server Operating Systems:

  • Enable Background Threat Detection and have it Run Once.
  • Ensure that Execution Control is Enabled.
  • Disable Watch For New Files.

With these recommendations, it is also suggested to place devices running server operating systems in separate zones, so that the server-specific policy is applied only to them. For information about creating zones, reference How to Manage Zones in Dell Threat Defense.

Learning Mode

Policy                                                    Recommended Setting
File Actions
  Auto Quarantine with Execution Control for Unsafe       Disabled
  Auto Quarantine with Execution Control for Abnormal     Disabled
  Enable auto-delete for quarantined files                Disabled
  Auto-Upload                                             Enabled
  Policy Safe List                                        Environment dependent
Protection Settings
  Prevent Service Shutdown from Device                    Disabled
  Kill unsafe running processes and their sub processes   Disabled
  Background Threat Detection                             Disabled
  Run Once/Run Recurring                                  N/A (Background Threat Detection is Disabled)
  Watch for New Files                                     Disabled
  Copy File Samples                                       Environment dependent
Agent Settings
  Enable Auto-Upload of log files                         Environment dependent
  Enable Desktop Notification                             Environment dependent
Script Control
  Script Control                                          Enabled
  1370 and below: Active Script and PowerShell            Alert
  1380 and above: Active Script                           Alert
  1380 and above: PowerShell                              Alert
  Block PowerShell Console Usage                          N/A (PowerShell is set to Alert)
  1380 and above: Macros                                  Alert
  Disable Script Control: Active Script                   Disabled
  Disable Script Control: PowerShell                      Disabled
  Disable Script Control: Macros                          Disabled
  Folder Exclusions (includes subfolders)                 Environment dependent
Protect Mode

Policy                                                    Recommended Setting
File Actions
  Auto Quarantine with Execution Control for Unsafe       Enabled
  Auto Quarantine with Execution Control for Abnormal     Enabled
  Enable auto-delete for quarantined files                Environment dependent
  Auto-Upload                                             Environment dependent
  Policy Safe List                                        Environment dependent
Protection Settings
  Prevent Service Shutdown from Device                    Enabled
  Kill unsafe running processes and their sub processes   Enabled
  Background Threat Detection                             Enabled
  Run Once/Run Recurring                                  Run Once
  Watch for New Files                                     Enabled
  Copy File Samples                                       Environment dependent
Agent Settings
  Enable Auto-Upload of log files                         Environment dependent
  Enable Desktop Notification                             Environment dependent
Script Control
  Script Control                                          Enabled
  1370 and below: Active Script and PowerShell            Block
  1380 and above: Active Script                           Block
  1380 and above: PowerShell                              Block
  Block PowerShell Console Usage                          Block
  1380 and above: Macros                                  Block
  Disable Script Control: Active Script                   Disabled
  Disable Script Control: PowerShell                      Disabled
  Disable Script Control: Macros                          Disabled
  Folder Exclusions (includes subfolders)                 Environment dependent

Threat Defense Policy Definitions:

File Actions

Auto Quarantine with Execution Control for Unsafe

This policy determines what happens to a file classified as Unsafe when it is executed. When the policy is enabled, an Unsafe file that attempts to run is blocked and quarantined; when it is disabled (as in Learning Mode), the detection is logged and alerted on but the file is allowed to run. Unsafe means a cumulative score of 60 or higher in the Advanced Threat Prevention scoring system, which is based on the threat indicators evaluated for the portable executable.

Auto Quarantine with Execution Control for Abnormal

This policy determines what happens to a file classified as Abnormal when it is executed. When the policy is enabled, an Abnormal file that attempts to run is blocked and quarantined; when it is disabled, the detection is logged and alerted on but the file is allowed to run. Abnormal means a cumulative score above 0 but below 60 in the Advanced Threat Prevention scoring system, again based on the threat indicators evaluated for the portable executable. Abnormal files are the ones that most often turn out to be legitimate internal tools, which is why Learning Mode leaves this policy disabled until the alerts have been reviewed.

Enable auto-delete for quarantined files

When unsafe or abnormal files are quarantined, whether by a device-level quarantine, the global quarantine list, or an Auto Quarantine policy, they are held in a sandboxed quarantine cache on the local device. Enable auto-delete for quarantined files sets the number of days (minimum 14, maximum 365) a quarantined file is kept on the device before it is permanently deleted. The day count can only be changed while the option is enabled.

Auto-Upload

Auto-Upload submits threats that the Threat Defense SaaS (Software as a Service) environment has not seen before for further analysis. When the local model marks a file as a potential threat, the SHA256 hash of the portable executable is sent to the SaaS. If that hash cannot be matched to a known threat and Auto-Upload is enabled, the file itself is uploaded over a secure channel to the SaaS for evaluation. This data is stored securely and is not accessible by Dell or its partners.

Policy Safe List

The Policy Safe List is a list of files that have been determined to be safe within the environment and manually waived by submitting their SHA256 hash, with any additional information, into this list. When a file whose SHA256 hash is on this list is run, it is not evaluated by the local or the cloud threat model. A safe-listed hash covers exactly one file content: a rebuilt or updated binary has a new hash and must be added again.

Folder exclusions in this part of the policy, by contrast, are "absolute" paths: they start at the drive root (Windows) or filesystem root (Mac) and name a folder, not a file.

Example Exclusions:
Correct (Windows): C:\Program Files\Dell
Correct (Mac): /Mac\ HD/Users/Application\ Support/Dell
Incorrect: C:\Program Files\Dell\Executable.exe (a file, not a folder)
Incorrect: \Program Files\Dell\ (relative path, no drive)

Protection Settings

Kill unsafe running processes and their sub processes

When Kill unsafe running processes and their sub processes is enabled, Threat Defense checks whether a detected threat has spawned child processes or has taken over other processes already running in memory. If a process is believed to have been taken over by a threat, the primary threat and every process it spawned or currently owns is terminated immediately.

Background Threat Detection

Background Threat Detection, when enabled, scans the entire device for portable executables, evaluates each one with the local threat model, and confirms the score with the cloud-based SaaS based on the executable's threat indicators. Two options are available: Run Once performs a single background scan of all physical drives connected to the device as soon as Threat Defense is installed and activated. Run Recurring performs the same initial scan of all drives connected to the device and then repeats it every nine days (the interval is not configurable).

Watch for New Files

When Watch for New Files is enabled, any portable executable that is introduced to the device is immediately evaluated with the threat indicators that it displays using the local model, and this score is confirmed against the cloud-hosted SaaS.

Copy File Samples

Copy File Samples allows for any threats that are found on the device to be automatically escrowed to a defined repository based on UNC Path. This is only recommended for internal threat research or to hold a secure repository of packaged threats within the environment. All files that are stored by Copy File Samples are zipped with a password of infected.

Agent Settings

Enable Auto-Upload of log files

Enable Auto-Upload of log files allows endpoints to upload their Dell Threat Defense log files nightly at midnight, or earlier when a log file reaches 100 MB. The nightly upload happens regardless of file size. All logs are compressed before they leave the network.

Enable Desktop Notification

Enable Desktop Notification lets device users opt in to prompts on their device when a file is marked as abnormal or unsafe. The option appears in the right-click menu of the Dell Threat Defense tray icon on endpoints that have this policy enabled.

Script Control

Script Control

Script Control works through a memory filter that identifies scripts as they run on the device and stops them if the policy for that script type is set to Block. When a script type is set to Alert, scripts that would have been blocked are only noted in the logs and in the Dell Threat Defense console, which is what makes Alert the right setting for Learning Mode.

1370 and Below

These policies apply to agents earlier than 1370, which were available before June 2016. Those versions act only on Active Script and PowerShell scripts; there is no Macros setting for them.

1380 and Above

These policies apply to agents later than 1370, available from June 2016 onward.

Active Script

Active Script covers scripts interpreted by the Windows Script Host (wscript.exe and cscript.exe), such as JScript (JavaScript) and VBScript, among others.

PowerShell

PowerShell scripts include any multi-line script that is run as a single command. (Default Setting - Alert)

Block PowerShell Console Usage (not present when PowerShell is set to Alert)

From PowerShell v3 (shipped with Windows 8 and Windows Server 2012) onward, a script of any length can be handed to the PowerShell console as a single command, for example through the -Command or -EncodedCommand parameters. The statements still run in order, but no .ps1 file is ever interpreted from disk, so this path can bypass the PowerShell script interpreter check. Block PowerShell Console Usage works around this by preventing any application from launching the PowerShell console at all, whether with a script file or with an inline command. The Integrated Scripting Environment (ISE) is not affected by this policy.
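The single-command path described above, as an added example that is not from this article or from Dell: the same three benign statements are run as a .ps1 file, as one -Command argument, and as an -EncodedCommand, so that you can see that the last two never exist on disk. It assumes Windows PowerShell 5.1 (powershell.exe) on Windows and needs no Threat Defense agent; the file name sc-demo.ps1 and the process listing are just illustration.

```powershell
# Added example, not Dell Threat Defense code. Shows the three ways the same script
# reaches powershell.exe; only the first ever exists as a .ps1 on disk.
# Assumes Windows PowerShell 5.1 (powershell.exe). The payload is harmless: it lists
# the three processes with the largest working set.

# The script as it would look on disk (three statements, three lines).
$script = @'
$procs = Get-Process | Sort-Object WorkingSet64 -Descending | Select-Object -First 3
$names = $procs.ProcessName -join ', '
'top3=' + $names
'@

# 1) On-disk form: a .ps1 file is written and interpreted, which the script-file
#    hook can see.
$file = Join-Path $env:TEMP 'sc-demo.ps1'      # illustrative file name
Set-Content -Path $file -Value $script
$fromFile = & powershell.exe -NoProfile -ExecutionPolicy Bypass -File $file
Remove-Item $file

# 2) Console one-liner: the same three statements joined with ';' and passed as a
#    single -Command argument. Nothing is written to disk.
$oneLiner = ($script -split "`r?`n" | Where-Object { $_ }) -join '; '
$fromCommand = & powershell.exe -NoProfile -Command $oneLiner

# 3) Encoded form: the whole multi-line script as UTF-16LE base64, the usual shape
#    of this path in the wild. Still nothing on disk.
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($script))
$fromEncoded = & powershell.exe -NoProfile -EncodedCommand $encoded

"file    : $fromFile"
"command : $fromCommand"
"encoded : $fromEncoded"
# All three print the same 'top3=...' line. Each of them launches the PowerShell
# console, so with Block PowerShell Console Usage set to Block all three launches are
# refused, while the ISE can still be opened.
```

Run it once without the policy to see identical output from all three forms, then again with Block PowerShell Console Usage set to Block: the point to take away is that the policy is coarse, it stops powershell.exe from being launched by any application, including legitimate -File launches from scheduled tasks and management tools, which is why the recommendations only turn it on in Protect Mode after the Learning Mode alerts have been reviewed.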

Macros

The Macro setting interprets macros that are present within Office documents and PDFs and blocks malicious macros that may attempt to download threats.

Disable Script Control

These policies fully disable the ability to even alert on the script type defined within each policy. When disabled, no logging is collected, and no attempt to detect or block potential threats is performed.

Active Script

When checked, stops log collection for Active Script and disables detection and blocking of Active Script-based threats. Active Script covers scripts interpreted by the Windows Script Host, such as JScript (JavaScript) and VBScript, among others.

PowerShell

When checked, stops log collection for PowerShell and disables detection and blocking of PowerShell-based threats. PowerShell scripts include any multi-line script that is run as a single command.

Macros

When checked, stops log collection for macros and disables detection and blocking of macro-based threats. The Macro setting interprets macros present within Office documents and PDFs and blocks malicious macros that may attempt to download threats.

Folder Exclusions (includes subfolders)

Folder Exclusions defines folders from which scripts are allowed to run without Script Control acting on them. Unlike the absolute paths used for file exclusions, exclusions here are entered as relative paths: no drive letter, so one entry applies on every drive.

  • Folder paths can be to a local drive, a mapped network drive, or a universal naming convention (UNC) path.
  • Script folder exclusions must specify the relative path of the folder or subfolder.
  • Any specified folder path also includes any subfolders.
  • Wildcard exclusions must use forward slashes in the UNIX style for Windows computers. Example: /windows/system*/.
  • The only character that is supported for wildcards is *.
  • Folder exclusions with a wildcard must have a slash at the end of the path to differentiate between a folder and a file.
    • Folder exclusion: /windows/system32/*/
    • File exclusion: /windows/system32/*
  • A wildcard must be added for each level of folder depth. For example, /folder/*/script.vbs matches \folder\test\script.vbs or \folder\exclude\script.vbs but does not work for \folder\test\001\script.vbs. This would require either /folder/*/001/script.vbs or /folder/*/*/script.vbs.
  • Wildcards support full and partial exclusions.
    • Full wildcard example: /folder/*/script.vbs
    • Partial wildcard example: /folder/test*/script.vbs
  • Network paths are also supported with wildcards.
    • //*/login/application
    • //abc*/logon/application

Example Exclusions:
Correct (Mac): /Mac\ HD/Users/Cases/ScriptsAllowed
Correct (Windows): \Cases\ScriptsAllowed
Incorrect: C:\Application\SubFolder\application.vbs (absolute path to a file)
Incorrect: \Program Files\Dell\application.vbs (a file, not a folder)

Wildcard Examples:

/users/*/temp would cover:

  • \users\john\temp
  • \users\jane\temp

/program files*/app/script*.vbs would cover:

  • \Program Files (x86)\app\script1.vbs
  • \Program Files\app\script2.vbs
  • \Program Files\app\script3.vbs
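To check an exclusion list against the paths scripts actually run from before committing it to a policy, here is a small PowerShell tester, added to this article and not part of Dell Threat Defense or Dell's own code. It implements the rules listed above as stated: forward slashes, '*' as the only wildcard and confined to one path segment, a trailing slash after a wildcard meaning a folder, and a pattern whose last segment has no wildcard also meaning a folder that covers its subfolders. Case-insensitive matching is an assumption, the function names are mine, and the paths and patterns in $cases are constructed from the article's own examples. It does not read the agent's policy and does not show how the agent itself evaluates paths.

```powershell
# Added example, not Dell Threat Defense code: a tester for script-control folder
# exclusion patterns that follows the rules in this article. Assumptions: matching is
# case-insensitive, '*' never crosses a '/', and a pattern whose last segment has no
# wildcard is a folder exclusion that covers everything beneath it.

function ConvertTo-ExclusionRegex {
    param([Parameter(Mandatory)][string]$Pattern)

    $p = $Pattern -replace '\\', '/'            # rules require forward slashes; tolerate backslashes
    $isFolder = $false
    if ($p.EndsWith('/')) {                     # trailing slash after a wildcard marks a folder
        $p = $p.TrimEnd('/')
        $isFolder = $true
    } elseif ($p.Split('/')[-1] -notmatch '\*') {
        $isFolder = $true                       # e.g. /users/*/temp: a folder, subfolders included
    }
    # Escape regex metacharacters, then turn each literal '*' into a single-segment wildcard.
    $body = [regex]::Escape($p) -replace '\\\*', '[^/]*'
    if ($isFolder) { '^' + $body + '/.+$' } else { '^' + $body + '$' }
}

function Test-ScriptExcluded {
    param(
        [Parameter(Mandatory)][string]$ScriptPath,
        [Parameter(Mandatory)][string[]]$Exclusions
    )
    # Normalise the script path to the form the patterns use: forward slashes and no
    # drive letter (exclusions are relative). A UNC path keeps its leading '//'.
    $path = ($ScriptPath -replace '\\', '/') -replace '^[A-Za-z]:', ''
    foreach ($ex in $Exclusions) {
        if ($path -match (ConvertTo-ExclusionRegex $ex)) { return $true }
    }
    return $false
}

# Constructed cases taken from the article's examples; Expect is what the rules say.
$cases = @(
    @{ Path = 'C:\folder\test\script.vbs';             Pattern = '/folder/*/script.vbs';          Expect = $true  }
    @{ Path = 'C:\folder\test\001\script.vbs';         Pattern = '/folder/*/script.vbs';          Expect = $false }
    @{ Path = 'C:\folder\test\001\script.vbs';         Pattern = '/folder/*/*/script.vbs';        Expect = $true  }
    @{ Path = 'D:\users\jane\temp\run.ps1';            Pattern = '/users/*/temp';                 Expect = $true  }
    @{ Path = 'C:\Windows\System32\drivers\x.js';      Pattern = '/windows/system32/*/';          Expect = $true  }
    @{ Path = 'C:\Windows\System32\x.js';              Pattern = '/windows/system32/*/';          Expect = $false }
    @{ Path = 'C:\Windows\System32\x.js';              Pattern = '/windows/system32/*';           Expect = $true  }
    @{ Path = 'C:\Program Files (x86)\app\script1.vbs'; Pattern = '/program files*/app/script*.vbs'; Expect = $true }
    @{ Path = '\\fs01\login\application\logon.vbs';    Pattern = '//*/login/application';         Expect = $true  }
)

foreach ($c in $cases) {
    $got = Test-ScriptExcluded -ScriptPath $c.Path -Exclusions @($c.Pattern)
    $ok  = if ($got -eq $c.Expect) { 'ok ' } else { 'BAD' }
    '{0} {1,-42} {2,-36} -> {3}' -f $ok, $c.Path, $c.Pattern, $got
}
```

Every line should print "ok"; a "BAD" line means a pattern does not do what you expected, which is exactly the mistake (usually a missing per-level wildcard or a missing trailing slash) that would otherwise surface as a blocked logon script in Protect Mode. Add your own Path/Pattern pairs to $cases for the folders your environment actually uses.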

To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.


Article Properties


Affected Product

Dell Threat Defense

Last Published Date

20 Dec 2022

Version

11

Article Type

Solution