Escan/english/escan22/eScan Management Console/Policies/Features Help/EDRPolicy

From eScan Wiki
Revision as of 09:18, 30 November 2021 by imported>TechContent

Advance Security

The EDR Policy contains the following tabs, each with multiple threat protection options:

  • Advance Threat Protection
  • Block Downloads from Internet
  • Archive File Protection
  • Block Files Using sha256

The following section describes the tabs and options in detail.

    Advance Threat Protection

    This tab allows you to block or whitelist the execution of EXE files downloaded from the Internet or present on a USB device. It also lets you restrict WScript and Adobe Reader from executing child processes.

    Block Unsigned Exe Download from Internet
    This option blocks the execution of untrusted/unknown executable files that are downloaded from the internet.

    Block Unsigned Exe from USB
    This option blocks the execution of untrusted/unknown executable files from portable storage devices like USB drives.

    Unsigned Exe White list (Cloud)
    This option allows the execution of whitelisted executable files based on the eScan Cloud database. It is enabled by default.

    Whitelisting for unsigned exe Downloaded From Internet/on USB
    This option allows the user to whitelist the unknown executable files. After enabling the above listed options, you can configure this option.

    1. Add: To add an unknown executable file, enter the name of the file and click on Add. The file will be added to the list.
    2. Delete: To delete an executable file, select the particular file from the list and click on Delete.
    3. Remove All: To remove all the files from the list, click on Remove All.


    Block WScript From Running Downloaded Apps
    This option allows you to block the execution of any potentially malicious scripts (.js, PowerShell) that run from downloaded apps.

    Block Adobe Office Child Exe
    This option allows you to block the generation of any child process (VB macros, exploit code, PowerShell commands) by Adobe Reader and Office apps.

    Block Custom Child Exe
    This option lets you add or delete custom child EXEs.
    After enabling this option, you can configure the following options:

    1. Add: To add custom child EXE, enter the name and click on Add.
    2. Delete: To delete any child EXE, select the file and click on Delete.
    3. Remove All: To remove all the files at once, click on Remove All.
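
    Before enabling Block Adobe Office Child Exe, it helps to know which child processes Adobe Reader and Office already start on your endpoints. The script below is an added example, not eScan code: it counts parent/child pairs in process-creation records. The guarded executable names and the sample records are assumptions constructed for illustration; the field names follow Sysmon Event ID 1.

```python
import ntpath
from collections import Counter

# Assumption: executable names standing in for "Adobe Reader and Office apps".
GUARDED_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe",
                   "outlook.exe", "acrord32.exe", "acrobat.exe"}

# Constructed records; ParentImage/Image are the Sysmon Event ID 1 field names.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Office16\WINWORD.EXE", "Image": r"C:\Windows\System32\cmd.exe"},
    {"ParentImage": r"C:\Office16\WINWORD.EXE", "Image": r"C:\Windows\System32\cmd.exe"},
    {"ParentImage": r"C:\Office16\EXCEL.EXE", "Image": r"C:\Windows\splwow64.exe"},
    {"ParentImage": r"C:\Reader\AcroRd32.exe", "Image": r"C:\Reader\RdrCEF.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Office16\WINWORD.EXE"},
    {"ParentImage": "", "Image": r"C:\Windows\System32\smss.exe"},
]


def image_name(path):
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return ntpath.basename(path or "").lower()


def guarded_child_pairs(events, guarded=GUARDED_PARENTS):
    """Count (parent, child) pairs where a guarded application started a process."""
    pairs = Counter()
    for event in events:
        parent = image_name(event.get("ParentImage"))
        child = image_name(event.get("Image"))
        if parent in guarded and child:
            pairs[(parent, child)] += 1
    return pairs


def report(events):
    """Pairs sorted by descending count, then name, for review before enforcement."""
    pairs = guarded_child_pairs(events)
    return sorted(((p, c, n) for (p, c), n in pairs.items()),
                  key=lambda row: (-row[2], row[0], row[1]))


if __name__ == "__main__":
    for parent, child, count in report(SAMPLE_EVENTS):
        print(f"{count:4d}  {parent} -> {child}")
```

    Pairs such as a print helper or a renderer process are routine, while a shell or script host under a document application is the kind of pair this option is meant to stop.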


    Block Downloads From Internet

    This tab allows you to block or restrict files downloaded from the internet and files downloaded from email clients.

    Block Internet Downloaded Files
    This option allows you to block files directly while they are being downloaded from the internet.

    Exclude Email Clients
    This option allows the execution of attachments and auto-run executable files that are downloaded via email clients (Outlook, Thunderbird, and more). It is enabled by default.

    Archive File Protection

    This tab allows or blocks the running of password-protected archive files (zip, rar, 7zip, and more).

    Allow All
    This option is enabled by default and allows running of all the password-protected archive files.

    Allow only default archive types
    This option allows access only to default archive types and to file names with extensions that are added to the list.

    Action
    This drop-down option allows you to select the action to be taken when a password-protected archive file does not belong to a default type or a whitelisted file extension.

    1. Access Denied: This option will deny access to the archive files that are not a default type or a whitelisted file extension.
    2. Quarantine archive: This option will quarantine all the archive files other than default types or whitelisted file extensions.


    Add Custom Unsafe Extensions
    This option allows you to add custom unsafe archive extensions to the list.

    1. Add: To add a custom unsafe extension, enter the extension and click on Add.
    2. Delete: To delete any custom extension, select the extension and click on Delete.
    3. Remove All: To remove all the extensions at once, click on Remove All.


    Allow only excluded extensions
    This option allows access only to archive files whose extensions are added to the excluded list.

    Action
    This drop-down option allows you to select the action to be taken when a password-protected archive file does not belong to the excluded file extensions.

    1. Access Denied: This option will deny access to the archive files that are not added to the exclusion list.
    2. Quarantine archive: This option will quarantine all the archive files that are not added to the exclusion list.


    Ignore Default Extensions
    This check box will allow the access of default archive extensions by including them in the blacklist.

    Exclusion List for Custom Extensions
    This option allows you to add custom file extension types to the list.

    1. Add: To add a custom extension, enter the extension and click on Add.
    2. Delete: To delete any custom extension, select the extension and click on Delete.
    3. Remove All: To remove all the extensions at once, click on Remove All.


    Block All
    This option blocks access to all password-protected archive file types.

    Action
    This drop-down option allows you to select the action to be taken on the password-protected archive file types.

    1. Access Denied: This option will deny access to all the password-protected archive files.
    2. Quarantine archive: This option will quarantine all the password-protected archive files.


    Block Files Using sha256

    This tab allows you to block files based on their SHA256 hash value.

    Enable SHA256 Protection
    This option lets you enable SHA256 protection to block files that have an identical hash value.

    Filter Categories
    This option will be enabled after selecting the Enable SHA256 Protection option. You can use this option to add or remove SHA256 categories and the hash values that have been added to a particular category.

    Category Name

    1. Add: To add a filter category, enter the category name and click on Add.
    2. Delete: To remove a filter category, select the category name and click on Delete.


    Hash files
    To add or remove a hash file in a particular category, select the category and then add or delete the file.

    1. Add: To add a hash value, select the category in the Category Name column. Enter the hash value and comments (optional) and click on OK.
    2. Delete: To remove a hash file, select the category in the Category Name column. Select the hash file and click on Delete.
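
    A hash entry only matches a file whose content is byte-for-byte identical, so it is worth validating each value before entering it in a category. The script below is an added example, not eScan code: it checks that entries are 64-digit hexadecimal SHA-256 values and looks a file up by exact hash. The category name and list layout are assumptions modelled on the fields described above; the sample hash is the published SHA-256 test vector for the bytes "abc".

```python
import hashlib
import io
import re

_HEX64 = re.compile(r"[0-9a-fA-F]{64}")

# Constructed category list in the shape the tab describes:
# category name -> [(hash value, optional comment)].
SAMPLE_CATEGORIES = {
    "Constructed-Category": [
        ("BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD",
         "test vector for b'abc'"),
    ],
}


def normalize_hash(value):
    """Return a lower-case SHA-256 hex digest or raise ValueError."""
    cleaned = value.strip()
    if not _HEX64.fullmatch(cleaned):
        raise ValueError(f"not a 64-digit hex SHA-256 value: {value!r}")
    return cleaned.lower()


def build_index(categories):
    """Map each valid hash to (category, comment).

    Rejecting a hash listed under two categories is this example's own
    hygiene rule, not documented console behaviour.
    """
    index = {}
    for category, entries in categories.items():
        for raw_hash, comment in entries:
            digest = normalize_hash(raw_hash)
            if digest in index and index[digest][0] != category:
                raise ValueError(f"{digest} listed in two categories")
            index[digest] = (category, comment)
    return index


def sha256_of(stream, chunk_size=1 << 20):
    """Hash a binary stream in chunks so large files are not loaded whole."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def match(index, stream):
    """Return (category, comment) for an exact hash match, else None."""
    return index.get(sha256_of(stream))
```

    A value of another length, such as a 32-digit MD5, is rejected at load time instead of silently never matching.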