Configuring Endpoint Protection

This article explains how to configure Cato's Endpoint Protection (EPP) solution to secure your endpoints.

Overview

Cato's EPP solution includes two types of EPP engines: File Protection, which scans files on the endpoint, and Behavioral Analysis, which monitors processes running on the endpoint. EPP settings are configured in the Cato Management Application, which provides a centralized way to manage security across your attack surface. In the Endpoint Protection Profile, you configure the Protection level of each engine to define how it responds to potential threats. Use the Endpoint Protection Policy to apply Endpoint Protection Profiles to endusers or endpoints.

You can add a file or process to the Allow List to prevent legitimate files or processes from being identified as malicious. For additional protection, you can run an on-demand scan on a specific endpoint.

EPP Engines

To protect endpoints from known and unknown malware, Cato's EPP solution combines two layers of protection. Each layer uses different detection techniques to identify and prevent different types of attacks.

Anti-Malware (File Protection)

The File Protection engine scans more than 300 file types, including archives such as ZIP and RAR files. A file is scanned when it is downloaded or copied onto an endpoint, and again when an enduser attempts to access it. You can also scan all files on an endpoint at any time with an on-demand scan.

Behavioral Analysis

The Behavioral Analysis engine uses heuristic methods to protect against unknown and zero-day threats. Applications and processes are continuously monitored for indications of malicious activity based on their behavior. Examples of malicious behavior include:

  • Executing or injecting code in another process’s space to run with higher privileges

  • Accessing or performing unauthorized operations on registry locations that require elevated privileges

  • Copying or moving files in System or Windows folders

Responding to Threats

After an EPP engine identifies potentially malicious activity, the Protection setting defines the action that EPP takes. For the Behavioral Analysis engine, you can also define how sensitive it is when identifying unknown threats.

The following table describes each Protection level, and an example use case for it.

Protection | Description | Sample Use Case
Off | EPP scans do not run and no events are created. | You do not want to use this EPP engine.
Monitor | If malicious activity is identified, an event is created, but no further action is taken. | You want to collect data on malicious files or processes without preventing their execution.
Block | The malicious file or process cannot be executed. The file is not modified or moved from its location. | You want to identify and block malicious files or processes.
Block and Remediate | The malicious file or process cannot be executed. The file is encrypted and quarantined, or, if this is not possible, the file is deleted. This is the default setting. | You want to identify, block, and quarantine malicious files or processes.

Behavioral Analysis Heuristic Sensitivity Level

The Behavioral Analysis engine detects potential threats based on a predictive model and learning heuristics. The Sensitivity Level sets the confidence threshold at which the engine reports a process as a potential threat. For example, the Aggressive setting flags processes even when there is only a low level of certainty that the process is actually malicious, so it can produce more false-positive matches. The Permissive setting flags only processes that are almost certainly malicious, and so produces fewer false positives but can miss less obvious threats.

The following table describes each Sensitivity Level and an example use case for it.

Sensitivity Level | Description | Sample Use Case
Permissive | Only detect processes that are determined to be malicious with a very high level of certainty. This is the setting with the lowest sensitivity. | You only want to detect processes that are almost certainly malicious.
Balanced | Detect processes that are determined to be malicious with a high level of certainty. | You want to detect processes that are likely malicious.
Aggressive | Detect processes that are determined to be malicious with a low level of certainty. This is the setting with the highest sensitivity. | You want to detect processes that are possibly malicious and accept more false positives.

Configuring Endpoint Protection Settings

To define how EPP protects the endpoints in your account, use an EPP Profile to set the Protection level for each engine. Then use the rules in the EPP Policy to define the scope of endpoints that each Profile applies to. A Profile can be applied to specific endusers, specific endpoints, or both.

The EPP Policy is an ordered rulebase. When a file or process is evaluated, the rules are checked sequentially from the top until one matches; that rule's Profile is applied and no further rules are evaluated. Rules at the top of the rulebase therefore have higher priority than rules lower down. For example, if rule #1 has a File Protection level of Block and applies to the endpoint where a malicious file is identified, the file is blocked and no further rules are applied to the file. Place rules with a narrow Source above broader rules: a catch-all rule at the top of the rulebase prevents every rule below it from ever matching.

Defining an Endpoint Protection Profile

The EPP Profile defines the File Protection and Behavioral Analysis engine Protection settings. You can define different profiles based on the requirements for your EPP Policy.

To define an Endpoint Protection Profile:

  1. From the navigation menu, click Security > Endpoint Protection.

  2. Click the Profiles tab.

  3. Click New.

    The Create new Endpoint Protection Profile panel opens.

  4. Define the settings for the profile.

  5. Click Apply and then Save.

Creating an Endpoint Protection Policy

Each rule in the EPP Policy is defined by a Source and a Profile. The Source can be an enduser identity or an endpoint device, identified by its Endpoint ID. The Profile sets the level of protection applied to that Source, so you can customize how each EPP engine is used on each endpoint across your environment.

To create an Endpoint Protection Policy:

  1. From the navigation menu, click Security > Endpoint Protection.

  2. Click New.

    The Create new Endpoint Protection Policy Rule panel opens.

  3. Define the Name, Description, Source, and Profile for this rule.

  4. Click Apply.

  5. Repeat steps 2-4 for each rule in the EPP Policy.

  6. Enable the EPP Policy and click Save.

    The policy slider is green when EPP is enabled and gray when it is disabled.

Allowing Files and Paths for EPP

Sometimes an EPP engine may identify a legitimate business process as malicious. To prevent endpoint protection from interrupting legitimate business processes, you can allow an Object for an enduser or an endpoint (the Source). An allowed Object is not scanned, blocked, or moved, and it does not trigger an alert. Allow the narrowest Object that solves the problem: a SHA256 hash allows one exact file, whereas a folder path or file type also allows anything that is later placed in that folder or given that extension, so restrict such entries to the affected endusers or endpoints.

The following objects can be allowed to execute for an enduser, on an endpoint, or both:

  • File Path

  • Folder Path

  • File Type

  • SHA256 File Hash


To define an Object for the Allow List:

  1. From the navigation menu, click Security > Endpoint Protection.

  2. Click the Allow List tab.

  3. Click New.

    The New Allow List panel opens.

  4. Define the Name, Description, Object, and Source to be allowed.

  5. Click Apply.

  6. Repeat steps 3-5 for each Object that you are allowing.

  7. Click Save.
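The first-match behavior of the rulebase and the four kinds of Allow List Object are easy to get wrong in practice, so here is an added worked model in Python. It is example code written for this article, not Cato's own code: the data layout, the "user:<name>" / "endpoint:<id>" Source format, the rule and profile names, the hash value, and the assumption that an empty Source matches any user and endpoint are all made up for illustration. It shows how a catch-all rule placed above a specific rule shadows it, and how each Object type in the Allow List matches a file.

```python
"""Model of an ordered EPP rulebase and allow list (added example, not Cato code).

Everything here is an assumption for illustration: the data layout, the
"user:<name>" / "endpoint:<id>" source format, and the matching rules. The
real settings are only exposed through the Cato Management Application.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Protection level -> (event created, execution blocked, file quarantined),
# following the Protection table in the article.
ACTIONS = {
    "Off": (False, False, False),
    "Monitor": (True, False, False),
    "Block": (True, True, False),
    "Block and Remediate": (True, True, True),
}


@dataclass(frozen=True)
class Profile:
    name: str
    file_protection: str = "Block and Remediate"     # documented default
    behavioral_analysis: str = "Block and Remediate"
    sensitivity: str = "Balanced"


def _in_scope(sources, user, endpoint):
    """Empty source set = any user and any endpoint (assumption)."""
    return (not sources
            or f"user:{user}" in sources
            or f"endpoint:{endpoint}" in sources)


@dataclass(frozen=True)
class Rule:
    name: str
    sources: frozenset
    profile: Profile


@dataclass(frozen=True)
class AllowEntry:
    kind: str          # "file_path", "folder_path", "file_type" or "sha256"
    value: str
    sources: frozenset

    def covers(self, user, endpoint, path, sha256):
        if not _in_scope(self.sources, user, endpoint):
            return False
        p = PureWindowsPath(path)            # Windows paths compare case-insensitively
        if self.kind == "file_path":
            return p == PureWindowsPath(self.value)
        if self.kind == "folder_path":
            return PureWindowsPath(self.value) in p.parents
        if self.kind == "file_type":
            return p.suffix.lower() == "." + self.value.lower().lstrip(".")
        if self.kind == "sha256":
            return sha256.lower() == self.value.lower()
        raise ValueError(f"unknown allow list object kind: {self.kind}")


def resolve_rule(rulebase, user, endpoint):
    """First matching rule wins; rules below it are never evaluated."""
    for rule in rulebase:
        if _in_scope(rule.sources, user, endpoint):
            return rule
    return None


def decide(rulebase, allowlist, user, endpoint, path, sha256,
           engine="file_protection"):
    """Outcome for a detection by `engine` on the given source and file."""
    if any(e.covers(user, endpoint, path, sha256) for e in allowlist):
        return {"rule": None, "level": "Allowed",
                "event": False, "blocked": False, "quarantined": False}
    rule = resolve_rule(rulebase, user, endpoint)
    if rule is None:  # the article does not say what happens here; assume nothing
        return {"rule": None, "level": "No rule matched",
                "event": False, "blocked": False, "quarantined": False}
    level = getattr(rule.profile, engine)
    event, blocked, quarantined = ACTIONS[level]
    return {"rule": rule.name, "level": level,
            "event": event, "blocked": blocked, "quarantined": quarantined}


# Constructed sample data.
STRICT = Profile("Strict")
MONITOR_ONLY = Profile("Monitor only", file_protection="Monitor",
                       behavioral_analysis="Monitor", sensitivity="Aggressive")

# A catch-all rule at the top shadows the specific rule below it:
# endpoint EP-2001 never reaches rule #2 and only ever gets Monitor.
RULEBASE_SHADOWED = [
    Rule("1 - everyone (monitor)", frozenset(), MONITOR_ONLY),
    Rule("2 - finance laptops (strict)", frozenset({"endpoint:EP-2001"}), STRICT),
]
# Specific rule first, catch-all last: the order that enforces the intent.
RULEBASE_ORDERED = [RULEBASE_SHADOWED[1], RULEBASE_SHADOWED[0]]

ALLOWLIST = [
    # Folder allowed for one user only; anything dropped there later is allowed too.
    AllowEntry("folder_path", r"C:\Program Files\LegacyERP", frozenset({"user:bob"})),
    # Hash allowed for every source (constructed value, not a real sample).
    AllowEntry("sha256", "3f" * 32, frozenset()),
]

if __name__ == "__main__":
    f = r"C:\Users\alice\Downloads\invoice.exe"
    print(decide(RULEBASE_SHADOWED, ALLOWLIST, "alice", "EP-2001", f, "aa" * 32)["level"])
    print(decide(RULEBASE_ORDERED, ALLOWLIST, "alice", "EP-2001", f, "aa" * 32)["level"])
```

Running it prints Monitor for the shadowed rulebase and Block and Remediate for the reordered one, even though both contain the same two rules. The folder entry scoped to bob also shows why a path-based Allow List entry should carry a Source: the same path on alice's endpoint still falls through to the policy.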

On-demand File Protection Scans

File Protection scans run when a file is downloaded or copied onto an endpoint, and when an enduser attempts to access it. In addition, you can run a File Protection scan on an endpoint on demand at any time. An on-demand scan lets you find malware that is already on an endpoint before an enduser tries to access it.

On-demand scans compare the SHA256 file hash of every file saved on the endpoint with a list of known malware signatures. If a malicious file is detected, EPP takes the File Protection action defined by the Profile that the Policy applies to that endpoint.
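To make the hash comparison concrete, here is an added Python simulation of an on-demand scan. It is example code written for this article, not the Cato agent's implementation: it walks a directory, streams each file through SHA-256, matches the digest against a constructed set of known-bad hashes, and then applies the File Protection level from the Protection table, quarantining by moving the file (the real engine also encrypts it, which is not modelled) and deleting it when no quarantine location is available. The sample files, their contents, the hash set, and the quarantine layout are all constructed for the example.

```python
"""Simulation of an on-demand File Protection scan (added example, not Cato code).

Walks a directory, hashes every file with SHA-256, compares the digest with a
set of known-malware hashes and applies the File Protection level from the
article's Protection table. The hash set, sample files and quarantine layout
are constructed for this example; the real signature list and the encryption
applied to quarantined files are not modelled.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

PROTECTION_LEVELS = ("Off", "Monitor", "Block", "Block and Remediate")


def sha256_of(path, chunk_size=1 << 20):
    """Stream the file so large files never have to fit in memory."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, known_bad, protection, quarantine=None):
    """Return [(relative_posix_path, action)] for every file whose hash is known bad."""
    if protection not in PROTECTION_LEVELS:
        raise ValueError(f"unknown Protection level: {protection}")
    findings = []
    if protection == "Off":
        return findings                       # scans do not run, no events
    root = Path(root)
    # Materialize the file list first so moving files does not disturb the walk.
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = sha256_of(path)
        if digest not in known_bad:
            continue
        rel = path.relative_to(root).as_posix()
        if protection == "Monitor":
            findings.append((rel, "event"))   # event only, file untouched
        elif protection == "Block":
            findings.append((rel, "blocked")) # execution denied, file left in place
        else:                                 # Block and Remediate
            try:
                if quarantine is None:
                    raise OSError("no quarantine location available")
                quarantine = Path(quarantine)
                quarantine.mkdir(parents=True, exist_ok=True)
                shutil.move(str(path), str(quarantine / f"{digest}.quarantined"))
                findings.append((rel, "quarantined"))
            except OSError:
                path.unlink()                 # quarantine not possible: delete
                findings.append((rel, "deleted"))
    return findings


def build_sample_tree(base):
    """Constructed sample: two benign text files and one file treated as malware."""
    base = Path(base)
    (base / "docs").mkdir(parents=True, exist_ok=True)
    (base / "docs" / "readme.txt").write_bytes(b"hello\n")
    (base / "docs" / "notes.txt").write_bytes(b"meeting notes\n")
    bad = base / "downloads" / "setup.exe"
    bad.parent.mkdir(parents=True, exist_ok=True)
    bad.write_bytes(b"placeholder content standing in for a known-bad sample\n")
    return {sha256_of(bad)}                   # the "signature list" for this example


def demo():
    """Run the scan at every Protection level on a fresh copy of the sample tree."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "endpoint"
        quarantine = Path(tmp) / "quarantine"
        for level in PROTECTION_LEVELS:
            shutil.rmtree(root, ignore_errors=True)
            known_bad = build_sample_tree(root)
            findings = scan_tree(root, known_bad, level, quarantine)
            results[level] = (findings, (root / "downloads" / "setup.exe").exists())
        results["quarantined_files"] = len(list(quarantine.iterdir()))
        # No quarantine location available: the file is deleted instead.
        shutil.rmtree(root, ignore_errors=True)
        known_bad = build_sample_tree(root)
        findings = scan_tree(root, known_bad, "Block and Remediate", None)
        results["fallback"] = (findings, (root / "downloads" / "setup.exe").exists())
        results["readme_sha256"] = sha256_of(root / "docs" / "readme.txt")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Only Block and Remediate changes the file system; Monitor and Block leave the file where it is, which matches the table above. Hashing the content rather than trusting the name or extension is what makes a renamed or re-extensioned copy of the same sample still match.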

Running an On-demand File Protection Scan

You can identify malicious files on an endpoint at any time by running an On-demand scan.

To run an on-demand File Protection scan:

  1. From the navigation menu, click Monitoring > Protected Endpoints.

    The Protected Endpoints screen is displayed.

  2. Click the three-dots menu on the endpoint that you want to scan.

  3. Click Scan Endpoint.

    A File Protection scan runs on the endpoint.
