SandBlast Agent Behavioral Guard is a behavioral detection engine that detects and remediates all forms of malicious behavior. When Behavioral Guard detects malicious behavior, a forensics report covering the entire attack is generated. Based on that forensics report, the attack can be remediated automatically or manually.
This article covers basic configuration of the Behavioral Guard, which includes enabling/disabling the product and creating exclusions.
Enabling aggressive behavioral rules or switching from detect to prevent requires advanced configuration knowledge. For more on this, see sk130012: SandBlast Agent Behavioral Guard Advanced Configuration.
Configuring Behavioral Guard
Starting with E80.85, Behavioral Guard is turned on by default.
It is recommended that users upgrade to the latest SmartConsole version.
Click on the "Policies" section of the SmartEndpoint and then scroll down to the "SandBlast Agent Anti-Ransomware, Behavioral Guard and Forensics" section. If you are not using the latest SmartConsole version, you will need to scroll down to the "SandBlast Agent Anti-Ransomware, Forensics and Remediation" section.
Then open the following: "Anti-Ransomware and Behavioral Guard Settings". If you are not using the latest version of the SmartConsole, you will need to open "Anti-Ransomware Backup Settings".
Enabling/Disabling Behavioral Guard
Anti-Ransomware and Behavioral Guard are configured using the same check box, so you can only enable both or disable both. If you need the granularity to disable one while leaving the other enabled, refer to sk130012: SandBlast Agent Behavioral Guard Advanced Configuration.
Note: If you are not using the latest version of SmartConsole, the check box will say "Enable Anti-Ransomware" only. However, turning it on or off will affect the behavior of Behavioral Guard, as well.
Exclusions for Behavioral Guard
Like Anti-Ransomware, Behavioral Guard allows for exclusions by Certificate, Process and Folder. In addition, Behavioral Guard allows for exclusion by Behavioral Rule Name.
The UI offers no Behavioral Rule Name choice, but the following workaround works. Under Exclusion Setting, click on "Add location...". This will bring up the window shown below. Select Certificate and click OK.
Then enter the rule name in the form rulename::<signature>, for example: rulename::Gen.Win.hashcpy. This prevents that rule from being enforced.
Note: The exclusions configured here apply to both Anti-Ransomware and Behavioral Guard, with one exception: the Behavioral Rule Name exclusions described above currently DO NOT apply to Anti-Ransomware.
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.