SandBlast Agent Behavioral Guard Advanced Configuration
SandBlast Agent Behavioral Guard is a behavioral detection engine that detects and remediates all forms of malicious behavior. When the Behavioral Guard detects malicious behavior, a forensics report is generated of the entire attack. The attack can be automatically or manually remediated based on the forensics report.
This article covers advanced configuration for Behavioral Guard, which includes enabling/disabling aggressive behavioral rules, switching from detect to prevent, and disabling Behavioral Guard while keeping Anti-Ransomware enabled.
For information on how to enable/disable the product or create exclusions, refer to sk129892.
Configuring Behavioral Guard
Starting with E80.85, Behavioral Guard is turned on by default. Advanced configuration options are set in an XML snippet in the format below.
<ngavPolicy>
  <experimentalSignatures>false</experimentalSignatures>
  <enforcementActions>
    <low>Ignore</low>
    <medium>Detect</medium>
    <high>Detect</high>
  </enforcementActions>
</ngavPolicy>
Enabling Aggressive Rules
Aggressive Behavioral Rules are rules that are present in the rule package, but which have not been turned on yet. These represent rules that are being monitored for effectiveness. You can turn on Aggressive Behavioral Rules by simply editing the XML above and changing the line:
<experimentalSignatures>false</experimentalSignatures> to <experimentalSignatures>true</experimentalSignatures>
Configuring Enforcement Actions
You can configure the enforcement of Behavioral Guard based on detection confidence. The options for each confidence level can be set to:
- Ignore: Nothing is done on the detection and no log is created
- Detect: Logs, Alerts and a Forensic Report are created
- Prevent: All of the above, and the attack is remediated
By default, the settings are:
- Low Confidence: Ignore
- Medium Confidence: Detect
- High Confidence: Detect
To change the default, simply change the corresponding setting in the XML above.
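The following is an added example (not Check Point's own code or tooling) that renders an ngavPolicy snippet in the layout shown above and checks an existing snippet before it is pasted into the policy: it rejects enforcement actions other than Ignore, Detect and Prevent, reports missing confidence levels, and flags the combination of aggressive rules with Prevent, since those rules are still being evaluated for effectiveness. The helper names and the sample policy are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Enforcement actions and confidence levels documented in the article.
ALLOWED_ACTIONS = {"Ignore", "Detect", "Prevent"}
LEVELS = ("low", "medium", "high")


def build_policy(experimental, low, medium, high):
    """Render an ngavPolicy snippet in the layout the article shows."""
    actions = {"low": low, "medium": medium, "high": high}
    bad = {lvl: act for lvl, act in actions.items() if act not in ALLOWED_ACTIONS}
    if bad:
        raise ValueError(f"unsupported enforcement action(s): {bad}")
    lines = ["<ngavPolicy>",
             f"  <experimentalSignatures>{str(experimental).lower()}</experimentalSignatures>",
             "  <enforcementActions>"]
    lines += [f"    <{lvl}>{actions[lvl]}</{lvl}>" for lvl in LEVELS]
    lines += ["  </enforcementActions>", "</ngavPolicy>"]
    return "\n".join(lines)


def check_policy(xml_text):
    """Return findings for a policy snippet; an empty list means it is clean."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "ngavPolicy":
        return [f"root element is <{root.tag}>, expected <ngavPolicy>"]
    exp = root.findtext("experimentalSignatures")
    if exp not in ("true", "false"):
        findings.append(f"experimentalSignatures must be true or false, got {exp!r}")
    enf = root.find("enforcementActions")
    if enf is None:
        return findings + ["missing <enforcementActions>"]
    actions = {}
    for lvl in LEVELS:
        act = enf.findtext(lvl)
        if act is None:
            findings.append(f"missing <{lvl}> under <enforcementActions>")
        elif act not in ALLOWED_ACTIONS:
            findings.append(f"<{lvl}> has unknown action {act!r}")
        else:
            actions[lvl] = act
    # Caveat: aggressive rules are still being evaluated for effectiveness, so
    # pairing them with Prevent lets unproven rules remediate automatically.
    if exp == "true" and "Prevent" in actions.values():
        findings.append("aggressive rules are on while Prevent is set; review detect-mode logs first")
    return findings

# Constructed sample: the article's default with high confidence moved to Prevent.
SAMPLE_POLICY = build_policy(False, "Ignore", "Detect", "Prevent")
```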
Saving changes to the XML file:
In the SandBlast Agent "Anti-Ransomware, Behavioral Guard and Forensics" settings tab, select "Use default monitoring settings" and click Edit.
Note: The name for this section may be different if you are not using the latest SmartConsole version.
In the window shown below on the left, click "Add location...".
Select "Process" in the window and click OK.
This opens the window shown below on the right. Enter the modified XML into the Process Name field and click OK.
Click OK again to close the Monitoring and Exclusions window.
Note: For the changes to take effect, make a small change to the "Anti-Ransomware BGAV and Forensics" policy (for example, its comment or name), then save and install the policy.
Disabling Behavioral Guard while Keeping Anti-Ransomware Enabled
As described in sk129892, there is a check box that can enable or disable both Anti-Ransomware and Behavioral Guard. If, however, you want to keep Anti-Ransomware and disable Behavioral Guard, do the following:
First, enable the option as described in sk129892. Then open GuiDBedit and select the "other" field in the left pane (as shown in the image below).
Select the following field (as shown in the picture below):
ep_orgp_efr_policy_tlb -> all_logs -> log_case_analysis
Set the value for log_case_analysis to "false".
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.