How does Cylance PROTECT work?
Cylance PROTECT detects and blocks threats before they can affect your computer. Cylance uses a mathematical approach to malware identification, using machine learning techniques instead of reactive signatures, trust-based systems or sandboxes. Cylance's approach renders new malware, viruses, bots, and future variants useless. Cylance PROTECT analyzes potential file executions for malware in the Operating System (OS) and memory layers to prevent the delivery of malicious payloads.
How the Cylance PROTECT Agent identifies and blocks file threats.
Background Threat Detection: Scans files on the system, running in the background, and designed to consume a small amount of system resources. It is recommended to enable Background Threat Detection and Watch For New Files. If Watch For New Files is enabled, it is recommended to configure Background Threat Detection to Run Once. You need to check existing files one time only if you are also watching for new and updated files.
Process Scan: Scans processes running on the device.
File Watcher: Scans new and updated files for threats. Because this feature only looks for new and updated files, it is recommended to use Background Threat Detection set to Run Once. Background Threat Detection scans all files on the device.
Execution Control: Analyzes running processes only. This includes all files that run at system startup, that are set to auto-run, and that are manually executed by the user.
Analysis: How files are identified as malicious or safe.
Infinity Engine: The Cylance PROTECT Mathematical Model hosted in the cloud, used to score files.
Local Model: The Cylance PROTECT Mathematical Model included with the Agent. This allows analysis when the device is not connected to the Internet.
How the Cylance PROTECT Agent identifies and blocks memory based threats.
Cylance PROTECT’s memory protection abilities are similar to those found in modern host intrusion prevention systems, but without the configuration complexity. Memory protection adds an additional layer of security and strengthens the OS’s basic protection features. In many breach events, a benign process is initially exploited by malicious payload code. The most common incidents involve a user browsing to a malicious website or a user executing a malicious document. When this occurs, the attacker’s payload code executes in the memory of the browser or application without attempting to create or execute a new malicious executable. When deployed on servers, Cylance PROTECT’s memory protection capabilities prevent the exploitation of many of the most common classes of vulnerabilities, such as buffer overflows and use-after-free bugs.
Cylance PROTECT’s memory protection module consists of an agent dynamic-link library loaded into each protected process, and a service component that supplies configuration, receives information, and responds to events. The agent hooks various user-mode application programming interface (API) functions in order to maintain state and watch for certain hard-coded behaviors considered indicative of a compromise. Whenever such a behavior is detected, an event is communicated to the service before the hooked API function is allowed to complete. The service then responds with an action for the agent to take, such as:
• Ignore the violation and let it execute
• Alert on the violation, but let it execute
• Block the violation and send an alert
• Terminate the process completely
These actions are easily configured in a policy maintained by the Cylance PROTECT administrator. The memory protections are effective for both 32- and 64-bit processes and are designed to protect without imposing a heavy performance overhead.
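The hook-to-service flow described above can be modelled as a small simulation: an in-process agent keeps state about simulated heap regions, and before a "hooked" call completes it sends a violation event to a service, which answers with one of the four policy actions. This is an added illustration, not Cylance's own code; the violation labels ("use-after-free", "double-free"), the policy dictionary shape and the log format are assumptions made for the example.

```python
"""Simulation of the hook -> event -> policy -> action loop of a memory-protection
agent. Added illustrative code, not Cylance PROTECT's implementation; the
violation names, policy shape and log format are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Action(Enum):
    IGNORE = "ignore"        # let the hooked call complete, record nothing
    ALERT = "alert"          # let it complete, but record an alert
    BLOCK = "block"          # refuse the call and record an alert
    TERMINATE = "terminate"  # refuse the call and end the process


@dataclass(frozen=True)
class ViolationEvent:
    pid: int
    violation: str  # constructed category label, e.g. "use-after-free"
    api: str        # the hooked API whose completion is being gated


class PolicyService:
    """Service component: holds the administrator policy, answers agent
    events and keeps the alert log (assumed shape)."""

    def __init__(self, policy: Dict[str, Action], default: Action = Action.ALERT):
        self.policy = policy
        self.default = default
        self.log: List[str] = []

    def decide(self, event: ViolationEvent) -> Action:
        action = self.policy.get(event.violation, self.default)
        if action is not Action.IGNORE:
            self.log.append(f"pid={event.pid} {event.violation} via {event.api} -> {action.value}")
        return action


class ProtectedProcess:
    """Agent side: stand-in for the in-process DLL. It tracks simulated heap
    regions and consults the service before a hooked call may complete."""

    def __init__(self, pid: int, service: PolicyService):
        self.pid = pid
        self.service = service
        self.regions: Dict[str, bool] = {}  # region name -> True once freed
        self.terminated = False

    def _gate(self, api: str, violation: Optional[str]) -> bool:
        """Return True if the hooked API is allowed to complete."""
        if self.terminated:
            raise RuntimeError(f"pid={self.pid} was terminated by policy")
        if violation is None:
            return True
        action = self.service.decide(ViolationEvent(self.pid, violation, api))
        if action is Action.TERMINATE:
            self.terminated = True
        return action in (Action.IGNORE, Action.ALERT)

    def alloc(self, region: str) -> bool:
        if not self._gate("alloc", None):
            return False
        self.regions[region] = False
        return True

    def free(self, region: str) -> bool:
        # Freeing an already-freed region is the stateful check here.
        violation = "double-free" if self.regions.get(region) else None
        if not self._gate("free", violation):
            return False
        self.regions[region] = True
        return True

    def write(self, region: str) -> bool:
        # Writing to a freed region is flagged from the state kept by the hook.
        violation = "use-after-free" if self.regions.get(region) else None
        return self._gate("write", violation)


if __name__ == "__main__":
    svc = PolicyService({"use-after-free": Action.BLOCK, "double-free": Action.TERMINATE})
    proc = ProtectedProcess(1234, svc)
    proc.alloc("buf")
    proc.free("buf")
    print("write after free allowed:", proc.write("buf"))
    print("\n".join(svc.log))
```

The gating happens in `_gate`, which mirrors the ordering the text describes: the event reaches the service first and the hooked call only proceeds if the returned action is Ignore or Alert. Switching the policy dictionary changes the outcome without touching the agent code, which is the point of keeping the decision in the service.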