If you have used Cylance (now owned by BlackBerry), you should know that there are three common ways to whitelist programs and files:
1 – Cylance Whitelist Best Practice
The best place to whitelist is under DEVICE POLICY > {name of policy} > POLICY SAFE LIST because it is the most constrained. Your security exceptions should be few and limited.
The problem with this policy is that it only allows files to be whitelisted by their hash (SHA), and those hashes will often change over time due to upgrades. In my client's case we had a piece of software that generated a new file, and hence a new SHA, every time, so this was useless.
2 – Cylance Whitelist Folder
Another option is DEVICE POLICY > {your policy name} > PROTECTION SETTINGS, but that only allows entire folders to be whitelisted. That is obviously a bad idea if the software in question uses something common like C:\TEMP, C:\PROGRAM FILES or C:\DELL, as malware might use those same folders.
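As an added example (not from the original post and not Cylance's own tooling), here is a small Python check that reviews a list of folder exclusions before they go into a policy and flags the ones that cover or sit inside the common folders named above. It calls no Cylance API; the `USER_WRITABLE` list and the sample paths are assumptions made for the example.

```python
from pathlib import PureWindowsPath

# Folders the article names as shared by legitimate software and malware.
COMMON_FOLDERS = [r"C:\TEMP", r"C:\PROGRAM FILES", r"C:\DELL"]
# Assumption for this example: anything below these is still treated as risky,
# because ordinary users can usually write there.
USER_WRITABLE = [r"C:\TEMP"]


def _parts(path):
    """Lower-cased path components, so comparisons ignore case and trailing slashes."""
    return tuple(part.lower() for part in PureWindowsPath(path).parts)


def _covers(outer, inner):
    """True when folder `outer` is `inner` itself or one of its ancestors."""
    return inner[:len(outer)] == outer


def audit_exclusion(path):
    """Return the findings for one folder exclusion; an empty list means none."""
    if not PureWindowsPath(path).is_absolute():
        return ["not an absolute path, cannot be reviewed"]
    target = _parts(path)
    findings = [f"covers all of {c}" for c in COMMON_FOLDERS
                if _covers(target, _parts(c))]
    findings += [f"sits inside {w}" for w in USER_WRITABLE
                 if _covers(_parts(w), target) and target != _parts(w)]
    return findings


def audit(paths):
    """Map each flagged exclusion to its findings; clean entries are left out."""
    results = {p: audit_exclusion(p) for p in paths}
    return {p: f for p, f in results.items() if f}


# Constructed sample exclusion list (hypothetical paths, not from a real policy).
SAMPLE = [
    "C:\\",
    "c:\\temp\\",
    r"C:\Temp\build",
    r"C:\Dell",
    r"C:\Program Files\ExampleVendor\Tool",
]

if __name__ == "__main__":
    for path, findings in audit(SAMPLE).items():
        print(f"{path}: {'; '.join(findings)}")
```

Only the vendor-specific subfolder passes without a finding; the drive root is flagged three times because it covers every common folder at once.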
3 – Cylance Whitelist Global Settings
The last common whitelist option is in GLOBAL SETTINGS. You should be careful with this because anything whitelisted here will apply to your entire enterprise, not just one group of machines or users.
Again, the problem here is that you can only whitelist a file by its hash, which is likely to change over time.
4 – Cylance Whitelisting Options
Note that when I was using IBM Trusteer (which got rolled into BigFix), whitelisting files / programs by name could be done, but only by tech support, because they felt it was too large a security hole to allow even admins to do it.