Dell Endpoint Security Suite Enterprise Advanced Threat Prevention Quick Start Guide v3.0 May 2021 Rev.
Notes, cautions, and warnings
NOTE: A NOTE indicates important information that helps you make better use of your product.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
© 2012-2021 Dell Inc. All rights reserved.
Contents
Chapter 1: Introduction .......... 4
Contact Dell ProSupport .......... 4
Chapter 2: Get Started .......... 5
Provision a Tenant ..................................
1 Introduction
Before you perform tasks explained in this guide, the following components must be installed:
● Endpoint Security Suite Enterprise - refer to Endpoint Security Suite Enterprise Advanced Installation Guide or Endpoint Security Suite Enterprise Basic Installation Guide
● Security Management Server or Security Management Server Virtual Server - refer to Security Management Server Installation and Migration Guide or Security Management Server Virtual Server Quick Start and Installation Guide
This
2 Get Started
This chapter details the recommended steps to begin administering Advanced Threat Prevention.
The following diagram illustrates the Advanced Threat Prevention agent communication process.
The following diagram illustrates Dell Server architecture and communication.
Enable BIOS Image Integrity Verification
The BIOS Image Integrity Verification policy is enabled by default when the master switch for Advanced Threat Prevention is enabled. For an overview of the BIOS Image Integrity Verification process, refer to BIOS Image Integrity Verification Process.
Verification Process
The following diagram illustrates the BIOS image integrity verification process.
If the Enable BIOS Assurance policy is selected in the Management Console, the Cylance tenant validates a BIOS hash on endpoint computers to ensure that the BIOS has not been modified from the Dell factory version, which is a possible attack vector. If a threat is detected, a notification is passed to the Dell Server and the IT administrator is alerted in the Remote Management Console. For an overview of the process, see BIOS Image Integrity Verification Process.
Dell Computer Models supported with BIOS Image Integrity Verification
● Latitude E5570
● Latitude E7270
● Latitude E7470
● Latitude Rugged 5414
● Latitude Rugged 7214 Extreme
● Latitude Rugged 7414
● OptiPlex 3040
● OptiPlex 3240
● Precision Workstation 7510
● Precision Workstation 7710
● Precision Workstation T3420
● Venue 10 Pro 5056
● Venue Pro 5855
● Venue XPS 12 9250
● XPS 13 9350
● XPS 9550
Configure Advanced Threat Prevention Agent Auto Update
In the Management Console, you can enroll to receive
3. View or modify administrator roles in the right pane.
4. Click Save.
NOTE: Dell recommends assigning administrator roles at the Group level rather than at the User level.
To view, assign, or modify administrator roles at the Group level, follow these steps:
1. In the left pane, click Populations > User Groups.
2. Search or select a Group name, then the Admin tab. The user group detail page displays.
3. Select or deselect the administrator roles assigned to the Group.
4. Click Save.
3 Policies
This chapter details policy management for Advanced Threat Prevention.
● Enable Advanced Threat Prevention
● Recommended Policy Settings
● Commit Policy Modifications
For the complete list of Advanced Threat Prevention policies and their descriptions, refer to AdminHelp, available in the Management Console.
Enable Advanced Threat Prevention
The Advanced Threat Prevention policy is toggled Off by default and must be toggled On to enable Advanced Threat Prevention policies.
4 Threats
This chapter details how to identify and manage threats encountered in an enterprise environment following the installation of Advanced Threat Prevention.
Label | Severity | Detail
(previous row, continued) | | Typically this denotes the correlating Memory Protection or Script Control policy outlined was set to Terminate.
MemoryViolation | Warning | Indicates that an executable or script was found that was in violation of the Memory Protection or Script Control Policy. The executable or script had no action taken against it, likely due to policy being set to Allow.
● Options - Provides a way to integrate with Security Information Event Management (SIEM).
● Certificate - Allows certificate upload. After upload, certificates display on the Global List tab and can be Safe listed.
Tables on the tabs can be organized in these ways:
● Add or remove columns from the table - Click the arrow next to any column header, select Columns, then select the columns to display. Clear the check box of columns to hide.
● Sort the data - Click a column header.
review threats found by Execution Control. These were convicted when a user attempted to execute an application and need more urgent attention than dormant files convicted by Background Threat Detection or File Watcher. The information for the model comparison comes from the database, not your devices, so no re-analysis is done for the model comparison. However, when a new model is available and the proper Agent is installed, a re-analysis is done on your organization and any model changes are applied.
● Waive - Add a file to the Waived list on a computer. This file is allowed to execute on the computer.
Manage Endpoint Advanced Threats
To manage a threat identified on a specific computer:
1. In the left pane, click Populations > Enterprise.
2. Select the Advanced Threats tab.
3. Select Agents.
4. Select a specific agent name, and select the appropriate command: Export, Quarantine, or Waive a threat.
5 Disconnected Mode
Disconnected mode allows a Dell Server to manage Advanced Threat Prevention endpoints without client connection to the Internet or external network. Disconnected mode also allows the Dell Server to manage clients without Internet connection or a provisioned and hosted Advanced Threat Prevention service. The Dell Server captures all event and threat data in Disconnected mode.
These policies are sent to the Advanced Threat Prevention client only if the Dell Server detects a Disconnected Mode install token, which is prefixed with "DELLAG." Refer to AdminHelp for examples of these policies. To view files that Advanced Threat Prevention identifies as potential threats, navigate to Enterprise > Advanced Threat Events tab. This tab contains a list of event information for the entire enterprise and the action taken, such as Blocked or Terminated.
6 Troubleshooting
Recover Advanced Threat Prevention
Recover Service
You will need your backed-up certificate to recover the Advanced Threat Prevention service.
1. In the left pane of the Management Console, click Management > Services Management.
2. Click Recover Advanced Threat Prevention Service.
3. Follow the guided service recovery and upload the Advanced Threat Prevention certificate when prompted.
Use this registry setting for testing/debugging only, as it controls log verbosity for other components, including Encryption and Encryption Management Agent.
● Compatibility Mode allows applications to run on the client computer while Memory Protection or Memory Protection and Script Control policies are enabled. Enabling compatibility mode requires adding a registry value on the client computer. To enable compatibility mode, follow these steps:
1.