PREVENTION POLICIES Flashcards

1
Q

What is the default policy used for?

A
  • The Default Policy is a fallback policy applied to hosts that don’t have an assigned policy.
2
Q

What are best practices when configuring default policies?

A

– You should configure its policy options to be conservative “catch all” settings you’re comfortable applying to any host in your environment.

3
Q

How to configure a detection-only policy?

A

The Default Policy is detection only.
-Configuration > Prevention Policies > Create new policy > input platform, name, description > Create policy > click a row of policy settings to manage individually or click Enable all > Save > Confirm > Enable > Enable policy

4
Q

What is machine learning on a “sensor” vs the “cloud”?

A

-Sensor ML:
  -Sensor Machine Learning is Online + Offline
  -On-sensor detections occur when a process runs
  -Includes Sensor Anti Malware on all supported OS platforms
  -Adware/PUP on macOS

-Cloud ML:
  -Cloud Machine Learning is online
  -Cloud-based Machine Learning detections occur when a file is written to disk
  -Cloud Machine Learning includes both Cloud Anti Malware and Adware/PUP
  **Critical component of the detection/prevention of known, emerging, and zero-day malware/ransomware attacks.
  -Cloud Machine Learning does NOT interfere with traditional AV tools

5
Q

Explain best practice Phase 1: Initial Deployment

A

-Run Phase 1 for the minimum time needed to allow most applications to execute while you triage detections/address any false positives as appropriate.

-Set ML settings to detect only so you can safely triage detections.

-Enable behavior-based protections for ransomware and IOAs.
**These have a low probability of false positives, but give you immediate protection against dangerous exploits.

6
Q

Define the NextGen AV Settings

A

-Cloud Based ML
-Sensor ML
-On Write (Files written to disk)
-Quarantine.

7
Q

What do end user notifications do?

A

-Displays a message to the end user when an action is in violation of the policy assigned to the end host.

8
Q

How to assign a prevention policy to groups and hosts?

A

-Falcon menu > Endpoint Security > Configure > Prevention policies > edit icon near the policy you want to configure > Assigned host groups tab > Add groups to policy > select groups > Add groups to policy > Settings tab > Enable

9
Q

What does precedence do regarding prevention policies?

A
  • Determines which policy’s configuration settings are applied to a host when the host is a member of one or more policies.
  • Each host can belong to one or more host groups; host groups can be assigned one or more policies.
  • With dynamic groups, a newly installed sensor inherits the relevant groups, and the policy with the highest precedence is applied to the host. This provides the host with its initial policy settings.
10
Q

Explain best practice Phase 3: Optimal Protection

A

-Phase 3 is identical to the recommended single-phase settings and your ultimate policy goals.

-Some customers also like to start with a representative set of non-production systems as a test.

-Set ML Preventions to Aggressive if you’re confident that all needed exclusions have been applied.

-Enable the remaining recommended IOA-based prevention policy settings.

11
Q

What are the 3 phases to describe policy best practices?

A

3 Phase Process:

-Phase 1: Initial Deployment

-Phase 2: Interim Protection

-Phase 3: Optimal Protection

12
Q

Which best policy practice is used for a rapid deployment scenario & the customer has pre-existing antivirus or host intrusion prevention system (HIPS)?

A

-Phase 1: initial deployment

13
Q

Which best policy practice is used once the customer’s AV is disabled or uninstalled?

A

Phase 2: Interim Protection

14
Q

Explain best practice Phase 2: Interim Protection

A

**Disable or uninstall other third-party AV products now.
-Run Phase 2 for the minimum time required to allow most applications to execute while you continue to triage detections/address any false positives as appropriate.

-Set ML Detections to Aggressive and ML Preventions to Moderate.

-Enable additional IOA-based prevention settings.

15
Q

Which best policy practice is used to establish a customer’s ultimate policy goals?

A
  • Phase 3: Optimal Protection
16
Q

What happens when you assign a host group to a policy?

A

The host group will no longer appear in the list of available groups.

17
Q

How do end user notifications show up?

A
  • Shows up as a pop-up notification to the end user when the Falcon sensor blocks, kills, or quarantines an unauthorized action

-Messages also show up in the Windows Event Viewer under Apps and Service Logs

18
Q

Where on the Falcon Console can you configure Precedence?

A

Hosts > Host Groups > Policies Assigned > Precedence

19
Q

What features does the Cloud ML provide?

A

-Cloud AntiMalware/Detection

-Cloud AntiMalware/Prevention

-Sensor AntiMalware/Detection/Prevention

-Detect on Write, Quarantine on Write, Quarantine & Security Center Registration, Cloud Adware/PUP Detection/Prevention, Sensor Adware & PUP Detection/Prevention

-Enable detection at a level above the one set for prevention.

-Triage detection data/allowlist false positives. Once confident that the majority of applications have executed, increase the detection/prevention sliders, repeat triage, and allowlist. Repeat until you’ve reached the recommended settings.

20
Q

When does a host automatically get assigned to the default policy?

A

-If a host is not a part of any groups, or the groups it belongs to have no policies assigned.

21
Q

Initially, what are the settings in the default policy set to?

A

All settings in the default policy are Disabled

22
Q

What features does the Sensor ML provide?

A

-Includes Sensor Anti Malware on all supported OS Platforms, and Adware/PUP on MacOS.

-Sensor Anti Malware provides ML-based on-sensor AV protection for malicious files, including offline protection.

23
Q

What are the Policy Settings?

A
  • Notify End Users
    -Unknown Executables
    -Unknown Detection Related Executables
    -Sensor Tampering Protection
23
Q

What are the types of categories?

A

-Enhanced Visibility
-Firmware
-Cloud ML
-On Write
-Quarantine
-Execution Blocking
-Exploit Mitigation
-Ransomware
-Exploitation Behavior
-Lateral Movement and Credential Access
-Remediation

24
Q

What are the sensor capability types?

A

-Sensor Visibility
-Next Gen AV
-Malware Protection
-Behavior Based Prevention

25
Q

What does the Notify End Users policy setting do?

A

-Display notification when a prevention action occurs
**only prevention

26
Q

What does the Unknown Executables and Unknown Detection Related Executables policy setting do?

A

-Controls portable executable files that are executed on the endpoint and whose hashes haven’t been seen before in the cloud.

-Controls whether files are uploaded to the cloud for advanced analysis, and whether this is done for all unknown files or only those related to detections.
**Results are never shared with third parties.

27
Q

What does the Sensor Tampering Protection policy setting do?

A

-Blocks attempts to tamper with the sensor.

-Protects sensor-related files, folders, and registry objects from renaming or deletion.

28
Q

What does the Enhanced Visibility category do?

A

Enabling sensor visibility settings as recommended provides the various IOA-based prevention settings with the data required to detect/prevent potentially malicious activity, and significantly enhances your investigation and threat hunting capabilities.

29
Q

What are the Enhanced Visibility Settings?

A

Additional User Mode Data:
-Allows the sensor to gather additional data from the user-mode component by loading a library that hooks system APIs.
-Uses DLL injection to track process and thread activity and leverages internal or private APIs, which helps surface detections related to process hijacking or unauthorized reads of process data.

HTTP Detections:
-Allows the sensor to monitor unencrypted HTTP traffic and certain encrypted HTTPS traffic on the sensor for malicious patterns and generate detection events on non-server systems.

Interpreter Only:
-Provides visibility into malicious PowerShell interpreter usage. For hosts running Windows 10, Script-Based Execution Monitoring may be used instead.

Engine:
-Provides visibility into malicious System Management Automation engine usage by any application. Requires Interpreter Only.

Redact HTTP Detection Details:
-Removes certain information from HTTP Detection events, including the URL, raw HTTP headers, and POST bodies if they were present. Affects the additional details that would be included, which may contain personal information. When disabled, the information is used to improve the response to detection events. Has no effect unless HTTP Detections is also enabled.

30
Q

What does the Cloud ML category do?

A

-Includes Cloud Anti-malware and Adware/PUP.
**Both feature separate level sliders for Detection and Prevention.

-Enable detection first at a level above the one set for prevention.

-Triage detection data and allowlist false positives as appropriate by hash via IOC Management.
**Use cloud-based ML to detect and prevent known malware on online hosts.

31
Q

What does the On Write category do?

A

-Uses ML to analyze and quarantine suspicious files when they’re written to disk.

-To adjust detection sensitivity, change the Anti Malware Detection levels in Sensor ML and Cloud ML.

32
Q

What does the Quarantine category do?

A

-Quarantine Executable files after they are prevented by NGAV

33
Q

What does the Execution Blocking category do?

A

-Custom Blocking, Suspicious Processes, Suspicious PowerShell Scripts/Commands, Suspicious Registry Operations, and Intelligence Sourced Threats complement Machine Learning preventions.

34
Q

What does the Exploit Mitigation category do?

A

-Stops attempts to exploit vulnerabilities and prevents hosts from being compromised.

-Prevention is only applied to new processes that start after the feature has been enabled.

-Next Gen AV Quarantine: Quarantine executable files after they’re prevented by NGAV. Set Anti-malware prevention levels to moderate and don’t use other AV solutions. Falcon registers with Windows Security Center – disables Defender.

-Unauthorized Remote Access IOA Category: Chopper Webshell, XPCOM Shell, Empyre Backdoor

-Credential Dumping IOAs Category: Kc Password Decoder, Hash Collector
35
Q

What does the Remediation category do?

A

-Advanced Remediation, 3 Phase Prevention Policy Settings

36
Q

What does the Lateral Movement and Credential Access category do?

A

-Covers prevention of activity that is used to escalate logon privileges, such as usage of Windows Logon Bypass to open a command prompt

37
Q

What does the Exploitation Behavior category do?

A

-Exploitation Behavior Prevention IOAs involve blocking activities that occur immediately after the initial exploitation of an application.

38
Q

What does the Ransomware category do?

A

-Backup deletion, Cryptowall, File Encryption, File System Access

39
Q

What does the Firmware category do?

A

-BIOS Deep Visibility: Visibility into BIOS – detect suspicious and unexpected images.

40
Q

How to enable or disable prevention settings?

A

In the prevention policy settings page, select Enable all or select a row to configure > Save > Confirm

41
Q

Which precedence will the CS Cloud give to different policies to resolve conflicts?

A
  • Cloud will automatically apply policy with the higher precedence.
42
Q

If a host is not a part of any groups, or the groups it belongs to have no policies assigned, it is automatically assigned a….

A
  • default policy
43
Q

What is the exception for a sensor being assigned a default policy?

A

The sensor is already set to a targeted policy

44
Q

Define prevention policies

A

-What activity will trigger detections and preventions on your hosts

45
Q

What are phase 1 prevention policies?

A

-Prevention policies that are intended to be used by customers setting up Falcon for the first time.

46
Q

What are the characteristics of the phase 1 prevention policy?

A

-Part of a rapid deployment phase
*to be used with an existing antivirus and/or HIPS suite

-Does not fully protect

-Use for the minimum time required
*used for apps to execute, while triaging detections and allowlist false positives

47
Q

How to adjust policy precedence?

A

Prevention policies page > toggle Edit precedence on > click the arrows to arrange the order of your policies > Save

48
Q

How long should it take you to get into establishing prevention policies phase 3?

A

-Within 90 days

49
Q

How long should it take to complete full sensor deployment and establish phase 2 settings?

A

-No more than 45 days