Detection Engine

In the ever-evolving landscape of cybersecurity, detection engines stand as vigilant sentinels, tirelessly scanning for threats to our digital assets. At its core, a detection engine is a software component that analyzes data, identifies anomalies or suspicious patterns, and triggers alerts or actions based on predefined rules or machine learning models. Detection engines operate on the fundamental principle of identifying deviations from normal behavior.

To configure the detection engine settings in detail, navigate to the Settings tab and click 'Detection Settings'.

This document explains the three core detection engines employed by ManageEngine Endpoint Central Malware Protection and their significance during policy configuration. Understanding these engines empowers you to tailor your policies for optimal protection.

In this section:

  1. Ransomware Detection Engine
  2. Data Exfiltration Detection Engine
  3. DeepAV Engine
  4. Behavior Detection Engine

Ransomware Detection Engine

Ransomware often operates stealthily, lying dormant until it encrypts files or blocks system access. The end users are frequently unaware of the infection until confronted with a ransom demand or the loss of their data. By detecting ransomware early, before it causes significant damage, individuals and organizations can proactively respond and potentially prevent irreversible data loss.

Designed specifically to counter ransomware attacks, the Ransomware Detection engine utilizes a proactive defense strategy as follows:

  1. Decoy File Monitoring: Strategically places decoy files throughout your system to attract ransomware attempts. When ransomware tries to encrypt these files, an immediate alert is triggered, allowing for prompt response.
  2. Behavior Monitoring: Detects suspicious file encryption patterns indicative of ransomware attacks.
  3. Patented Technology: Ensures less than one percent false positive alerts, minimizing alert fatigue and maximizing efficiency.
  4. Minimizes False Positives: Users can configure ransomware exceptions by defining exclusions for specific folders or applications to prevent false positives with legitimate processes.
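To make the decoy-file mechanism from items 1 and 2 concrete, here is an added illustration (not Endpoint Central's own code, whose internals the page does not describe). It plants a few decoy files with a known content hash, then checks whether any decoy has been deleted or modified, and flags modified decoys whose new content has the high byte entropy typical of encrypted data. The decoy names, the hypothetical content, and the entropy threshold of 7.0 bits per byte are assumptions chosen for the example.

```python
import hashlib
import math
import os
import secrets
import tempfile

# Constructed decoy content: ordinary, low-entropy text a file-encrypting
# process would be expected to overwrite.
DECOY_CONTENT = b"QUARTERLY REPORT - CONFIDENTIAL - DO NOT DISTRIBUTE\n" * 64

# Assumption: 7.0 bits/byte separates encrypted or compressed data from text.
HIGH_ENTROPY_THRESHOLD = 7.0


def plant_decoys(root, names=("~report.docx", "backup.xlsx", "notes.txt")):
    """Write decoy files under `root` and return {path: sha256} as the baseline."""
    index = {}
    for name in names:
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(DECOY_CONTENT)
        index[path] = hashlib.sha256(DECOY_CONTENT).hexdigest()
    return index


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def check_decoys(index):
    """Return (path, reason) for every decoy that no longer matches its baseline."""
    alerts = []
    for path, expected_hash in index.items():
        if not os.path.exists(path):
            alerts.append((path, "decoy deleted or renamed"))
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if hashlib.sha256(data).hexdigest() != expected_hash:
            reason = "decoy modified"
            if shannon_entropy(data) > HIGH_ENTROPY_THRESHOLD:
                reason += ", new content is high-entropy (consistent with encryption)"
            alerts.append((path, reason))
    return alerts


def demo():
    """Plant decoys, confirm a clean check, overwrite one with random bytes, re-check."""
    with tempfile.TemporaryDirectory() as root:
        index = plant_decoys(root)
        clean = check_decoys(index)          # expected: no alerts
        victim = sorted(index)[0]
        with open(victim, "wb") as fh:       # stand-in for an unauthorized rewrite
            fh.write(secrets.token_bytes(4096))
        return clean, check_decoys(index)


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after:", after)
```

In a real deployment the check would be driven by a file-system change notification rather than polling, and the decoy paths would be excluded from backup and indexing jobs so that legitimate tools do not touch them; that is the same concern item 4's folder and application exclusions address.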

Data Exfiltration Detection Engine

The Data Exfiltration Engine is designed to identify and prevent unauthorized transfer of sensitive data from endpoints to external or malicious domains. Data exfiltration often occurs silently, with attackers disguising their activity as normal network traffic. By detecting unusual upload behavior early, organizations can intervene before critical information is exposed or compromised.

The Data Exfiltration Engine employs an anomaly-based machine learning approach with the following capabilities and configurations:

  • Anomaly-based Detection: Utilizes machine learning to identify abnormal file upload patterns that deviate from normal network activity.
  • Adaptive Learning: Undergoes an initial training period of 3–10 days to establish a baseline of regular data transfer behavior across the network.
  • Continuous Monitoring: After training, continuously monitors for deviations that may indicate data exfiltration attempts.
  • Periodic Model Updates: Automatically retrains every two weeks to adapt to evolving network behavior and maintain detection accuracy.
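The bullets above describe a baseline-then-deviate model: learn normal upload volume per host during a training window, flag days that fall far outside it, and periodically retrain. The following added example (not the product's own model, whose algorithm the page does not disclose) implements that loop with a simple per-host z-score over daily upload totals. The sample records, the 7-day training window, the 3-sigma threshold and the 5% minimum-spread floor are all constructed assumptions for the example.

```python
import statistics
from collections import defaultdict

TRAINING_DAYS = 7          # the page gives a 3-10 day training period; 7 assumed here
RETRAIN_EVERY = 14         # the page states retraining every two weeks
Z_THRESHOLD = 3.0          # assumption: alert when a day exceeds baseline by 3 std devs
MIN_STDEV_FRACTION = 0.05  # assumption: floor on spread so a steady host is not over-sensitive

# Constructed sample: (day, host, megabytes uploaded to external destinations).
# ws-01 is steady at ~50 MB/day and then uploads 2000 MB on day 9.
SAMPLE_RECORDS = [
    (1, "ws-01", 48), (2, "ws-01", 52), (3, "ws-01", 50), (4, "ws-01", 49),
    (5, "ws-01", 51), (6, "ws-01", 50), (7, "ws-01", 50), (8, "ws-01", 51),
    (9, "ws-01", 2000), (10, "ws-01", 50),
    (1, "ws-02", 120), (2, "ws-02", 80), (3, "ws-02", 100), (4, "ws-02", 140),
    (5, "ws-02", 90), (6, "ws-02", 110), (7, "ws-02", 100), (8, "ws-02", 95),
    (9, "ws-02", 150), (10, "ws-02", 105),
]


def daily_totals(records):
    """Aggregate records into {host: {day: megabytes}}."""
    totals = defaultdict(lambda: defaultdict(float))
    for day, host, mb in records:
        totals[host][day] += mb
    return totals


def build_baseline(totals, days_by_host):
    """Per-host (mean, stdev) of daily upload volume over that host's training days."""
    baseline = {}
    for host, per_day in totals.items():
        days = days_by_host.get(host, [])
        if not days:
            continue
        samples = [per_day.get(d, 0.0) for d in days]  # a silent day counts as 0 MB
        mean = statistics.fmean(samples)
        stdev = statistics.pstdev(samples) if len(samples) > 1 else 0.0
        baseline[host] = (mean, max(stdev, MIN_STDEV_FRACTION * mean))
    return baseline


def zscore(baseline, host, mb):
    """How many standard deviations `mb` sits above the host's baseline."""
    mean, stdev = baseline.get(host, (0.0, 0.0))
    if stdev == 0.0:
        return float("inf") if mb > mean else 0.0
    return (mb - mean) / stdev


def detect(records):
    """Train on the first TRAINING_DAYS, then score each later day; retrain every RETRAIN_EVERY days."""
    totals = daily_totals(records)
    last_day = max(day for day, _, _ in records)
    training = list(range(1, TRAINING_DAYS + 1))
    # Days that scored clean, per host; flagged days are kept out of later retraining
    # so that a sustained exfiltration cannot teach the model that it is normal.
    clean_days = {host: list(training) for host in totals}
    baseline = build_baseline(totals, clean_days)
    alerts = []
    for day in range(TRAINING_DAYS + 1, last_day + 1):
        for host, per_day in totals.items():
            if day not in per_day:
                continue
            z = zscore(baseline, host, per_day[day])
            if z > Z_THRESHOLD:
                alerts.append((day, host, round(per_day[day], 1), round(z, 1)))
            else:
                clean_days[host].append(day)
        if (day - TRAINING_DAYS) % RETRAIN_EVERY == 0:
            recent = {h: d[-TRAINING_DAYS:] for h, d in clean_days.items()}
            baseline = build_baseline(totals, recent)
    return alerts


if __name__ == "__main__":
    for day, host, mb, z in detect(SAMPLE_RECORDS):
        print(f"day {day}: {host} uploaded {mb} MB (z = {z})")
```

With the constructed records only ws-01's day-9 spike is flagged; ws-02's day-9 value of 150 MB is inside its wider normal range, which is the point of a per-host rather than a global threshold. The sample ends before the first two-week retrain, but the retraining path runs the same `build_baseline` over each host's most recent clean days.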

DeepAV Engine

Leveraging the power of deep learning, the DeepAV Engine provides advanced malware detection capabilities. The major features and policy configurations are as follows:

  1. Advanced Malware Detection: Combines deep learning-based neural networks and machine learning (ML) for fast and accurate detection of malware families.
  2. Manage Exclusions: You can exclude specific folders or applications from the DeepAV engine to optimize performance and minimize resource usage. Depending on your risk tolerance, you can configure the DeepAV engine's sensitivity level to balance threat detection against potential false positives.

Behavior Detection Engine

The Behavior Detection Engine operates by continuously monitoring application behavior for suspicious activities that suggest a potential malware threat. The following are the main features and policy configurations:

  1. Real-time Monitoring: Tracks programs that deviate from their typical behavior patterns and exhibit suspicious activities.
  2. Behavior-based Allowlisting: Users can enhance the engine's precision by creating an allowlist of trusted applications, preventing them from triggering false positives during behavior monitoring.
