Deploying Endpoint Detection and Response (EDR) Policy

Table of Contents

  1. General Settings
  2. Backup Settings
  3. Network Isolation Settings
  4. Anti-Ransomware Settings
    1. Ransomware Detection Engine
    2. Exfiltration Detection Engine
  5. Next-Gen Antivirus Settings
    1. DeepAV - Deep Learning based Antivirus
    2. Behavior Detection Engine
    3. Credential Hardening
    4. Anti-Malware Scan Interface
  6. Define Target
  7. Priority Order

To deploy a policy, navigate to Policy -> Add Target Policy.

Enter a name and description for the policy.

[Screenshot: Policy Name and Description]

General Settings:

User Endpoint Notifications:

  • Enabled: Users receive direct alerts on their endpoints for immediate action.
  • Disabled: No notifications are shown to users. Threats are still detected and blocked, but users are not alerted.

Server OS Protection:

  • Enabled: Applies the configured policy to Server OS endpoints (Windows Server, Linux Server) in the Custom Group, providing protection for server infrastructure.
  • Disabled: The policy only applies to workstation/desktop endpoints. Server operating systems are excluded from this policy's scope.

Keep Quarantined Files For:

  • Specifies the duration for which quarantined files are retained before automatic deletion.

[Screenshot: General Settings]

Backup Settings:

System Backup Creation:

  • Enabled: Enables the automatic creation of system backups; recommended to keep this setting enabled.
  • Disabled: No automatic backups are created. Not recommended unless backups are managed by another system.

Allocated Backup Storage:

  • Reserves the specified percentage of disk space exclusively for storing backups.

Backup Interval:

  • Defines how frequently backups should be created (in minutes).

[Screenshot: Backup Settings]

Network Isolation Settings:

Allowed IPs:

  • Specifies IP addresses that are permitted to communicate with isolated endpoints during network isolation.

Allowed Domains:

  • Specifies domain names that isolated endpoints are permitted to access during network isolation.

[Screenshot: Network Isolation Settings]
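The two lists above define an allow-list for an isolated endpoint: anything not matching an allowed IP or domain is cut off. The following Python is an added illustration of that evaluation, not the product's own code. It assumes that Allowed IPs entries may be single addresses or CIDR ranges and that an Allowed Domains entry also covers its subdomains; the policy values and destinations are constructed samples.

```python
"""Evaluate whether an isolated endpoint's connection is permitted.

Added illustration (not the vendor's code) of the Allowed IPs / Allowed
Domains lists from the Network Isolation settings. Assumptions: IP entries
may be addresses or CIDR ranges; a domain entry covers itself and subdomains.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class IsolationPolicy:
    allowed_ips: list = field(default_factory=list)
    allowed_domains: list = field(default_factory=list)

    def _networks(self):
        for entry in self.allowed_ips:
            # ip_network accepts both "10.0.0.5" and "10.0.0.0/24"
            yield ipaddress.ip_network(entry.strip(), strict=False)

    def ip_allowed(self, address: str) -> bool:
        """True if the destination IP falls inside any allowed address or range."""
        addr = ipaddress.ip_address(address.strip())
        return any(addr in net for net in self._networks())

    def domain_allowed(self, hostname: str) -> bool:
        """True if the hostname equals an allowed domain or is a subdomain of one."""
        host = hostname.strip().rstrip(".").lower()
        for entry in self.allowed_domains:
            dom = entry.strip().rstrip(".").lower()
            # Require a dot boundary so "evil-edr.example.com" does not match "edr.example.com"
            if host == dom or host.endswith("." + dom):
                return True
        return False

    def connection_allowed(self, destination: str) -> bool:
        """Decide for either an IP literal or a hostname."""
        try:
            ipaddress.ip_address(destination.strip())
        except ValueError:
            return self.domain_allowed(destination)
        return self.ip_allowed(destination)


def evaluate(policy: IsolationPolicy, destinations) -> dict:
    """Return {destination: allowed?} for a batch of connection attempts."""
    return {d: policy.connection_allowed(d) for d in destinations}


# Constructed sample policy and connection attempts (not real infrastructure).
SAMPLE_POLICY = IsolationPolicy(
    allowed_ips=["10.10.5.20", "192.0.2.0/24"],
    allowed_domains=["edr.example.com", "updates.example.net"],
)
SAMPLE_DESTINATIONS = [
    "10.10.5.20",             # the management server an isolated host must still reach
    "192.0.2.77",             # inside an allowed range
    "203.0.113.9",            # not allowed
    "agent.edr.example.com",  # subdomain of an allowed domain
    "evil-edr.example.com",   # similar-looking name, not a subdomain
    "updates.example.net",
]

if __name__ == "__main__":
    for dest, ok in evaluate(SAMPLE_POLICY, SAMPLE_DESTINATIONS).items():
        print(f"{'ALLOW' if ok else 'BLOCK':5} {dest}")
```

When filling in the lists, always include the EDR management server itself; an isolated endpoint that cannot reach the console can no longer receive a release-from-isolation command.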

Anti-Ransomware Settings:

Anti-Ransomware policies are crucial for safeguarding an organization's data against encryption-based cyber threats. These policies help mitigate ransomware attacks by enabling proactive threat detection and ensuring secure data backups, allowing for swift recovery in case of an incident.

Ransomware Detection Engine

Prevention Policy:

  • Audit Only: Detects ransomware incidents and raises alerts without taking any blocking action. This mode is ideal for initial deployment and testing, allowing security teams to analyze detection patterns and fine-tune policies before enforcement.
  • Kill Process: Blocks the execution of malicious processes by intercepting them before they can run and quarantines the endpoint from the network.

Detection Sensitivity:

  • Standard: Uses balanced detection thresholds that minimize false positives while catching known ransomware variants. Suitable for environments where business continuity is critical and interruptions from false detections must be avoided. May miss some zero-day or sophisticated ransomware variants.
  • Aggressive: Employs heightened detection thresholds that catch even subtle indicators of ransomware activity, including new and unknown variants. This mode may generate more false positives but provides stronger protection against emerging threats. Recommended for high-security environments or during active threat campaigns.

Decoy File Deployment:

  • Enabled: Deploys hidden decoy (honeypot) files strategically across the file system. These files act as tripwires—when ransomware attempts to encrypt them, the engine immediately detects the attack, often before legitimate files are affected. This provides early warning and faster response times.
  • Disabled: No decoy files are deployed. Detection relies solely on behavioral analysis of running processes. This may be preferred in environments where decoy files could interfere with specific applications or file integrity monitoring systems.

[Screenshot: Ransomware Detection Engine]
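To make the decoy-file tripwire concrete, here is an added Python illustration of the principle (it is not the product's engine): seed files that no legitimate process should touch, record their fingerprints, and treat any change as a detection. The decoy names, the random-content scheme and the tampering step are constructed for the demonstration; a real engine hooks file-system activity in real time rather than polling a baseline.

```python
"""Decoy-file tripwire: deploy honeypot files and detect tampering.

Added illustration, not the vendor's engine. Shows the idea behind
"Decoy File Deployment": untouched decoys are silent, any modification,
deletion or rename of one is an early-warning signal.
Assumptions: decoy names and contents are invented; polling stands in for
the real-time file-system hooks a production engine uses.
"""
import hashlib
import secrets
import tempfile
from pathlib import Path

# Constructed decoy names chosen to look like ordinary user files.
DECOY_NAMES = ["~$budget_backup.xlsx", ".cache_index.db", "passwords_old.txt"]


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def deploy_decoys(root: Path, names=DECOY_NAMES) -> dict:
    """Write decoy files under root and return {path: sha256} as the baseline."""
    baseline = {}
    for name in names:
        p = root / name
        p.write_bytes(secrets.token_bytes(512))  # random bytes: no real data at risk
        baseline[str(p)] = sha256_of(p)
    return baseline


def check_decoys(baseline: dict) -> list:
    """Compare each decoy against its baseline and return tripwire alerts."""
    alerts = []
    for path_str, expected in baseline.items():
        p = Path(path_str)
        if not p.exists():
            # A renamed decoy (e.g. given a new extension) also surfaces here.
            alerts.append({"path": path_str, "event": "deleted"})
        elif sha256_of(p) != expected:
            alerts.append({"path": path_str, "event": "modified"})
    return alerts


def tamper_with(path: Path) -> None:
    """Simulate an unexpected write: replace the content with unrelated bytes."""
    path.write_bytes(secrets.token_bytes(len(path.read_bytes())))


def demo(action="modify", workdir=None) -> list:
    """Deploy decoys, apply one action ("modify" or "delete") to the first, return alerts."""
    if workdir is None:
        with tempfile.TemporaryDirectory() as d:
            return demo(action, Path(d))
    baseline = deploy_decoys(workdir)
    if check_decoys(baseline):
        raise RuntimeError("untouched decoys must not raise alerts")
    victim = workdir / DECOY_NAMES[0]
    if action == "modify":
        tamper_with(victim)
    elif action == "delete":
        victim.unlink()
    return check_decoys(baseline)


if __name__ == "__main__":
    for alert in demo("modify") + demo("delete"):
        print("TRIPWIRE", alert)
```

The same baseline-and-compare logic is also why decoys can collide with file integrity monitoring: an FIM agent will flag the decoys as unexpected files, so either exclude the decoy paths there or keep the setting disabled on those hosts, as the Disabled option notes.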

Exfiltration Detection Engine

Prevention Policy:

  • Audit Only: Detects data exfiltration attempts and raises alerts without blocking them. Useful for understanding normal data flow patterns in your environment and identifying potential data leakage risks.
  • Kill Process: Blocks the execution of processes attempting unauthorized data exfiltration by intercepting them before they can run and quarantines the endpoint from the network.

[Screenshot: Exfiltration Detection Engine]

Next-Gen Antivirus Settings:

DeepAV - Deep Learning based Antivirus

DeepAV uses advanced deep learning neural networks to analyze file structures, code patterns, and binary characteristics. Unlike traditional signature-based antivirus that relies on known malware databases, DeepAV can identify both known and previously unseen (zero-day) malware by recognizing malicious patterns learned from millions of samples.

Detection Trigger:

  • On Execute: The file from which a process is being created is scanned whenever that process starts. This trigger is always active and cannot be disabled.
  • On DLL Load: A Dynamic Link Library (DLL) is scanned at the moment a process loads it.
  • On Write: Files are analyzed as they are written, so threats are identified and blocked before they can execute. This trigger fires when a file is downloaded through a web browser or when it is copied or moved, whether from within the system or from outside it.

Prevention Policy:

  • Audit Only: Detects malware and raises alerts without blocking or quarantining it.
  • Kill Process: Blocks the execution of malicious processes by intercepting them before they can run and quarantines the endpoint from the network.

[Screenshot: DeepAV - Deep Learning based Antivirus]

Behavior Detection Engine

The Behavior Detection Engine monitors running processes in real-time, analyzing their actions against predefined threat behavior rules. Instead of scanning files for known signatures, it watches what programs actually do—detecting suspicious activities like unauthorized registry modifications, process injection, privilege escalation attempts, or communication with command-and-control servers. This behavioral approach catches zero-day threats and fileless malware that evade traditional detection.

Prevention Policy:

  • Audit Only: Detects malicious behavior and raises alerts without taking any blocking action.
  • Kill Process: Blocks the execution of malicious processes by intercepting them before they can run and quarantines the endpoint from the network.

[Screenshot: Behavior Detection Engine]

Credential Hardening

Credential Hardening protects authentication credentials stored on endpoints from theft and misuse. Attackers commonly target credentials stored in memory (LSASS), Windows credential stores (SAM database), browser password managers, and cached tokens. This module prevents credential dumping attacks used in lateral movement, pass-the-hash, and privilege escalation techniques commonly employed in advanced persistent threats (APTs).

Credential Hardening:

  • Audit Only: Detects credential theft attempts and raises alerts without blocking them.
  • Kill Process: Blocks the execution of processes attempting to harvest or steal credentials by intercepting them before they can run and quarantines the endpoint from the network.

LSASS Protection (RunAsPPL) prevents unauthorized access to the Local Security Authority Subsystem Service (LSASS) process, which is responsible for enforcing security policies and storing sensitive credentials.

LSASS Protection (RunAsPPL):

  • Enabled: Restricts DLLs and other processes from accessing LSASS memory.
  • Disabled: Allows DLLs and other processes to access LSASS memory, increasing the risk of credential theft.

[Screenshot: Credential Hardening]

Note: When RunAsPPL is enabled, unsigned DLLs cannot access LSASS. This may affect environments with custom IAM solutions. It is recommended to test this setting in a staging environment before deploying it in production.
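For the staging test the note recommends, it helps to confirm the setting independently of the console, both the configured state and the running state, since the registry value only takes effect after a reboot. The Python below is an added example, not vendor code. The registry path and value name are Microsoft's documented location for LSA protection; the value interpretation (0 or absent = off, 1 or 2 = on) and the Wininit event ID 12 text follow Microsoft's documentation. The event message used in the sample is constructed.

```python
"""Verify LSA protection (RunAsPPL) on a Windows endpoint before/after policy rollout.

Added illustration, not the vendor's code. Two independent checks:
  1. configured state: HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\RunAsPPL
  2. running state: System log, provider Microsoft-Windows-Wininit, event ID 12
     ("LSASS.exe was started as a protected process with level: N"),
     e.g. via Get-WinEvent -FilterHashtable @{LogName='System';
     ProviderName='Microsoft-Windows-Wininit'; Id=12}
Assumption: value interpretation per Microsoft docs (0/absent off, 1 or 2 on).
"""
import platform
import re

LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"
VALUE_NAME = "RunAsPPL"


def interpret_runasppl(value):
    """Map the raw registry value to a human-readable configured state."""
    if value is None or value == 0:
        return "disabled"
    if value in (1, 2):
        return "enabled"
    return f"unknown value {value!r}"


def read_runasppl():
    """Read RunAsPPL from the registry; None when absent or not running on Windows."""
    if platform.system() != "Windows":
        return None
    import winreg  # only available on Windows
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LSA_KEY) as key:
            value, _type = winreg.QueryValueEx(key, VALUE_NAME)
            return value
    except FileNotFoundError:
        return None


def lsass_protection_level(event_message: str):
    """Extract the protection level from a Wininit event ID 12 message, or None."""
    m = re.search(r"started as a protected process with level:\s*(\d+)", event_message)
    return int(m.group(1)) if m else None


def staging_verdict(registry_value, event_message):
    """Combine configured and running state into one result for the test report."""
    configured = interpret_runasppl(registry_value)
    level = lsass_protection_level(event_message or "")
    running = level is not None and level > 0
    if configured == "enabled" and running:
        status = "protected"
    elif configured == "enabled" and not running:
        status = "configured, reboot pending"
    elif configured == "disabled" and running:
        status = "running protected despite registry (check other enforcement)"
    else:
        status = "unprotected"
    return {"configured": configured, "running_level": level, "status": status}


# Constructed sample event text, shaped like the documented Wininit event 12 message.
SAMPLE_EVENT_12 = "LSASS.exe was started as a protected process with level: 4"

if __name__ == "__main__":
    print(staging_verdict(read_runasppl(), None))
```

Run it on the staging endpoints before the policy is applied and again after the post-policy reboot; an endpoint that stays at "configured, reboot pending" is the one most likely to be reported as protected by the console while still exposing LSASS until it restarts.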

Anti-Malware Scan Interface

Anti-Malware Scan Interface is a Windows security framework that allows applications to request malware scans of content at runtime. This module integrates with AMSI to inspect scripts (PowerShell, VBScript, JavaScript, Office macros) and dynamically-loaded code before execution. It is particularly effective against fileless malware, obfuscated scripts, and living-off-the-land attacks that abuse legitimate system tools.

Prevention Policy:

  • Audit Only: Detects malicious script content and raises alerts without blocking execution.
  • Kill Process: Blocks the execution of malicious script content by intercepting it before it can run and quarantines the endpoint from the network.

[Screenshot: Anti-Malware Scan Interface]

Define Target:

Target Groups:

  • Select the Custom Group to which the policy should be applied.

[Screenshot: Define Target]

Click Deploy to apply the policy to the selected target computers.

Priority Order:

Priority Order determines which policy takes precedence when multiple policies are assigned to the same target and have conflicting settings. It establishes a clear hierarchy among policies to resolve conflicts predictably.

Managing Priority Order:

  1. Navigate to Policy -> Priority Order.
  2. Move the policy that should take precedence toward the top of the list.
  3. Click Save to apply the changes.

[Screenshot: Priority Order]
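The following Python is an added illustration of how a priority list resolves conflicts; it is not the product's own merge logic. It assumes that the list order mirrors the Priority Order screen (top = highest priority) and that each setting takes its value from the highest-priority policy assigned to the target that defines it. The policy names, target groups and setting keys are constructed.

```python
"""Resolve conflicting policy settings by priority order.

Added illustration, not the vendor's logic. Assumptions: list order = the
Priority Order screen with the top entry first; a setting's effective value
comes from the highest-priority policy assigned to the target that defines
it. All names, groups and setting keys below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Policy:
    name: str
    targets: set
    settings: dict = field(default_factory=dict)


def effective_settings(priority_order, target_group):
    """Merge the settings of every policy assigned to target_group, top entry first.

    Returns (effective, provenance); provenance maps each setting to the
    policy name that supplied its value, which is what you want in an audit.
    """
    effective, provenance = {}, {}
    for policy in priority_order:                # highest priority first
        if target_group not in policy.targets:
            continue
        for key, value in policy.settings.items():
            if key not in effective:             # first writer wins
                effective[key] = value
                provenance[key] = policy.name
    return effective, provenance


def conflicts(priority_order, target_group):
    """List settings where a lower-priority policy disagrees with the effective value."""
    effective, provenance = effective_settings(priority_order, target_group)
    out = []
    for policy in priority_order:
        if target_group not in policy.targets:
            continue
        for key, value in policy.settings.items():
            if effective[key] != value:
                out.append({"setting": key, "overridden_policy": policy.name,
                            "overridden_value": value, "winner": provenance[key],
                            "effective": effective[key]})
    return out


# Constructed example: an organisation-wide baseline plus a tighter finance policy.
FINANCE_HARDENED = Policy(
    "Finance-Hardened", {"Finance-Workstations"},
    {"ransomware.prevention": "Kill Process",
     "ransomware.sensitivity": "Aggressive",
     "credential.runasppl": True},
)
BASELINE = Policy(
    "Baseline-All", {"Finance-Workstations", "Engineering-Workstations"},
    {"ransomware.prevention": "Audit Only",
     "ransomware.sensitivity": "Standard",
     "deepav.prevention": "Kill Process",
     "credential.runasppl": False},
)
PRIORITY_ORDER = [FINANCE_HARDENED, BASELINE]   # hardened policy moved to the top

if __name__ == "__main__":
    for group in ("Finance-Workstations", "Engineering-Workstations"):
        eff, src = effective_settings(PRIORITY_ORDER, group)
        print(group)
        for k in sorted(eff):
            print(f"  {k:24} = {eff[k]!s:12} (from {src[k]})")
        for c in conflicts(PRIORITY_ORDER, group):
            print("  overridden:", c["setting"], "in", c["overridden_policy"])
```

Reviewing the `conflicts` output before clicking Save is the practical use: it shows exactly which settings of the lower-priority policy stop applying to the shared target, so a baseline "Kill Process" is not silently downgraded to "Audit Only" by a test policy left at the top of the list.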