Control Host Sensor Actions

Threat Detection and Response (TDR) includes several features that work together to control the actions an installed Host Sensor can take on a host.

Host Sensor Settings

Host Sensor settings control the behavior of the Host Sensor.

To configure the Host Sensor settings, select the Host Ransomware Prevention Mode:

  • Off
  • Prevent
  • Detect

If you select Prevent, the Host Sensor takes automatic action to prevent ransomware, even if the host is not connected to the Internet or cannot communicate with your TDR account. For more information, see Host Ransomware Prevention.

A TDR user must have Administrator credentials to configure the global Host Sensor settings. A TDR user must have Operator credentials to configure Host Sensor settings in a group that take precedence over the global Host Sensor settings.

For information about how to configure global Host Sensor settings, see Configure TDR Host Sensor Settings.

For information about how to configure Host Sensor settings for a group that take precedence over the global settings, see Manage TDR Groups.

Policies

Policies define the actions that a Host Sensor can take automatically based on a CYBERCON threshold and a Threat Score threshold. You can configure policies for individual hosts or groups.

For information about how to configure policies for TDR, see Configure TDR Policies.

For information about Threat Scores, see About TDR Threat Scores.

CYBERCON Level

The CYBERCON level specifies which of the configured policies are active.

For information about CYBERCON levels, see About TDR CYBERCON Levels.

Exclusions

An exclusion identifies a path that you want all Host Sensors to ignore for file and process events. When you add an exclusion, Host Sensors ignore any events created by a file or process that originates from the specified directory. You can also include all subdirectories in the exclusion.

For more information about Exclusions, see Configure TDR Exclusions.

Signature Overrides

You can also configure TDR signature overrides. Signature overrides do not affect which files are scanned by TDR, but they do affect how ThreatSync assigns a score to an event that is reported by a Host Sensor. When you add a signature override, you specify the MD5 values of a file or process and then specify whether to treat the file as safe (on the Whitelist) or malicious.

For more information, see Configure TDR Signature Overrides.
