Control Host Sensor Actions

Threat Detection and Response (TDR) includes several features that work together to control the actions an installed Host Sensor can take on a host.

For recommendations and best practices, see TDR Deployment Best Practices.

Host Sensor Settings

Global Host Sensor settings are configured with recommended values by default. You can also configure Host Sensor settings for a group to override the global Host Sensor settings. The Host Ransomware Prevention Mode applies to Windows Host Sensors. When configured in Prevent mode, Windows Host Sensors take automatic action to prevent ransomware, even if the host is not connected to the Internet or cannot communicate with your TDR account.

For information about Host Ransomware Prevention, see About TDR Host Ransomware Prevention.

For information about how to configure global Host Sensor settings, see Configure TDR Host Sensor Settings.

For information about how to configure Host Sensor settings for a group that take precedence over the global settings, see Manage TDR Groups.


Policies define the actions that a Host Sensor can take automatically based on a CYBERCON threshold and a Threat Score threshold. You can configure policies for individual hosts or groups.

For information about how configure policies for TDR, see Configure TDR Policies.

For information about Threat Scores, see About TDR Threat Scores.


The CYBERCON level specifies which of the configured policies are active.

For information about CYBERCON levels, see About TDR Cybercon Levels


Containment shuts down network connections on a specific host so that threats cannot spread through the network. Hosts can be contained manually or contained automatically based on a containment policy. Containment exceptions specify the network traffic that is allowed when a host is contained.

For more information about containment, see Configure TDR Containment.


An exclusion identifies a path that you want all Host Sensors to ignore for file and process events. When you add an exclusion, Host Sensors ignore any events created by a file or process that originate from the specified directory. You can also include all subdirectories in the exclusion.

For more information about Exclusions, see Configure TDR Exclusions.

Signature Overrides

You can also configure TDR signature overrides. Signature overrides do not affect which files are scanned by TDR, but they do affect how ThreatSync assigns a score to an event that is reported by a Host Sensor. When you add a signature override, you specify the MD5 values of a file or process and then specify whether to treat the file as safe (on the Allowlist) or malicious.

For more information, see Configure TDR Signature Overrides.