Intercept-X v2 - Enable Disable Protection

Hi Karl & Team,

I thought this question might be of general interest.

What is the plan about the green/grey "on-off" buttons which can turn off specific protection features for up to 4 hours in the Intercept-X agent setting tab?

Will there be a new on/off button for ML-Detections?

Will there be an individual on/off button for "Active Adversary" protection features?

Thanks.
Yannick

  • We will not have local override on the EP for ML or Active Adversary when tamper protection is disabled.

    There will be a policy control for ML in Central that can be turned on/off.

    To disable Active Adversary protections you need to disable the exploit protections in Central.

    As a general practice we would like customers to leave the protections enabled and use the suppression mechanisms to address false positive detections.
    - For ML that is the global "allowed applications".
         - You add an application to the allowed application list from the detection event during EAP.
    - For Active Adversary/Exploits in general, suppression/exclusion is through Scanning exclusions in the policy for detected exploit activity. This is a narrow suppression of the specific technique detected for the application, so other applications are still protected from the technique and other techniques are still monitored for in the application.