How to safeguard Endpoint Prevention

Endpoint Prevention availability

Endpoint Prevention is available to Managed Detection and Response and Managed Threat Complete customers who also have the Next-Generation Antivirus or Ransomware Prevention add-ons.

Security settings for Next-Generation Antivirus

Windows-only feature

Tamper Protection and Password Protection are currently only available for assets running Windows operating systems.

Attackers often attempt to tamper with endpoint security solutions, so that they can freely perform malicious activities without being detected.

The Tamper Protection engine contains rules that protect the Next-Generation Antivirus add-on component of the Insight Agent, thereby protecting your assets continuously. When Tamper Protection is turned on, it prevents malware and bad actors from tampering with the files and functionality of Next-Generation Antivirus. It also offers the option of turning on Password Protection.

Using a one-time passcode (OTP) or a fixed password allows you to limit the users who can update, stop, or uninstall the Next-Generation Antivirus add-on. You can activate password protection at both the organizational level and for individual prevention groups that require extra security.

Types of password protection

You may find that you are unsure when to choose between a one-time passcode and a fixed password. Use this guidance to help you make the right decision and provide maximum protection for your assets:

  • One-Time Passcode (recommended) - After you enable Password Protection, the system begins generating a passcode at regular intervals. This passcode can be viewed and used for a limited amount of time to update, stop, or uninstall Next-Generation Antivirus (see the steps for setting the validation window). After the passcode expires, a newly generated passcode can be used. This passcode is valid even when the machine is disconnected from the Insight Platform.
  • Fixed Password - In addition to the one-time passcode, you can set an optional, fixed password. Having a fixed password is useful when you want to update your Insight Agents or uninstall them, because these tasks can take some time to complete and the OTP becomes impractical. You can use a fixed password across the entire organization, which covers all prevention groups, or you can specify a password for individual prevention groups, which will override the central password. This is useful in situations where your organization has a large number of prevention groups and multiple group administrators, because each admin can use a specific password to manage the groups that are assigned to them.

Password Protection is dependent on Tamper Protection being active

Password Protection can be enabled and configured only when Tamper Protection is turned on.

How to turn Tamper Protection on or off

Tamper Protection is enabled by default, both at the organizational level and for any newly created prevention group. For continuous protection from attacks, it is recommended that you keep it enabled. However, there are some situations where you might need to turn it off.

To turn Tamper Protection on or off:

  1. Click Data Collection > Agents.
  2. Click Endpoint Prevention and select Security Settings in the left navigation.
  3. Turn the Tamper Protection toggle on or off.

Tamper Protection actively protects all of the prevention groups in your organization. However, if you decide that one or more prevention groups require no protection, you can turn it off.

To turn Tamper Protection on or off for a prevention group:

  1. Click Data Collection > Agents.
  2. Select Endpoint Prevention > Prevention Groups.
  3. Select the prevention group you want to modify.
  4. Select Security Details in the left navigation.
  5. Turn the Tamper Protection for Windows toggle on or off.

Tamper Protection works in Active Prevention mode only

For Tamper Protection to be effective, ensure that the activation mode is set to Active Prevention. Read more about activation modes.

How to turn Password Protection on or off

Password protection ensures that users cannot update, stop, or uninstall Next-Generation Antivirus without either a passcode or a password.

Password protection is disabled by default and must be switched on before you can use it.

You can apply password protection to the entire organization or set a specific password on an individual prevention group.

To turn password protection on or off:

  1. Click Data Collection > Agents.
  2. Click Endpoint Prevention and select Security Settings in the left navigation.
  3. Ensure that the Tamper Protection toggle is turned on.
  4. Turn the Password Protection toggle on or off.

To turn password protection on or off for a prevention group:

  1. Click Data Collection > Agents.
  2. Select Endpoint Prevention > Prevention Groups.
  3. Select the prevention group you want to modify.
  4. Select Security Details in the left navigation.
  5. Ensure that the Tamper Protection toggle is turned on.
  6. Turn the Password Protection toggle on or off.

Get the one-time passcode

The one-time passcode is the most secure option, because the passcode refreshes after a short interval and cannot be guessed by attackers.

Because you must enter the passcode in the update, stop, or uninstall commands, you must decide how long a validation window you can allow before the passcode expires.

To get the one-time passcode:

  1. Click Data Collection > Agents.
  2. Select the Endpoint Prevention tab and click Security Settings.
  3. Under Password Protection, click Get One-Time Passcode.
  4. The One-Time Passcode modal displays, where you can copy and paste the passcode into a text editor or directly into your command prompt.

The remaining time is displayed, which tells you how much time you have to use that passcode before it expires and a new one is generated.

To set the validation window:

  1. Click Data Collection > Agents.
  2. Select Endpoint Prevention and select Security Settings in the left navigation.
  3. Under Password Protection, click Edit Validation Window.
  4. Select a time frame.
  5. Click Save.

Use a short validation window for better protection

To limit the security risk, it is recommended that you select the shortest feasible validation window.

Create a fixed password

The fixed password is an optional setting for the Next-Generation Antivirus add-on. It is not required, and configuring a fixed password increases the risk of a security breach. By comparison, one-time passcodes are more secure and are therefore recommended.

However, a fixed password can be useful when your Insight Agent configuration work will take longer than a one-time passcode will allow. For example, updating or uninstalling Next-Generation Antivirus Insight Agents can take some time and sometimes require multiple users to complete.

When you no longer need your fixed password, it is best to remove it and use a one-time passcode.

Note: Because your password is used as a parameter in a command, it must not contain characters that will abort the command. For example, these characters are invalid for a fixed password: < > " : * ? \ / |

To create a password:

  1. Click Data Collection > Agents.
  2. Click Endpoint Prevention and select Security Settings in the left navigation.
  3. Under Password Protection, click Create Password.
  4. Enter a password and confirm the password you entered.
  5. Click Save.

To create a password for a prevention group:

  1. Click Data Collection > Agents.
  2. Click Endpoint Prevention > Prevention Groups.
  3. Select the prevention group you want to modify.
  4. Under Password Protection, click Create Password.
  5. Enter a password and confirm the password you entered.
  6. Click Save.

Security settings for Ransomware Prevention

Attackers often attempt to tamper with endpoint security solutions, so that they can freely perform malicious activities without being detected.

The Tamper Protection engine contains rules that protect the Insight Agent components powering the Ransomware Prevention add-on, thereby protecting your assets continuously. When Tamper Protection is turned on, it prevents malware and bad actors from tampering with the files and functionality of Ransomware Prevention. It also offers the option of turning on Password Protection.

Using a one-time passcode (OTP) or a fixed password allows you to limit the users who can update, stop, or uninstall the Ransomware Prevention add-on. You can activate password protection at both the organizational level and for individual prevention groups that require extra security.

Types of password protection

You may find that you are unsure when to choose between a one-time passcode and a fixed password. Use this guidance to help you make the right decision and provide maximum protection for your assets:

  • One-Time Passcode (recommended) - After you enable Password Protection, the system begins generating a passcode at regular intervals. This passcode can be viewed and used for a limited amount of time to update, stop, or uninstall Ransomware Prevention (see the steps for setting the validation window). After the passcode expires, a newly generated passcode can be used. This passcode is valid even when the machine is disconnected from the Insight Platform.
  • Fixed Password - In addition to the one-time passcode, you can set an optional, fixed password. Having a fixed password is useful when you want to update your Insight Agents or uninstall them, because these tasks can take some time to complete and the OTP becomes impractical. You can use a fixed password across the entire organization, which covers all prevention groups, or you can specify a password for individual prevention groups, which will override the central password. This is useful in situations where your organization has a large number of prevention groups and multiple group administrators, because each admin can use a specific password to manage the groups that are assigned to them.

Password Protection is dependent on Tamper Protection being active

Password Protection can be enabled and configured only when Tamper Protection is turned on.

How to turn Tamper Protection on or off

Tamper Protection is enabled by default, both at the organizational level and for any newly created prevention group. For continuous protection from attacks, it is recommended that you keep it enabled. However, there are some situations where you might need to turn it off.

To turn Tamper Protection on or off:

  1. Click Data Collection > Agents.
  2. Click Endpoint Prevention and select Security Settings in the left navigation.
  3. Turn the Tamper Protection toggle on or off.

Tamper Protection actively protects all of the prevention groups in your organization. However, if you decide that one or more prevention groups require no protection, you can turn it off.

To turn Tamper Protection on or off for a prevention group:

  1. Click Data Collection > Agents.
  2. Select Endpoint Prevention > Prevention Groups.
  3. Select the prevention group you want to modify.
  4. Select Security Details in the left navigation.
  5. Turn the Tamper Protection for Windows toggle on or off.

Tamper Protection works in Active Prevention mode only

For Tamper Protection to be effective, ensure that the activation mode is set to Active Prevention. Read more about activation modes.

How to turn Password Protection on or off

Password protection ensures that users cannot update, stop, or uninstall Ransomware Prevention without either a passcode or a password.

Password protection is disabled by default and must be switched on before you can use it.

You can apply password protection to the entire organization or set a specific password on an individual prevention group.

To turn password protection on or off:

  1. Click Data Collection > Agents.
  2. Click Endpoint Prevention and select Security Settings in the left navigation.
  3. Ensure that the Tamper Protection toggle is turned on.
  4. Turn the Password Protection toggle on or off.

To turn password protection on or off for a prevention group:

  1. Click Data Collection > Agents.
  2. Select Endpoint Prevention > Prevention Groups.
  3. Select the prevention group you want to modify.
  4. Select Security Details in the left navigation.
  5. Ensure that the Tamper Protection toggle is turned on.
  6. Turn the Password Protection toggle on or off.

Get the one-time passcode

The one-time passcode is the most secure option, because the passcode refreshes after a short interval and cannot be guessed by attackers.

Because you must enter the passcode in the update, stop, or uninstall commands, you must decide how long a validation window you can allow before the passcode expires.

To get the one-time passcode:

  1. Click Data Collection > Agents.
  2. Select the Endpoint Prevention tab and click Security Settings.
  3. Under Password Protection, click Get One-Time Passcode.
  4. The One-Time Passcode modal displays, where you can copy and paste the passcode into a text editor or directly into your command prompt.

The remaining time is displayed, which tells you how much time you have to use that passcode before it expires and a new one is generated.

To set the validation window:

  1. Click Data Collection > Agents.
  2. Select Endpoint Prevention and select Security Settings in the left navigation.
  3. Under Password Protection, click Edit Validation Window.
  4. Select a time frame.
  5. Click Save.

Use a short validation window for better protection

To limit the security risk, it is recommended that you select the shortest validation window possible.

Create a fixed password

The fixed password is an optional setting for the Ransomware Prevention add-on. It is not required, and configuring a fixed password increases the risk of a security breach. By comparison, one-time passcodes are more secure and are therefore recommended.

However, a fixed password can be useful when your Insight Agent configuration work will take longer than a one-time passcode will allow. For example, updating or uninstalling multiple Insight Agents can take some time and sometimes require multiple users to complete.

When you no longer need your fixed password, it is best to remove it and use a one-time passcode.

Note: Because your password is used as a parameter in a command, it must not contain characters that will abort the command. For example, these characters are invalid for a fixed password: < > " : * ? \ / |

To create a password:

  1. Click Data Collection > Agents.
  2. Click Endpoint Prevention and select Security Settings in the left navigation.
  3. Under Password Protection, click Create Password.
  4. Enter a password and confirm the password you entered.
  5. Click Save.

To create a password for a prevention group:

  1. Click Data Collection > Agents.
  2. Click Endpoint Prevention > Prevention Groups.
  3. Select the prevention group you want to modify.
  4. Under Password Protection, click Create Password.
  5. Enter a password and confirm the password you entered.
  6. Click Save.
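The following Python is an added example, not Rapid7 code or any Insight Platform API: it models the rules stated above for both add-ons (Password Protection depends on Tamper Protection, a group can turn Tamper Protection off, a group fixed password overrides the central one, and the fixed-password character restriction) so that an administrator can reason about which credential gates update, stop, or uninstall for a given prevention group. The Settings class, the result dictionary keys, and the behaviour of a group that has no settings of its own (it inherits the org toggles) are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Characters the page lists as invalid in a fixed password: the password is
# passed as a command parameter and these would abort the command.
INVALID_PASSWORD_CHARS = frozenset('<>":*?\\/|')

def invalid_password_chars(password: str) -> set:
    """Return the characters in a candidate fixed password that the console rejects."""
    return set(password) & INVALID_PASSWORD_CHARS

@dataclass
class Settings:
    """Hypothetical model of the toggles on one Security Settings (org) or Security Details (group) page."""
    tamper_protection: bool = True        # on by default at both levels
    password_protection: bool = False     # off by default
    fixed_password: Optional[str] = None  # optional; the OTP is always available

def effective_controls(org: Settings, group: Optional[Settings] = None) -> dict:
    """Resolve what gates update/stop/uninstall for an asset in a prevention group.

    Rules from the page: Tamper Protection can be turned off per group, Password
    Protection only works while Tamper Protection is on, and a group fixed password
    overrides the central one. Assumption (not stated on the page): a group with its
    own settings is governed by them; a group without them inherits the org toggles.
    """
    scope = group if group is not None else org
    if not scope.tamper_protection:          # group opted out of all protection
        return {"tamper_protection": False, "password_required": False,
                "credentials": [], "fixed_password_source": None}
    if not scope.password_protection:        # files protected, but no credential gate
        return {"tamper_protection": True, "password_required": False,
                "credentials": [], "fixed_password_source": None}
    credentials = ["one-time passcode"]      # always usable once protection is on
    if group is not None and group.fixed_password:   # group password overrides central
        fixed, source = group.fixed_password, "group"
    else:
        fixed, source = org.fixed_password, ("org" if org.fixed_password else None)
    if fixed:
        bad = invalid_password_chars(fixed)
        if bad:
            raise ValueError(f"fixed password contains invalid characters: {sorted(bad)}")
        credentials.append("fixed password")
    return {"tamper_protection": True, "password_required": True,
            "credentials": credentials, "fixed_password_source": source}
```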