New
We added two new prevention engines for the Next-Generation Antivirus (NGAV) add-on:
File & Process Manipulation Prevention: Malicious software can attempt to manipulate other software applications and processes to gain access to an asset’s internal files. This prevention engine prevents malware from making deceptive modifications to files and processes.
- Default agent action: Block
Data Encryption Prevention: Malicious software can introduce processes that silently encrypt files. This prevention engine will terminate the destructive process if it detects this behavior.
- Default agent action: Detect
Note: You can update the agent action to Block by editing the prevention engine in your Prevention Groups. However, it is recommended to first monitor Data Encryption alerts and add exclusions for any that are triggered by benign activity before changing the agent action. Because the Block action terminates the triggering process, it may be too aggressive while benign encryption activity is still being tuned out.
The NGAV policy has been updated with new rules to extend its prevention capabilities in the following prevention engines:
- Malicious Document
- Living-Off-the-Land
- OS Credential Dumping
- File & Process Manipulation
- Data Encryption
Rule descriptions and recommendations can be found in InsightIDR > Detection Rules > Endpoint Prevention Rules.
Note: Rules related to the Data Encryption prevention engine require the latest version of NGAV.