Understanding High-Risk, Low-Risk, and Default process configuration and use
Last Modified: 3/3/2023
Technical Articles ID:
KB55139
Environment
Endpoint Security (ENS) Threat Prevention 10.x
Summary
Unless configured otherwise, ENS uses the On-Access Default Processes policy. The scanning configuration for this policy applies to all processes, including any file activity from those processes. Implementing the High-Risk Processes and Low-Risk Processes policies offers a means to configure the on-access scanner and streamline computer performance. For example, you can use the Low-Risk Processes policy to disable both scan on read and scan on write for any process added to the policy. This configuration allows the process to run while preventing scanning of the disk activity caused by the process.

NOTE: This note applies to ENS Threat Prevention only. When using the Low-Risk Processes policy in the manner described above, don't add exclusions to the policy. Doing so can unintentionally introduce performance overhead, as the scanner has to validate the exclusion list. The exclusions aren't needed, because the disk activity caused by the processes added to the Low-Risk Processes policy isn't being scanned.

The scenarios below can help you understand the High-Risk Processes and Low-Risk Processes policies.

Solution 1
Scenario 1 - The Low-Risk Processes policy is configured with Scan on READ disabled. We use
With only the Default Processes policy in use, start With
What Risks Does This Scenario Introduce?
Risk 1 - Assuming there’s a virus/trojan with an executable file named
Risk 2 - An infected file has been stored on the drive: This risk means the
You can mitigate the risk by running an on-demand scan before you perform a backup:
Solution 2
Scenario 2 - Use the Low-Risk Processes policy to implement an exclusion. We use the
With only the Default Processes policy in use:
You can add the
What Risks Does This Scenario Introduce?
Risk 2 - A READ action occurs to execute the infected file:
Related Information
Third-party applications can exhibit performance issues when run concurrently with ENS, but an improvement can be seen when the application-specific processes are added to the Low-Risk Processes policy. Simply adding an application to the list of Low-Risk Processes doesn't change the behavior of the on-access scanner; one or more options must be changed for Low-Risk processes to affect performance.
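The following model illustrates the policy behaviour described in the Summary and in Related Information: how a process is mapped to the Default, High-Risk or Low-Risk Processes policy, why an exclusion under a Low-Risk policy with scanning disabled is never consulted, why merely listing a process as Low-Risk changes nothing until a scan option is switched off, and how a file written unscanned by a Low-Risk process is still caught when a Default-policy process reads it or when an on-demand scan runs before a backup. This is an added example written for this article, not ENS code; the decision rules are a simplified reconstruction of what the article states, and the process names (backup.exe, explorer.exe), file names and "signature" strings are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class ProcessPolicy:
    """One of the three On-Access process policies (Default, High-Risk, Low-Risk)."""
    name: str
    scan_on_read: bool = True
    scan_on_write: bool = True
    exclusions: set = field(default_factory=set)   # file names excluded from scanning


@dataclass
class OnAccessConfig:
    default: ProcessPolicy
    high_risk: ProcessPolicy
    low_risk: ProcessPolicy
    high_risk_processes: set = field(default_factory=set)
    low_risk_processes: set = field(default_factory=set)

    def policy_for(self, process: str) -> ProcessPolicy:
        # Assumption: a process named in the High-Risk or Low-Risk list takes that
        # policy; every other process falls under Default Processes.
        p = process.lower()
        if p in self.high_risk_processes:
            return self.high_risk
        if p in self.low_risk_processes:
            return self.low_risk
        return self.default

    def decide(self, process: str, operation: str, filename: str) -> dict:
        """Return whether a read/write by `process` on `filename` is scanned, and
        whether the policy's exclusion list had to be consulted to decide that."""
        policy = self.policy_for(process)
        enabled = policy.scan_on_read if operation == "read" else policy.scan_on_write
        if not enabled:
            # Scanning is off for this operation, so the exclusion list is never reached:
            # this is why exclusions on such a Low-Risk policy are redundant overhead.
            return {"policy": policy.name, "scanned": False, "exclusions_checked": False}
        excluded = filename.lower() in policy.exclusions
        return {"policy": policy.name, "scanned": not excluded, "exclusions_checked": True}


def on_demand_scan(disk: dict, signatures: set) -> list:
    """Model of an on-demand scan: every stored file is checked against the
    signature set regardless of which process wrote it (the mitigation the
    article suggests before a backup)."""
    return sorted(name for name, content in disk.items() if content in signatures)


def build_config(low_risk_read: bool, low_risk_write: bool, low_risk_exclusions=()) -> OnAccessConfig:
    """Constructed configuration: backup.exe is the only Low-Risk process."""
    return OnAccessConfig(
        default=ProcessPolicy("Default Processes"),
        high_risk=ProcessPolicy("High-Risk Processes"),
        low_risk=ProcessPolicy("Low-Risk Processes", low_risk_read,
                               low_risk_write, set(low_risk_exclusions)),
        low_risk_processes={"backup.exe"},
    )


if __name__ == "__main__":
    # Scenario: Low-Risk policy with both scan on read and scan on write disabled.
    cfg = build_config(low_risk_read=False, low_risk_write=False)
    disk = {}                                   # constructed stand-in for the file system
    print(cfg.decide("backup.exe", "write", "payload.exe"))    # not scanned, exclusions untouched
    disk["payload.exe"] = "SAMPLE-SIGNATURE"    # constructed: content matching a known signature
    print(cfg.decide("explorer.exe", "read", "payload.exe"))   # Default policy: scanned on read
    print(on_demand_scan(disk, {"SAMPLE-SIGNATURE"}))         # on-demand scan finds it before backup
    # Listing backup.exe as Low-Risk without changing any option: behaviour identical to Default.
    print(build_config(True, True).decide("backup.exe", "write", "payload.exe"))
```

Running the block prints the decision for each step; the `exclusions_checked` flag is the part worth watching, since it stays false whenever the relevant scan option is off, which is the overhead argument made in the NOTE above.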