Reference Guide
Security Management Server Virtual v10.2.7 AdminHelp
Escalation: LSASS Read
Default: Alert
Options: Ignore, Alert, Block, Terminate

Specify the action to take when an LSASS read threat is detected.

Ignore - No action is taken against identified memory violations.
Alert - Record the violation and report the incident to the Dell Server.
Block - Block the process call if an application attempts to call a memory violation process. The application that made the call is allowed to continue to run.
Terminate - Block the process call if an application attempts to call a memory violation process and terminate the application that made the call.

LSASS Read - Memory belonging to the Windows Local Security Authority process has been accessed in a manner that indicates an attempt to obtain users' passwords.

The LSASS Read escalation affects Windows operating systems. This policy does not apply to Mac clients.

Escalation: Zero Allocate
Default: Alert
Options: Ignore, Alert, Block, Terminate

Specify the action to take when a zero byte allocation threat is detected.

Ignore - No action is taken against identified memory violations.
Alert - Record the violation and report the incident to the Dell Server.
Block - Block the process call if an application attempts to call a memory violation process. The application that made the call is allowed to continue to run.
Terminate - Block the process call if an application attempts to call a memory violation process and terminate the application that made the call.

Zero Allocate - A null page has been allocated. The memory region is typically reserved, but in certain circumstances it can be allocated. Attacks can use this to set up privilege escalation by taking advantage of some known null dereference exploit, typically in the kernel.

The Zero Allocate escalation affects Windows and macOS operating systems.

Execution Control

Prevent Service Shutdown from Device
Default: Not Selected
Options: Selected, Not Selected

If selected, the Advanced Threat Prevention service is protected from being shut down either manually or by another process.

Kill Unsafe Running Processes and Sub-Processes
Default: Not Selected
Options: Selected, Not Selected

If selected, processes and sub-processes are quarantined and terminated regardless of their state when a threat is detected (exe or dll). Although a process or sub-process is terminated, the command prompt window remains open.

If a file has been determined to be Safe and allowed to run and then a threat model update occurs that results in the file being identified as unsafe, the process is automatically terminated. Dell recommends that you review threat model updates before selecting this policy. For more information, see Threat Model Updates.

Background Threat Detection
Default: Run Once
Options: Disabled, Run Recurring, Run Once

If set to Run Recurring or Run Once, a full-disk scan is run to detect and analyze any dormant threats on the disk.

An update to the Threat Model triggers a full-disk scan.










