Defend - Malware scanning on modification toggle (#5196) (#5218)
* First draft

* Update configure-integration-policy.asciidoc

* Apply suggestions from review

Co-authored-by: Gabriel Landau <[email protected]>

* Apply suggestions from review

Co-authored-by: Nastasha Solomon <[email protected]>

---------

Co-authored-by: Gabriel Landau <[email protected]>
Co-authored-by: Nastasha Solomon <[email protected]>
(cherry picked from commit e7d743a)

Co-authored-by: Joe Peeples <[email protected]>
mergify[bot] and joepeeples authored May 15, 2024
1 parent 4e633f1 commit fa163df
Showing 2 changed files with 7 additions and 5 deletions.
12 changes: 7 additions & 5 deletions docs/getting-started/configure-integration-policy.asciidoc
Expand Up @@ -59,22 +59,24 @@ to create a new trusted application, go to **Manage** -> **Trusted applications*
that looks for static attributes to determine if a file is malicious or benign.

By default, malware protection is enabled on Windows, macOS, and Linux hosts.
To disable malware protection, switch the **Malware protections enabled** toggle off.
To disable malware protection, turn off the **Malware protections** toggle.

Malware protection levels are:

* **Detect**: Detects malware on the host and generates an alert. The agent will **not** block malware.
You must pay attention to and analyze any malware alerts that are generated.
* **Prevent** (Default): Detects malware on the host, blocks it from executing, and generates an alert.

These additional options are available for malware protection:

* **Blocklist**: Enable or disable the <<blocklist,blocklist>> for all hosts associated with this {elastic-defend} policy. The blocklist allows you to prevent specified applications from running on hosts, extending the list of processes that {elastic-defend} considers malicious.

* **Scan files upon modification**: By default, {elastic-defend} scans files every time they're modified, which can be resource-intensive on hosts where files are frequently modified, such as servers and developer machines. Turn off this option to only scan files when they're executed. {elastic-defend} will continue to identify malware as it attempts to run, providing a robust level of protection while improving endpoint performance.

Select **Notify user** to send a push notification in the host operating system when activity is detected or prevented. Notifications are enabled by default for the *Prevent* option.

TIP: Platinum and Enterprise customers can customize these notifications using the `Elastic Security {action} (unknown)` syntax.

Malware protection also allows you to manage a blocklist to prevent specified applications from running on hosts,
extending the list of processes that {elastic-defend} considers malicious. Use the **Blocklist enabled** toggle
to enable or disable this feature for all hosts associated with the integration policy. To configure the blocklist, refer to <<blocklist>>.

[role="screenshot"]
image::images/install-endpoint/malware-protection.png[Detail of malware protection section.]

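Review bot: the new **Scan files upon modification** bullet describes the performance gain of turning the option off but not the coverage that is given up, and a reader choosing the setting needs both. With the option off, a file written to disk is not scanned until something executes it, so a payload that is staged on the host but never run there produces no alert; the bullet's "{elastic-defend} will continue to identify malware as it attempts to run" reads as if nothing is lost. Suggest one sentence after "Turn off this option to only scan files when they're executed.", for example "Files that are written but never executed on the host are not scanned." Two smaller points in the same hunk: the **Notify user** paragraph still uses single-asterisk `*Prevent*` while the rest of the section uses `**Prevent**`, and the blocklist bullet names the control **Blocklist** where the deleted paragraph called it the **Blocklist enabled** toggle; worth checking which label the UI shows so the two bullets and the screenshot agree.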