Configure and test memory protection

Aurora Protect Desktop 3.x introduces various memory protection enhancements and increased visibility into the activity of the applications and processes on a device. In some situations, applications perform operations that could be considered malicious but that serve legitimate purposes. Arctic Wolf recommends following the steps and best practices below to tune the Aurora Protect Desktop 3.x agent properly before you deploy it to your production environment. For more information about memory protection violation types, see Device policy: Memory Protection settings in the Aurora Endpoint Security setup content.
  1. In the management console, on the menu bar, click Policies > Device Policy.
  2. Click the device policy for your test devices.
  3. On the Memory Actions tab, select the Memory Protection check box.
  4. In the Violation Type table, expand Exploitation, Process Injection, and Escalation. For all violation types listed under Available for Agent Version 2.1.1580 and higher and Available for CylancePROTECT 3.0 and higher, select the ALERT action.
  5. Save the device policy.
  6. Run Aurora Protect Desktop 3.x on your test devices and review the alerts to determine the risk of these exploits within your environment. If any of the alerted activity is low risk and blocking it would cause business impact, you can add targeted memory protection exclusions. For instructions and guidance, see Memory Protection.
    It is recommended that you restart each test device after you install or upgrade to Aurora Protect Desktop 3.x.
After you review the alerts and add the necessary exclusions, you can change the violation type actions in the device policy (for example, to Block or Terminate).