Policies define OneView's behavior when running a scheduled scan, using Real-Time Protection, or monitoring Suspicious Activity. Policies are applied at the site and group level in OneView, and all endpoints in a group use the same policy.
- On the left navigation menu, click Configure > Policies.
- Click the + icon to create a new policy, or select an existing policy to edit it.
- Select the Protection settings tab to see the specific settings available for each operating system.
Real-time protection
Real-time protection features are part of your OneView Endpoint Protection or Endpoint Detection and Response subscription.
When you enable Real-time protection features, any plugins they need are installed on your endpoints automatically. We recommend enabling all OneView Endpoint Protection features for the best protection.
Web protection
Blocks connections to and from known or suspicious Internet addresses. Disabling this feature reduces the safety of your endpoints. Web protection also has advanced settings used for troubleshooting; these should remain enabled and should only be disabled with guidance from ThreatDown Support:
- Outbound TCP: Enable or disable monitoring of outbound TCP connections.
- Inbound TCP: Enable or disable monitoring of inbound TCP connections.
- Outbound UDP: Enable or disable monitoring of outbound UDP connections.
Exploit protection
Guards installed applications against vulnerability exploits. Exploit Protection shields applications as they launch and can stop attacks that other security products miss. Additional settings in this section include:
- Block potentially malicious email attachments: Prevents opening or saving email attachments with file extensions associated with malicious content in the Microsoft Outlook desktop client. Microsoft Outlook must be enabled in the Anti-exploit protected applications list for this to work.
- Manage protected applications: Popular applications are supported automatically and listed here. You can also add your own applications; see Add an application to Exploit Protection in OneView.
- Anti-exploit settings: Allows configuration of individual anti-exploit measures. The defaults balance endpoint performance against protection. Some of these settings are locked and cannot be changed.
IMPORTANT: We recommend not changing these settings unless instructed to by OneView Support. For more information, see Anti-Exploit settings in OneView.
Malware protection
Protects against malicious content that tries to execute on your endpoints. Malware arrives from many sources, such as downloads, external drives, and email attachments. We recommend leaving Malware Protection on.
Behavior protection
Behavior Protection safeguards against both known and unknown ransomware. Ransomware often remains undetected until it activates, so we recommend keeping Behavior Protection enabled.
Block untrusted applications
This setting blocks applications from known bad developers from running on the endpoint. The application is not quarantined; it is simply prevented from executing. Enable this feature to stop malicious apps from running on your Mac endpoints.
Prevents ads and ad trackers from loading in the Safari browser on iOS devices.
These options control whether the Endpoint Agent protects itself from tampering and how access to USB storage devices is handled. They require Real-time protection to be enabled.
Options in this section are as follows:
Self-Protection: Creates a "safe zone" that prevents malicious processes from controlling the Endpoint Agent. The self-protection module has a brief startup period during which it is not yet active.
- Boot Process: Makes Self-Protection start earlier when the endpoint is booting. This affects the startup order of services and software drivers.
Device Control: Control access when storage drives are connected via USB.
Note: macOS devices and devices utilizing Media Transfer Protocol or Picture Transfer Protocol are not currently supported.
Automatically scan and quarantine threats when a USB device is inserted: Checks a USB device for threats when it is inserted and removes any that are found.
- Allow full access to the device: Allows copying files to the device and modifying files on it. A sub-option below this setting lets you require a scan of the device before access is granted.
- Read-only access to the device: Allows copying files from the device but blocks modifying files on it or copying files to it. A sub-option below this setting lets you require a scan of the device before access is granted.
- Block access to the device: Blocks access to the device so that files cannot be modified on it or copied to it.
Aggressive protection settings: Advanced measures that can be enabled for stronger protection against attacks. They raise the false-positive rate and are intended for devices that are frequently compromised or targeted.
CAUTION - These settings are disabled by default and should only be enabled after considering their impact on the affected devices.
- Block penetration testing attacks: Aggressive exploit protection settings that detect techniques typical of penetration testing and red-team tooling. Consider enabling this during security audits; expect it to flag legitimate assessment tools as well.
- Enable hardening of MS Office applications: Disables macro execution from within Microsoft Office applications. Recommended to be used on devices that require more robust security.
- Enhance anomaly detections: Enables aggressive configuration for the anomaly detection technology.
- Enhance heuristic detections: Enables aggressive heuristic rules.
- Enhance sandbox detections: Enables aggressive configuration for our sandbox emulator.
Protection Updates are database updates used by scans and Real-time protection features. For more information, see Protection updates.
Options in this section are as follows:
- Check for protection software updates: How often the endpoint checks for updates. Choose a period from 15 minutes to 7 days.
- Protection updates delay: Postpones the latest Protection Updates by 1, 3, or 5 hours. Choose a delay period or set No delay, which is recommended.
Important: Delaying Protection updates may reduce the risk of a false positive from a freshly published database, but it leaves endpoints exposed to zero-day threats for the length of the delay.
Additional Windows protection settings (Requires Real-time protection to be enabled)
These options affect when Real-time protection loads and how the security registers in the Windows Action Center.
- Delay real-time protection: How long the start of the Real-Time Protection service is delayed after boot. Adjust this based on which services conflict with Real-Time Protection. The delay can range from 15 to 180 seconds.
Windows Action Center: The Windows Action Center alerts you when an issue needs attention. Registering the Endpoint Agent as the primary Windows security solution on non-server endpoints lets the Windows Action Center show its notifications.
To verify which application is registered as the primary protection service provider, run the following command in Command Prompt on the endpoint and look at the first or only application listed:
wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
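The command prints one key=value block per registered product, and the productState field is a packed integer rather than a readable status. The following Python script is an added example, not part of the ThreatDown documentation: it parses that /Format:List output (a constructed sample with placeholder GUIDs is embedded so it runs offline) and decodes productState so you can confirm which product actually has real-time protection enabled rather than relying on list order. The bit layout used here (bit 0x1000 set = enabled, bit 0x10 set = signatures out of date) is the widely observed convention for the SecurityCenter2 namespace, not something Microsoft documents, so treat it as an assumption. Note that WMIC is deprecated in current Windows releases; `Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct` in PowerShell returns the same fields.

```python
"""Parse the wmic AntiVirusProduct /Format:List output and decode productState.

Added example (not ThreatDown code). On Windows it runs the wmic query shown in
the documentation; elsewhere it falls back to a constructed sample.
"""
import subprocess
import sys

WMIC_CMD = [
    "wmic", "/Node:localhost", "/Namespace:\\\\root\\SecurityCenter2",
    "Path", "AntiVirusProduct", "Get", "*", "/Format:List",
]

# Constructed sample: placeholder GUIDs; productState values chosen to show a
# disabled built-in antivirus next to an enabled third-party agent.
SAMPLE_OUTPUT = """\r
\r
displayName=Windows Defender\r
instanceGuid={00000000-0000-0000-0000-000000000001}\r
productState=393472\r
timestamp=Mon, 03 Jun 2024 09:12:44 GMT\r
\r
\r
displayName=ThreatDown Endpoint Agent\r
instanceGuid={00000000-0000-0000-0000-000000000002}\r
productState=266240\r
timestamp=Mon, 03 Jun 2024 09:15:02 GMT\r
\r
\r
"""

# ASSUMED productState layout (observed convention, undocumented by Microsoft):
#   bit 12 (0x1000) set -> real-time protection enabled
#   bit  4 (0x0010) set -> signatures out of date
STATE_ENABLED_BIT = 0x1000
STATE_OUTDATED_BIT = 0x0010


def parse_wmic_list(text):
    """Split /Format:List output into one dict per product; blank lines separate records."""
    records, current = [], {}
    for line in text.replace("\r", "").split("\n"):
        line = line.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition("=")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def decode_product_state(state):
    """Return (enabled, signatures_current) for a numeric productState value."""
    state = int(state)
    return bool(state & STATE_ENABLED_BIT), not (state & STATE_OUTDATED_BIT)


def summarize(text):
    """One dict per registered product with its decoded state."""
    out = []
    for rec in parse_wmic_list(text):
        state = int(rec.get("productState", "0"))
        enabled, current = decode_product_state(state)
        out.append({"name": rec.get("displayName", "?"), "state": state,
                    "enabled": enabled, "signatures_current": current})
    return out


def active_products(text):
    """Names of products whose real-time protection bit is set (the effective primary AV)."""
    return [p["name"] for p in summarize(text) if p["enabled"]]


def query_endpoint():
    """Run the wmic query on a Windows endpoint and return its output as text."""
    raw = subprocess.run(WMIC_CMD, capture_output=True, check=True).stdout
    # wmic writes UTF-16LE with a BOM when redirected; console capture is plain bytes.
    return raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("utf-8", "replace")


if __name__ == "__main__":
    text = query_endpoint() if sys.platform == "win32" else SAMPLE_OUTPUT
    for p in summarize(text):
        print(f"{p['name']}: productState=0x{p['state']:06X} "
              f"enabled={p['enabled']} signatures_current={p['signatures_current']}")
    print("Active:", ", ".join(active_products(text)) or "none")
```

On an endpoint where OneView is registered as primary, the built-in antivirus should decode as disabled and the Endpoint Agent as enabled; if both show enabled, or only Defender does, the policy's Windows Action Center setting has not taken effect on that endpoint.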
- Let Malwarebytes apply the best Windows Action Center settings: OneView decides whether to register itself as the primary protection service provider in the Windows Action Center. When OneView is registered there, Windows Defender is disabled. If OneView is temporarily disabled, Windows Defender re-enables itself; use a Microsoft GPO to keep Defender disabled if that is required.
- Never register Malwarebytes in the Windows Action Center: OneView is set as the secondary antivirus and never appears in Windows Action Center. Windows Defender remains as the primary antivirus.
- Always register Malwarebytes in the Windows Action Center: OneView is set as the primary antivirus and always appears in Windows Action Center. Windows Defender is disabled as a result.
Mobile protection updates
Mobile protection updates are database updates used by scans, ad blocking, and Real-time protection features. The database is updated hourly when a new version is available. Options in this section are as follows:
- Allow protection updates over expensive networks: Allows protection updates to download over metered connections such as cellular data.