powershellProtection Object

The powershellProtection object contains the basic details of the Fileless Protection settings in a sensor policy, including:

| Field | Type | Description |
|---|---|---|
| enabled | Boolean | Indicates whether Fileless Protection is enabled for the sensors assigned to this policy. |
| downloadExecute | Enum | Indicates the mode to use to detect and prevent downloaded payloads. Possible values include DISABLED (do not detect or prevent downloaded payloads), DETECT (detect downloaded payloads but do not prevent their execution), and PREVENT (detect and prevent downloaded payloads). |
| maliciousDownloads | Enum | Indicates the mode to use to detect and prevent the execution of malicious content from memory. Possible values include DISABLED (do not detect or prevent malicious content from memory), DETECT (detect the execution of malicious content from memory but do not prevent its execution), and PREVENT (detect and prevent the execution of malicious content from memory). |
| urlAndDomainExclusions | Array | An object containing a list of domain name exclusions from the downloadExecute and maliciousDownloads options. If you do not want to add any exclusions, leave this array empty. |
| file | String | The domain or URL to exclude. |
| modifiedBy | String | The Cybereason user name for the user creating the policy. |
| lastModified | Long | The time (in milliseconds) when you create the policy. |
| scriptAnalysis | Enum | Indicates the mode to use to detect and prevent malicious content from downloaded scripts. Possible values include DISABLED (do not detect or prevent malicious content from scripts), DETECT (detect malicious content in scripts but do not prevent its execution), and PREVENT (detect and prevent malicious content in scripts). |
| patternExclusions | Array | A list of patterns to exclude from script analysis. If you do not want to exclude any patterns, leave this array empty. |
| file | String | The pattern to exclude. For details on how to find the pattern, see Exclude patterns from Fileless Protection. |
| modifiedBy | String | The Cybereason user name for the user creating the policy. |
| lastModified | Long | The time (in milliseconds) when you create the policy. |
| floatingLoadedModules | Enum | Indicates the mode to use to detect and prevent the use of floating modules. Possible values include DISABLED (do not detect or prevent the execution of floating modules), DETECT (detect the execution of floating modules but do not prevent them), and PREVENT (detect and prevent the execution of floating modules). |
| moduleExclusions | Array | A list of modules to exclude from detection and prevention of malicious floating modules. If you do not want to exclude any modules, leave this array empty. |
| file | String | The module name to exclude. |
| modifiedBy | String | The Cybereason user name for the user creating the policy. |
| lastModified | Long | The time (in milliseconds) when you create the policy. |
| dotNetToJScript | Enum | Indicates the mode to use to detect and prevent the use of the .NET to JScript technique. Possible values include DISABLED (do not detect or prevent the execution of the .NET to JScript technique), DETECT (detect but do not prevent the use of the .NET to JScript technique), and PREVENT (detect and prevent the execution of the .NET to JScript technique). |
| processExclusions | Array | A list of processes to exclude from fileless protection. If you do not want to exclude any processes, leave this array empty. |
| file | String | The name of the process to exclude. |
| modifiedBy | String | The Cybereason user name for the user creating the policy. |
| lastModified | Long | The time (in milliseconds) when you create the policy. |
| dotNetEnabled | Boolean | Indicates whether to use the .NET module as part of fileless protection. |
| amsiEnabled | Boolean | Indicates whether to use the AMSI module as part of fileless protection. |
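The fields listed above lend themselves to an automated policy review. The following is an added example, not Cybereason code: it assumes the object arrives as a flat JSON-style dictionary whose exclusion arrays hold entries with file, modifiedBy and lastModified, and the severity labels are the example's own grading.

```python
# Added example: audits a powershellProtection object for weakened settings.
# Field names and enum values come from this page; the object layout and the
# severity labels ("high", "medium", "review") are assumptions of the example.

MODES = ("DISABLED", "DETECT", "PREVENT")
MODE_FIELDS = ("downloadExecute", "maliciousDownloads", "scriptAnalysis",
               "floatingLoadedModules", "dotNetToJScript")
FLAG_FIELDS = ("enabled", "dotNetEnabled", "amsiEnabled")
EXCLUSION_FIELDS = ("urlAndDomainExclusions", "patternExclusions",
                    "moduleExclusions", "processExclusions")


def audit(policy):
    """Return (severity, field, message) findings for one policy object."""
    findings = []
    for name in FLAG_FIELDS:
        if policy.get(name) is not True:
            findings.append(("high", name, "not enabled"))
    for name in MODE_FIELDS:
        mode = policy.get(name)
        if mode not in MODES:
            findings.append(("high", name, f"missing or unknown mode {mode!r}"))
        elif mode == "DISABLED":
            findings.append(("high", name, "no detection or prevention"))
        elif mode == "DETECT":
            findings.append(("medium", name, "detects but does not prevent"))
    for name in EXCLUSION_FIELDS:
        for entry in policy.get(name) or []:
            who = entry.get("modifiedBy", "unknown user")
            findings.append(("review", name,
                             f"excludes {entry.get('file')!r}, set by {who}"))
    return findings


# Constructed sample policy, not taken from a real deployment.
SAMPLE = {
    "enabled": True, "dotNetEnabled": True, "amsiEnabled": False,
    "downloadExecute": "PREVENT", "maliciousDownloads": "DETECT",
    "scriptAnalysis": "DISABLED", "floatingLoadedModules": "PREVENT",
    "dotNetToJScript": "PREVENT",
    "urlAndDomainExclusions": [{"file": "updates.example.com",
                                "modifiedBy": "admin@example.com",
                                "lastModified": 1700000000000}],
    "patternExclusions": [], "moduleExclusions": [], "processExclusions": [],
}

if __name__ == "__main__":
    for severity, field, message in audit(SAMPLE):
        print(f"{severity:6} {field}: {message}")
```

Every exclusion entry is reported for review because each one removes a domain, pattern, module or process from coverage regardless of the mode set on the related field.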