
Change Cb Protection Enforcement Modes

Follow these steps to change Cb Protection enforcement modes.

Upgrading from Disabled mode to Visibility mode

  • When moving a system out of Disabled mode, the agent performs an Initialization of the file system and locally approves all Interesting files by hash.
  • Initialization should not traverse your remote shares. Unmount these for the duration of Initialization.
  • Move virtual systems that share the same physical drives to Visibility mode individually if there is concern that the shared physical drives will be unable to handle the load.
  1. Pick a time to move your systems when they have low hard drive utilization.
  2. Make a list of systems that can be moved at the same time, and assess the impact on any virtual drives or potential server downtime.
  3. Select your systems using the admin console, and move them into a policy in Visibility enforcement mode, such as ISO – Visibility.

Upgrading from Visibility mode to Medium enforcement mode

  • When moving a system out of Disabled mode, the agent performs an Initialization of the file system and locally approves all Interesting files by hash. This means that any existing software will be trusted to access the file system.
  • Switching into a higher enforcement mode will not result in any existing executables being blocked. The initialization process can be I/O intensive, as it has to scan the full disk. Virtual server environments should take this into account, and spread out upgrades to avoid overloading the backing storage.
  • Initialization should not traverse your remote shares. Unmount these for the duration of Initialization.
  1. Exercise your systems through their installation and update cycles.
  2. Review monitored events to see what Interesting unapproved files have been executed on the system.
  3. If you see known trusted files that you expect to use on this list, approve them locally.
    • These files should be allowed to execute throughout your environment. Approve them for your policy.
    • If these files are dynamic and have a changing hash value, write a custom rule that can accurately identify them without opening up an approve path that undermines Cb Protection.
  4. Pick a time to move your systems when they have low hard drive utilization.
  5. Make a list of systems that can be moved at the same time, and assess the impact on any virtual drives and potential downtime.
  6. Use the admin console to select one of your systems and move it into a Medium enforcement policy, such as ISO – Medium.
  7. Review your logs to ensure that nothing is being blocked incorrectly.
  8. Move several systems to a Medium enforcement policy, and review the logs again.
  9. Move the remaining systems into your Medium enforcement policy, and review your logs.
  10. Make sure administrators of the servers in Medium enforcement mode know how to respond to blocked event pop-ups, and can review the resulting events.
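Steps 2 and 3 above can be prepared offline from an export of the monitored events. The following is an added example, not Carbon Black code: the CSV column names, the host-count threshold, and the sample rows are assumptions constructed for illustration. It sorts unapproved executions into candidates for local approval, candidates for policy approval, and paths whose hash changes and therefore need a custom rule.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of exported events. Column names are assumptions,
# not the Cb Protection export schema.
SAMPLE_EVENTS = """host,path,sha256,approved
srv01,C:\\Tools\\backup.exe,aaa111,no
srv02,C:\\Tools\\backup.exe,aaa111,no
srv03,C:\\Tools\\backup.exe,aaa111,no
srv01,C:\\App\\updater.exe,bbb222,no
srv01,C:\\App\\updater.exe,ccc333,no
srv02,C:\\App\\updater.exe,ddd444,no
srv02,C:\\Temp\\setup.exe,eee555,no
srv03,C:\\Windows\\notepad.exe,fff666,yes
"""


def triage(csv_text, policy_host_threshold=3):
    """Group unapproved executions into review buckets for step 3.

    The buckets are candidates only: a reviewer still has to confirm
    that each file is known and trusted before approving anything.
    """
    hosts_by_file = defaultdict(set)   # (path, hash) -> hosts that ran it
    hashes_by_path = defaultdict(set)  # path -> distinct hashes seen
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["approved"].strip().lower() == "yes":
            continue  # already approved, nothing to review
        path = row["path"].lower()  # Windows paths are case-insensitive
        hosts_by_file[(path, row["sha256"])].add(row["host"])
        hashes_by_path[path].add(row["sha256"])

    # Same path with several hashes: a hash approval will not hold.
    dynamic = {p for p, h in hashes_by_path.items() if len(h) > 1}
    result = {"custom_rule": sorted(dynamic), "policy": [], "local": []}
    for (path, digest), hosts in sorted(hosts_by_file.items()):
        if path in dynamic:
            continue
        bucket = "policy" if len(hosts) >= policy_host_threshold else "local"
        result[bucket].append((path, digest, sorted(hosts)))
    return result


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_EVENTS).items():
        print(bucket, items)
```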

Upgrading from Medium enforcement mode to High enforcement mode

Note: When moving a system from Medium to High enforcement mode, the system will not Initialize because the initial enforcement mode is Medium or higher.

  1. While managing your servers, make notes of any blocked events that occur, and adjust workflows, file approvals, and rules to address those events.
  2. When you understand all the events in your log, schedule your systems’ migration into High enforcement mode.
  3. Start upgrading your systems to High enforcement after they have been in Medium enforcement for a month, and they have been through a patching cycle in Medium enforcement without triggering any blocking events.
  4. Review the events to see what Interesting unapproved files will be blocked in High enforcement mode.
  5. Upgrade one machine to a policy in High enforcement mode and review the logs to ensure that nothing is being blocked incorrectly.
  6. Move several systems to a policy in High enforcement mode and review the logs.
  7. Move the remaining systems and review the logs.

See Cb Protection Frequently Asked Questions for more information, or submit a Help ticket.

Last modified April 25, 2017