In either Detect or Enforce mode, users have one more option, Aggressive Mode, for stronger antivirus protection. This feature strengthens protection by adding parameter identification to the monitoring task, so that users can check not only the operation process but also any change in the parameters passed to the monitored process.
Note:

Aggressive Mode enforces strict rules to ensure the utmost security: only recognized calls with identified parameters from monitored operation processes are allowed.

Below is an example of how the Aggressive Mode works.

  1. When users select the Learn mode under Operations Behavior Anomaly Detection, the following process chain is learned:
    • explorer.exe > cmd.exe > powershell.exe script.ps1 argument1

  2. When users switch to the Detect or Enforce mode with Aggressive Mode disabled, StellarProtect does not block recognized program calls that carry unidentified parameters, so the following process chain is allowed:
    • explorer.exe > cmd.exe > powershell.exe script.ps1 argument2

      Note:

      argument2 is new data passed into the process, which changes the process's parameter. With Aggressive Mode disabled, this does not count as an unrecognized application in the process chain.

  3. When Aggressive Mode is enabled, regardless of whether Detect or Enforce mode is active, the following process chain is not allowed:
    • explorer.exe > cmd.exe > powershell.exe script.ps1 argument2

      Note:

      argument2 is detected as an unrecognized parameter, which must be blocked when Aggressive Mode is enabled.

  4. In conclusion, when Aggressive Mode is enabled, only the exact process chain learned in Step 1 is allowed:
    • explorer.exe > cmd.exe > powershell.exe script.ps1 argument1
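The two matching rules above (image chain only versus image chain plus parameters) can be modelled in a few lines. The following is an added illustration written for this page, not StellarProtect's own code; the `BehaviorPolicy` class, the `>`-separated chain notation and the `aggressive` flag are assumptions used to make the rules concrete.

```python
from typing import Set, Tuple

# A process chain is a tuple of (image, argument string) pairs, parent first.
# This is a simplified model of the policy described in the text,
# not StellarProtect's implementation (assumption).
Chain = Tuple[Tuple[str, str], ...]


def parse_chain(text: str) -> Chain:
    """Parse 'explorer.exe > cmd.exe > powershell.exe script.ps1 argument1'
    into (('explorer.exe', ''), ('cmd.exe', ''), ('powershell.exe', 'script.ps1 argument1'))."""
    steps = []
    for hop in text.split(">"):
        image, _, args = hop.strip().partition(" ")
        steps.append((image.lower(), args.strip()))
    return tuple(steps)


class BehaviorPolicy:
    """Allowlist learned in Learn mode, consulted in Detect/Enforce mode."""

    def __init__(self) -> None:
        self.learned: Set[Chain] = set()

    def learn(self, chain_text: str) -> None:
        self.learned.add(parse_chain(chain_text))

    def is_allowed(self, chain_text: str, aggressive: bool) -> bool:
        observed = parse_chain(chain_text)
        if aggressive:
            # Aggressive Mode: the whole chain, parameters included, must have been learned.
            return observed in self.learned
        # Aggressive Mode off: only the sequence of program images must be recognized;
        # a changed parameter such as argument2 is still allowed, an unknown image is not.
        images = tuple(img for img, _ in observed)
        return any(images == tuple(img for img, _ in known) for known in self.learned)


def demo() -> dict:
    """Replay the four steps from the text; sample chains are constructed."""
    policy = BehaviorPolicy()
    policy.learn("explorer.exe > cmd.exe > powershell.exe script.ps1 argument1")  # Step 1
    changed = "explorer.exe > cmd.exe > powershell.exe script.ps1 argument2"
    exact = "explorer.exe > cmd.exe > powershell.exe script.ps1 argument1"
    return {
        "step2_argument2_aggressive_off": policy.is_allowed(changed, aggressive=False),  # True
        "step3_argument2_aggressive_on": policy.is_allowed(changed, aggressive=True),    # False
        "step4_exact_chain_aggressive_on": policy.is_allowed(exact, aggressive=True),    # True
    }
```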