Aggressive Mode applies the strictest rules: only recognized program calls with recognized parameters from monitored operation processes are allowed.
The following example shows how Aggressive Mode works.
1. In Learn mode under Operations Behavior Anomaly Detection, the following process chain is learned:

   explorer.exe → cmd.exe → powershell.exe → script.ps1 argument1

2. If you switch to Detect or Enforce mode without enabling Aggressive Mode, StellarProtect does not block recognized program calls that carry unrecognized parameters, so the following process chain is allowed:

   explorer.exe → cmd.exe → powershell.exe → script.ps1 argument2

   Note: "script.ps1 argument2" passes new data into the process and therefore changes only the process's parameter. With Aggressive Mode disabled, this does not count as an unrecognized application in the chain.

3. If Aggressive Mode is enabled, in either Detect or Enforce mode, the following process chain is not allowed:

   explorer.exe → cmd.exe → powershell.exe → script.ps1 argument2

   Note: "script.ps1 argument2" is detected as an unrecognized parameter and must be blocked when Aggressive Mode is enabled.

In conclusion, when Aggressive Mode is enabled, only the exact process chain (the one learned in Step 1) is allowed:

explorer.exe → cmd.exe → powershell.exe → script.ps1 argument1
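To make the difference between the two matching rules concrete, here is an added simulation of the allow-list logic described in the three steps above. It is illustration code written for this page, not StellarProtect's own implementation: the arrow chain notation, the `ChainPolicy` class, and the `allow`/`detect`/`block` outcomes (Detect mode records the anomaly, Enforce mode blocks it) are assumptions made for the example.

```python
# Added illustration of learned process-chain allow-listing; not StellarProtect code.
# The chain notation, ChainPolicy, and the allow/detect/block outcomes are assumptions.
from dataclasses import dataclass
from typing import Set, Tuple


@dataclass(frozen=True)
class Call:
    """One step in a process chain: the program and the parameters it was given."""
    program: str
    args: Tuple[str, ...]


def parse_chain(text: str) -> Tuple[Call, ...]:
    """Parse 'a.exe → b.exe → script.ps1 argument1' into a tuple of Call objects."""
    calls = []
    for step in text.split("→"):
        parts = step.split()
        if not parts:
            raise ValueError("empty step in chain")
        # Program names are compared case-insensitively; parameters are kept as-is.
        calls.append(Call(parts[0].lower(), tuple(parts[1:])))
    return tuple(calls)


def programs_only(chain: Tuple[Call, ...]) -> Tuple[str, ...]:
    """Drop the parameters so only the sequence of programs is compared."""
    return tuple(c.program for c in chain)


class ChainPolicy:
    """Learned process-chain allow list with optional exact-parameter (aggressive) matching."""

    def __init__(self) -> None:
        self.learned: Set[Tuple[Call, ...]] = set()

    def learn(self, text: str) -> None:
        """Learn mode: record the full chain, parameters included."""
        self.learned.add(parse_chain(text))

    def is_recognized(self, text: str, aggressive: bool) -> bool:
        chain = parse_chain(text)
        if aggressive:
            # Aggressive Mode: programs AND parameters must match a learned chain exactly.
            return chain in self.learned
        # Aggressive Mode off: only the sequence of programs must match;
        # a recognized program with new parameters is still recognized.
        wanted = programs_only(chain)
        return any(programs_only(learned) == wanted for learned in self.learned)

    def evaluate(self, text: str, mode: str, aggressive: bool) -> str:
        """Outcome for a chain under 'learn', 'detect' or 'enforce' mode.
        Assumed behaviour: Detect records the anomaly, Enforce blocks it."""
        if mode == "learn":
            self.learn(text)
            return "learned"
        if self.is_recognized(text, aggressive):
            return "allow"
        return "block" if mode == "enforce" else "detect"


if __name__ == "__main__":
    # Constructed sample chains taken from the steps above.
    policy = ChainPolicy()
    policy.evaluate("explorer.exe → cmd.exe → powershell.exe → script.ps1 argument1", "learn", False)
    chain2 = "explorer.exe → cmd.exe → powershell.exe → script.ps1 argument2"
    print(policy.evaluate(chain2, "enforce", aggressive=False))  # allow
    print(policy.evaluate(chain2, "enforce", aggressive=True))   # block
    print(policy.evaluate(chain2, "detect", aggressive=True))    # detect
```

The design choice worth noticing is that both rules start from the same learned record: the learned chain always keeps its parameters, and the non-aggressive rule simply ignores them at comparison time. An unlearned program anywhere in the chain (for example `notepad.exe` in place of `powershell.exe`) fails both rules, which matches the page's statement that the relaxed rule only tolerates unrecognized parameters, not unrecognized applications.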