Endpoint Agent Preferences

Introduction

On the Endpoint Agent page (Administration section), you can adjust some preferences and behavior settings for endpoint agents installed on your organization’s devices.




Overview

Partners: endpoint agent preferences are set on a per-client basis. Ensure that the Organization Selector is set to the appropriate client before continuing.


From the Endpoint Agent page (Administration section), use the toggles within the Endpoint Preferences card to enable/disable each preference.



Currently, you can adjust the following preferences:

 

Endpoint Agent Protection

This feature is turned on by default and applied globally across all endpoint devices with our agent installed. If you need to disable Agent Protection for a specific endpoint, or set of endpoints, this can be done using the bulk editing feature found on the MDR Portal's Devices page.

Visit our Help Center article to learn more about bulk editing endpoints.


Agent Protection keeps the endpoint agent running perpetually and prevents any user accounts (including administrators) from tampering with the endpoint agent. 




It protects against attempts to uninstall, terminate, or otherwise interfere with the Field Effect MDR service and driver. Here is what can be expected from this feature, given a few scenarios:

  • Attempts to uninstall the endpoint agent through Add/Remove Programs will appear to be successful. However, the uninstall will silently fail and the agent will continue running. It will also remain in the list of installed programs.
  • Attempts to stop the endpoint agent service through the Service Control Manager will fail with an 'Access Denied' error.
  • Attempts to tamper with Field Effect registry keys will fail with an 'Access Denied' error.
  • Attempts to stop or disable the Field Effect driver or service using sc.exe on the command line will fail with an 'Access Denied' error.
  • Attempts to delete or rename Field Effect executables will fail with an 'Access Denied' error.
  • Attempts to terminate the Field Effect process through the task manager or command line will fail with an 'Access Denied' error.


Disabling Endpoint Protection

After an endpoint agent is uninstalled, it will continue to appear on the Devices page for 60 days.


Disabling the feature globally

If you decide that you want to disable endpoint protection globally, then you can do so using the toggle. 


Disabling the feature for specific users

If you need to uninstall our endpoint agent from a specific device or set of devices, use the Devices page's Bulk Edit functionality.


With bulk editing, you can disable agent protection for only the devices that you are servicing, while keeping the rest of your fleet protected. See our Help Center article on Bulk Editing Endpoints.


System Notifications (Active Response)

Enabling this preference will display a system tray icon on every device running the endpoint agent. Notifications will also be sent to the user when a process has been blocked/terminated.


Note: system notifications will not give the user context about the event that was blocked; they will only notify the user that the block occurred. The notification’s corresponding ARO will contain detailed information and context.


Customizing the System Notification Message

See Active Protection: System Notifications for more on customizing Active Protection system notifications.

