implement Cylance PROTECT generalization

[MathiasK-SVA]

Fixes #89 - implements Cylance PROTECT generalization during preparation phase

[matthias-schlimm]

looks good so far, but ozzy must test it on custome rlevel

[matthias-schlimm]

let the pull request open until the script is fully tested

[ozzy01]

Hey guys, quick dumb question. This does look like the generalizations reg keys we know of, but errors out when testing due to the BIS-F PowerShell commandlets not being loaded. Was I not supposed to just run this as normal to test it or do I need to load your PowerShell commandlets first and run from somewhere else? The keys it is looking to delete are the ones we have noted for generalization.

[matthias-schlimm]

Checkout https://eucweb.com/kba/27190824

[ozzy01]

Perfect. I eft for day, but will run through next week when I am at synergy. See you guys there maybe.

[ozzy01]

Alright, so ran on our production image and this is what we have:

• It runs through OK and the big three reg keys for 'FP' 'FPMASK' and 'FPVERSION' are cleared out as we need.

• The 'SelfProtectionLevel' might be unique to something as I don't have that key at all. So maybe that is only turned on/or there is some other feature is enabled via management consoles. I'm not sure. But it doesn't error out on it, so no big deal.

• It does error on stopping the service, but I don't think it really needs to try and do so. With ours, Cyclance locks down the service and greys that out altogether so I can't even try to stop it manually which is why I am guessing the script is erroring on that before proceeding through and doing the reg keys.

• As mentioned, would probably be nice to also have the compatibility mode reg key as an option to enabled/disable as part of this one. Most all CVAD/RDSH environments will probably need it enabled. This script doesn't address that setting.

Here is screenshot:

[ozzy01]

@matthias-schlimm just wanted to make sure you saw my comment above. We have now been running the generalization part within the BIS-F framework for a bit and sealed several times. All good there (outside of it showing failed on stopping service as mentioned above). So yea, just the CTX recommended 'compatibility mode' would be a nice option to enable/disable as well for most environments to get added in for that one registry key.

[matthias-schlimm]

Yes, will update the code shorty to use the compatibility mode as you described

…

Am 07.06.2019 um 18:48 schrieb ozzy01 ***@***.***>: @matthias-schlimm just wanted to make sure you saw my comment above. We have now been running the generalization part within the BIS-F framework for a bit and sealed several times. All good there (outside of it showing failed on stopping service as mentioned above). So yea, just the CTX recommended 'compatibility mode' would be a nice option to enable/disable as well for most environments to get added in for that one registry key. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.