NOTE: The possible start types are: boot | system | auto | demand | disabled | delayed-auto
Live Response is enabled by default and can be disabled by a request to Support.
The event that is sent when the service is disabled contains the original start type and displays in the user interface. The user needs this data to return the start type to its original value. If the start type changes to boot, auto or delayed-auto, they must reboot.
Malicious services that run at start-up have the potential to execute and impact the endpoint before the sensor starts up.
If the sensor disables the malware service, the service(s) remain in disabled state across reboots, and therefore cannot execute at startup.
If a service binary in question was not malicious or if some other tool is used to clean the malware, then the sensor will not automatically enable the service again.
This feature only applies to files with a Known Malware reputation, so it is possible that files with Company Blacklist, Suspect/Heuristic Malware, Adware/PUP Malware reputation may execute on device boot-up if they are started before the sensor service
This feature will not take effect if prevention rule "Known malware Runs or is running" Deny\Terminate is not enabled on the device policy