Office Plugin
Cyberhaven makes use of a set of Office plugins to trace and block user actions performed in Office applications such as Outlook, Word, Excel, and PowerPoint. The following four plugins are installed along with the Sensor.
- CyberhavenOutlookMonitor
- CyberhavenWordMonitor
- CyberhavenExcelMonitor
- CyberhavenPowerPointMonitor
To prevent Office plugins from being automatically disabled due to performance issues or by non-admin users, you can configure them as managed add-ins by setting a registry entry. This prevents users from disabling the plugins unless they have admin privileges to remove the registry keys. This configuration can be set up using group policy objects (GPO) or other endpoint management tools.
Additionally, the Sensor sets specific Windows Registry policies when it starts. These ensure that non-admin users cannot disable the plugins via Office settings and that the system does not disable the plugins based on internal performance metrics.
The following are the Windows Registry policies set by the Sensor.
[HKEY_USERS\*\Software\Policies\Microsoft\Office\16.0\Outlook\Resiliency\AddinList]
"CyberhavenOutlookMonitor"="1"
[HKEY_USERS\*\Software\Wow6432Node\Policies\Microsoft\Office\16.0\Outlook\Resiliency\AddinList]
"CyberhavenOutlookMonitor"="1"
[HKEY_USERS\*\Software\Policies\Microsoft\Office\15.0\Outlook\Resiliency\AddinList]
"CyberhavenOutlookMonitor"="1"
[HKEY_USERS\*\Software\Wow6432Node\Policies\Microsoft\Office\15.0\Outlook\Resiliency\AddinList]
"CyberhavenOutlookMonitor"="1"
[HKEY_USERS\*\Software\Policies\Microsoft\Office\14.0\Outlook\Resiliency\AddinList]
"CyberhavenOutlookMonitor"="1"
[HKEY_USERS\*\Software\Wow6432Node\Policies\Microsoft\Office\14.0\Outlook\Resiliency\AddinList]
"CyberhavenOutlookMonitor"="1"
[HKEY_USERS\*\Software\Policies\Microsoft\Office\16.0\Word\Resiliency\AddinList]
"CyberhavenWordMonitor"="1"
[HKEY_USERS\*\Software\Wow6432Node\Policies\Microsoft\Office\16.0\Word\Resiliency\AddinList]
"CyberhavenWordMonitor"="1"
[HKEY_USERS\*\Software\Policies\Microsoft\Office\15.0\Word\Resiliency\AddinList]
"CyberhavenWordMonitor"="1"
[HKEY_USERS\*\Software\Wow6432Node\Policies\Microsoft\Office\15.0\Word\Resiliency\AddinList]
"CyberhavenWordMonitor"="1"
[HKEY_USERS\*\Software\Policies\Microsoft\Office\14.0\Word\Resiliency\AddinList]
"CyberhavenWordMonitor"="1"
[HKEY_USERS\*\Software\Wow6432Node\Policies\Microsoft\Office\14.0\Word\Resiliency\AddinList]
"CyberhavenWordMonitor"="1"
[HKEY_USERS\*\Software\Policies\Microsoft\Office\16.0\Excel\Resiliency\AddinList]
"CyberhavenExcelMonitor"="1"
[HKEY_USERS\*\Software\Wow6432Node\Policies\Microsoft\Office\16.0\Excel\Resiliency\AddinList]
"CyberhavenExcelMonitor"="1"
[HKEY_USERS\*\Software\Policies\Microsoft\Office\15.0\Excel\Resiliency\AddinList]
"CyberhavenExcelMonitor"="1"
[HKEY_USERS\*\Software\Wow6432Node\Policies\Microsoft\Office\15.0\Excel\Resiliency\AddinList]
"CyberhavenExcelMonitor"="1"
[HKEY_USERS\*\Software\Policies\Microsoft\Office\14.0\Excel\Resiliency\AddinList]
"CyberhavenExcelMonitor"="1"
[HKEY_USERS\*\Software\Wow6432Node\Policies\Microsoft\Office\14.0\Excel\Resiliency\AddinList]
"CyberhavenExcelMonitor"="1"
[HKEY_USERS\*\Software\Policies\Microsoft\Office\16.0\PowerPoint\Resiliency\AddinList]
"CyberhavenPowerPointMonitor"="1"
[HKEY_USERS\*\Software\Wow6432Node\Policies\Microsoft\Office\16.0\PowerPoint\Resiliency\AddinList]
"CyberhavenPowerPointMonitor"="1"
[HKEY_USERS\*\Software\Policies\Microsoft\Office\15.0\PowerPoint\Resiliency\AddinList]
"CyberhavenPowerPointMonitor"="1"
[HKEY_USERS\*\Software\Wow6432Node\Policies\Microsoft\Office\15.0\PowerPoint\Resiliency\AddinList]
"CyberhavenPowerPointMonitor"="1"
[HKEY_USERS\*\Software\Policies\Microsoft\Office\14.0\PowerPoint\Resiliency\AddinList]
"CyberhavenPowerPointMonitor"="1"
[HKEY_USERS\*\Software\Wow6432Node\Policies\Microsoft\Office\14.0\PowerPoint\Resiliency\AddinList]
"CyberhavenPowerPointMonitor"="1"
The registry keys are protected by standard Windows permissions, which means that only Admin users can make changes to them. Cyberhaven sets these values only if there are no pre-existing values set for the same keys. This allows a system admin to set up their own policies through GPO without the risk of Cyberhaven overwriting any custom values that were set by the admin.
Outlook Plugin
The OutlookMonitor plugin can trace Outlook email attachments even when the default Cached Exchange Mode is disabled.
If Microsoft Outlook is running in a user's session when the Cyberhaven Sensor is first installed, email flows involving Outlook will not be tracked until Outlook is restarted. Until then, sensor health may be degraded, with the console showing a "Restart Outlook" message under the required action column in the endpoint sensor management screen.
Troubleshooting
The workflow to debug issues is to go through the following steps:
- Confirm that the issue manifests without the Outlook plugin.
- Send a diagnosis bundle.
- Send support TRACE-level logs.
  - Enabling TRACE level debugging for Outlook:
    - Close Outlook if it is running.
    - Open Notepad as administrator.
    - From Notepad, open file c:\program files\cyberhaven\settings core.json (it might require changing the file type in the file open dialog to "All files" to view the file).
    - Locate this section:
        "Logging": { "Level": "INFO", "PushIntervalSeconds": 60 },
      and change it to:
        "Logging": { "Level": "TRACE", "PushIntervalSeconds": 60 },
    - Close the file.
    - Start Outlook.
Note: Running with TRACE level for Outlook has high overhead, so please revert the change back to INFO as soon as the issue has been reproduced.
Temporarily disable the Outlook plugin on a host
WARNING: Use only for debugging on hosts that are experiencing issues. Changes made to the local registry must be reverted manually to restore the plugin.
- Open regedit as Administrator.
- Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins\CyberhavenOutlookMonitor
- Rename value Manifest to something else, e.g., !Manifest as shown in the screenshot below.
- (Re)Start Outlook.
- To restore functionality, close Outlook, rename the value back to Manifest, and start Outlook again.
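To audit the managed add-in policy values listed under Office Plugin, and to confirm that a plugin disabled for debugging was restored, a check like the following can be run from an elevated PowerShell prompt. It is an added example, not Cyberhaven's own code; it assumes the * in the documented paths stands for every user hive loaded under HKEY_USERS, and the status labels are names chosen here.

```powershell
# Added example, not vendor code: audit the policy values and add-in key named on this page.
$addins = [ordered]@{
    Outlook    = 'CyberhavenOutlookMonitor'
    Word       = 'CyberhavenWordMonitor'
    Excel      = 'CyberhavenExcelMonitor'
    PowerPoint = 'CyberhavenPowerPointMonitor'
}
$versions    = '16.0', '15.0', '14.0'
$policyRoots = 'Software\Policies', 'Software\Wow6432Node\Policies'

# Assumption: "*" in the documented paths means every user hive loaded under HKEY_USERS.
$sids = (Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue).PSChildName |
    Where-Object { $_ -notlike '*_Classes' }

$report = foreach ($sid in $sids) {
  foreach ($app in $addins.Keys) {
    foreach ($ver in $versions) {
      foreach ($root in $policyRoots) {
        $name  = $addins[$app]
        $key   = "Registry::HKEY_USERS\$sid\$root\Microsoft\Office\$ver\$app\Resiliency\AddinList"
        $value = $null
        if (Test-Path -LiteralPath $key) {
            $value = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).$name
        }
        # "1" is the value the Sensor writes; any other value is a pre-existing
        # admin setting, which the page says the Sensor does not overwrite.
        $status = 'CustomValue'
        if ($null -eq $value) { $status = 'Missing' }
        if ("$value" -eq '1') { $status = 'SensorDefault' }
        [pscustomobject]@{ Sid = $sid; App = $app; Version = $ver
                           Root = $root; Value = $value; Status = $status }
      }
    }
  }
}

# The debugging procedure renames "Manifest"; a missing value means it was never renamed back.
$addinKey = 'HKLM:\SOFTWARE\Microsoft\Office\Outlook\Addins\CyberhavenOutlookMonitor'
$manifest = (Get-ItemProperty -LiteralPath $addinKey -ErrorAction SilentlyContinue).Manifest
if (-not $manifest) {
    Write-Warning "No 'Manifest' value under $addinKey; the Outlook plugin may still be disabled."
}

# Show only entries that differ from the values listed on this page.
$report | Where-Object Status -ne 'SensorDefault' |
    Sort-Object Sid, App, Version | Format-Table -AutoSize
```

Rows marked CustomValue are worth reviewing against your GPO, since the Sensor leaves existing values in place.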