Detections

The Detections section gives you an overview of detections found on devices managed by your account. Group structure is displayed on the left.

You can browse groups and view detections found on members of a given group. To view all detections found on clients assigned to groups for your account, select the All group and remove any applied filters.

Detection types

Active detections - Active detections are threats that have not been cleaned yet. They can be cleaned by running an In-Depth Scan with cleaning enabled on the target machine.

Resolved threats - These are threats that have been marked by a user as resolved, however they have not yet been scanned using In-Depth Scan. Devices with threats marked as resolved will still be displayed in the filtered results list until scanning is performed.


Detection status

There are two types of detections based on their status:

Active detections - Active detections are detections that have not been cleaned yet. To clean the detection, run an In-Depth Scan with cleaning enabled on the folder that contains the detection. The scan task must finish successfully for the detection to be cleaned and no longer reported. If a user does not resolve an active detection within 24 hours from its discovery, it loses the Active status but it stays unresolved.

Resolved detections - These are detections that have been marked by a user as resolved, however they have not yet been scanned using In-Depth Scan. Devices with detections marked as resolved will still be displayed in the filtered results list until scanning is performed.

Aggregation of detections

In ECA, detections are aggregated by time and other criteria to simplify their resolution. Aggregation is performed automatically after 24 hours. You can identify aggregated detections by the X/Y (resolved items/total items) value in the Resolved column. You can see the list of aggregated detections in the Occurrences tab in detection details.

Filtering detections

By default, all detection types from the last seven days are shown, including detections that have been successfully cleaned. You can filter the detections by several criteria: Computer Muted and Occurred are visible by default. For a more specific view, you can add other filters, such as Detection Category (Antivirus, Firewall, HIPS, and Web protection), Detection Type, the IP Address of the client that reported the detection or the name of the Scan. For information on ransomware detection, see the Ransomware Shield chapter.
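The status rules above (Active for 24 hours, then unresolved; Resolved until an In-Depth Scan confirms it), the X/Y aggregation value, and the default seven-day filter can be modelled in a few functions. The following is an added illustration written for this page, not ECA code; the dataclass fields, the (device, threat, path) aggregation key, and the sample detections are assumptions constructed to show the documented behaviour.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

ACTIVE_WINDOW = timedelta(hours=24)      # page: Active status lapses after 24 hours
DEFAULT_FILTER_WINDOW = timedelta(days=7)  # page: last seven days shown by default


@dataclass
class Detection:
    """Minimal model of one detection row (assumed field set, not ECA's schema)."""
    device: str
    threat: str
    path: str
    category: str            # Antivirus, Firewall, HIPS or Web protection
    client_ip: str
    occurred: datetime
    cleaned: bool = False          # set after a successful In-Depth Scan with cleaning
    marked_resolved: bool = False  # set by a user via Mark As Resolved


def detection_status(d: Detection, now: datetime) -> str:
    """Classify a detection as 'cleaned', 'resolved', 'active' or 'unresolved'."""
    if d.cleaned:
        return "cleaned"
    if d.marked_resolved:
        return "resolved"   # still listed until an In-Depth Scan confirms removal
    if now - d.occurred <= ACTIVE_WINDOW:
        return "active"
    return "unresolved"     # older than 24 h and untouched: no longer Active, still open


def filter_detections(detections: List[Detection], now: datetime,
                      window: timedelta = DEFAULT_FILTER_WINDOW,
                      category: Optional[str] = None,
                      client_ip: Optional[str] = None) -> List[Detection]:
    """Apply the default time window plus optional Detection Category / IP Address filters.
    Cleaned detections are kept, matching the page's default view."""
    out = []
    for d in detections:
        if now - d.occurred > window:
            continue
        if category is not None and d.category != category:
            continue
        if client_ip is not None and d.client_ip != client_ip:
            continue
        out.append(d)
    return out


Key = Tuple[str, str, str]


def aggregate(detections: List[Detection], now: datetime) -> Dict[Key, dict]:
    """Group occurrences of the same threat on the same device/path and compute the
    X/Y (resolved items / total items) value shown in the Resolved column.
    Assumption: an item counts as resolved when it is cleaned or marked resolved."""
    groups: Dict[Key, List[Detection]] = {}
    for d in detections:
        groups.setdefault((d.device, d.threat, d.path), []).append(d)
    summary: Dict[Key, dict] = {}
    for key, items in groups.items():
        statuses = [detection_status(d, now) for d in items]
        resolved = sum(s in ("cleaned", "resolved") for s in statuses)
        summary[key] = {
            "resolved": f"{resolved}/{len(items)}",          # the X/Y value
            "occurrences": sorted(d.occurred for d in items),  # the Occurrences tab
            "has_active": "active" in statuses,
        }
    return summary


# Constructed sample data (not real detections).
NOW = datetime(2024, 5, 10, 12, 0)
SAMPLE_PATH = r"C:\Temp\sample.exe"
SAMPLE = [
    Detection("PC-01", "SampleThreat.A", SAMPLE_PATH, "Antivirus", "10.0.0.5",
              NOW - timedelta(hours=2)),                          # active
    Detection("PC-01", "SampleThreat.A", SAMPLE_PATH, "Antivirus", "10.0.0.5",
              NOW - timedelta(hours=30), marked_resolved=True),   # resolved, not yet scanned
    Detection("PC-02", "SampleThreat.B", r"C:\Temp\other.exe", "Antivirus", "10.0.0.6",
              NOW - timedelta(days=3), cleaned=True),             # cleaned, still shown
    Detection("PC-03", "SampleThreat.C", r"C:\Temp\old.exe", "Antivirus", "10.0.0.7",
              NOW - timedelta(days=9)),                           # unresolved, outside 7 days
]

if __name__ == "__main__":
    for key, info in aggregate(filter_detections(SAMPLE, NOW), NOW).items():
        print(key, info["resolved"], "active" if info["has_active"] else "")
```

Running the module prints one aggregated row per device/threat/path inside the default seven-day window; PC-03's nine-day-old detection is filtered out even though it is still unresolved, which is why the page advises removing filters to see everything.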

Filters and layout customization

You can customize the current Web Console screen view:

Manage the side panel and main table.

Add filters and filter presets. You can use tags for filtering the displayed items.

Managing detections

To manage detections, click the item and select one of the available actions, or select the check box next to one or more items and use the buttons in the lower part of the Detections screen:

Scan computers - Run the On-Demand Scan Task on the device that reported the selected detection.

Show Details - See Detection details.

Computers - A list of actions you can perform on the computer where the detection was found. This list is the same as the one in the Computers section.

Mark As Resolved / Mark As Not Resolved - You can mark detections as resolved/not resolved here or in Computer details.

Run Task - Run an existing task and create a trigger to complete the task.

The following actions are available only for Antivirus detections (files with known paths):

Scan Path - Create the On-Demand Scan Task with pre-defined paths and targets.

Create Exclusion - Create detection exclusions.