Antivirus

In the first tile, you can find the following details:

Name—the name of the threat, if it is known

Occurred—date and time of occurrence

Accessing process—the name of the process that accessed the file, with its integrity level

Command Line—the command line that the triggering process was started with

Username—the name of the user that was logged in when the event happened

User Role—if available, the role of the user listed in Username

 

In the second tile, you can find the following details:

Triggering Executable—the executable that triggered the detection. By clicking the name of the executable, you are redirected to the Executable details tab

SHA-1—hash of the executable. By clicking the down arrow next to the hash, a context menu shows up with two options:

o Look up the hash on the preferred virus search page, which you can define in the Server Settings tab. By default, this is the VirusTotal search page

o Copy to clipboard—copies the hash to your clipboard for further use

Signature Type—information whether the file is signed or not and how it is signed (Trusted/Valid/None/Invalid/Unknown)

Signer Name—if the file is signed, here you can see the signer of the file

Seen on—the number of computers on which the file was discovered. After clicking on it, you are redirected to the Computers view with a filtered Computers list

First Seen—when an executable was first seen on any computer in a monitored network

Last Executed—when an executable was last executed on any computer in a monitored network

 

In the third tile, you can find the following details:

Reputation (LiveGrid®)—a number from 1 to 9 indicating how safe the file is: 1-2 (red) is malicious, 3-7 (yellow) is suspicious, 8-9 (green) is safe

Popularity (LiveGrid®)—how many computers reported the executable to LiveGrid®

First Seen (LiveGrid®)—when the executable was first seen on any computer connected to LiveGrid®

 

In the fourth tile, you can find the following details:

Computer—the name of the computer where the detection was triggered. After clicking the computer name, you are redirected to Computer details

Group—the name of the group of computers to which this particular computer is assigned

Last connected—the last time the computer's permanent connection to the server was refreshed. The agent keeps this connection open to receive notifications about blocked hashes, requests to download a file, kill a process, and so on. The refresh interval is 90 seconds

 

The process tree on the right side—the process tree reflects the parent-child relationship between processes: child processes are shown directly beneath their parent, indented to the right. Processes that are left-justified are orphans whose parent has already exited. If the detected file was never executed, there is no accessing process and the tree is not shown.

 

Each detection includes the following details:

Detection Type

o Rule—Detections that were triggered based on rules

o Blocked—Detections that were triggered by matching the blocked hashes listed in the Admin section

o Antivirus—Detections that were triggered by ESET Endpoint Security itself, after a scan or by real-time protection

o Firewall—Detections that were triggered by ESET Endpoint Security itself, for example, when a Firewall rule was triggered

o HIPS—Detections that were triggered by ESET Endpoint Security itself when HIPS protection detects an intrusion

o Filtered Websites—Detections that were triggered by ESET Endpoint Security itself when a website is on the PUA, Internal, or Anti-Phishing blacklist

Scanner—which Endpoint scanner prevented the potential threat

Threat Type—appears only when the detection was triggered by a blocked hash or by ESET Endpoint Security:

o Malware—malicious software

o Potentially unwanted application—PUAs are not necessarily intended to be malicious but may affect the performance of your computer in a negative way

o Hash blocked by Enterprise Inspector—as the name says, the file was blocked by a hash that was added in the Blocked Hashes section

o Suspicious applications—include programs compressed by packers or protectors. These types of protectors are often exploited by malware authors to evade detection

Threat Name—the name of the threat; it can be looked up in the threat encyclopaedia at http://www.virusradar.com/en/threat_encyclopaedia

Path—path to the executable that triggered the detection

URI—the URL which caused this detection to trigger

Occurred—date and time when the event occurred

Triggered—date and time when the detection was triggered

Threat Handled—shows whether an action was taken against this detection

Restart Needed—shows if restart is needed to resolve this detection

Action Taken—one of the following actions is listed:

o Cleaned—the harmful code was removed from the executable

o Deleted—the executable was deleted

o Connection terminated—the connection was terminated before the infection could do harm

o Cleaned by deleting—the threat was cleaned by deleting the executable

o Was a part of the deleted object—the executable was part of a deleted archive

o Marked for deletion—the executable is inaccessible and is marked for manual deletion

o Blocked—access to the executable was blocked, but the executable remains on disk

Priority—the priority of the detection. This can be changed via Priority buttons at the bottom

Severity—shows the severity of the detection: Threat, Warning, or Info

Severity Score—a more precise definition of severity: 1-39 is Info, 40-69 is Warning, 70-100 is Threat

Resolved—shows whether the detection is marked as Resolved. This status can be changed via the buttons at the bottom of the window

Note—the place where a user can put a note for this detection. You can add the note by clicking the blue Set note link on the right side of the window
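The status fields above (Severity Score, Threat Handled, Action Taken, Restart Needed, Resolved) are what an analyst reads to decide which detections still need work. The following is an added example, not ESET Enterprise Inspector code: it maps the Severity Score to the Severity label using the ranges given on this page and builds a follow-up queue from the Action Taken values that leave something on disk or pending a reboot. The detection records are constructed, and their dict layout and the threat names are assumptions for illustration.

```python
"""Triage Antivirus detections by the status fields shown on the details page.

Added example, not ESET code. Records are constructed; the dict keys mirror the
field names on the page, but the layout itself is an assumption.
"""


def severity_label(score: int) -> str:
    """Map the Severity Score (1-100) to the Severity shown on the page."""
    if not 1 <= score <= 100:
        raise ValueError(f"severity score out of range: {score}")
    if score >= 70:
        return "Threat"
    if score >= 40:
        return "Warning"
    return "Info"


# Action Taken values after which the file, or the machine, still needs attention.
NEEDS_FOLLOWUP = {
    "Marked for deletion": "file inaccessible, delete manually",
    "Blocked": "access blocked but executable remains on disk",
}


def followups(det: dict) -> list:
    """Return the reasons a detection still needs an analyst, [] if none."""
    reasons = []
    if not det["Threat Handled"]:
        reasons.append("no action taken against the threat")
    action = det.get("Action Taken")
    if action in NEEDS_FOLLOWUP:
        reasons.append(NEEDS_FOLLOWUP[action])
    if det.get("Restart Needed"):
        reasons.append("restart needed to finish cleaning")
    return reasons


def triage(detections: list) -> list:
    """Unresolved detections that need follow-up, highest Severity Score first."""
    queue = []
    for det in detections:
        if det.get("Resolved"):
            continue  # already closed by an analyst, skip
        reasons = followups(det)
        if reasons:
            queue.append({
                "Computer": det["Computer"],
                "Threat Name": det["Threat Name"],
                "Severity": severity_label(det["Severity Score"]),
                "Severity Score": det["Severity Score"],
                "Follow-up": reasons,
            })
    return sorted(queue, key=lambda d: d["Severity Score"], reverse=True)


# Constructed sample records (hostnames and threat names are placeholders).
SAMPLE_DETECTIONS = [
    {"Computer": "WS-0412", "Threat Name": "Win32/Example.A", "Severity Score": 85,
     "Threat Handled": True, "Action Taken": "Cleaned by deleting",
     "Restart Needed": False, "Resolved": False},
    {"Computer": "WS-0198", "Threat Name": "Win32/Example.A", "Severity Score": 85,
     "Threat Handled": True, "Action Taken": "Marked for deletion",
     "Restart Needed": True, "Resolved": False},
    {"Computer": "SRV-FS01", "Threat Name": "Win32/Example.B", "Severity Score": 92,
     "Threat Handled": False, "Action Taken": None,
     "Restart Needed": False, "Resolved": False},
    {"Computer": "WS-0077", "Threat Name": "Win32/Example.C", "Severity Score": 35,
     "Threat Handled": True, "Action Taken": "Blocked",
     "Restart Needed": False, "Resolved": True},
]

if __name__ == "__main__":
    for item in triage(SAMPLE_DETECTIONS):
        print(item["Computer"], item["Severity"], item["Severity Score"], item["Follow-up"])
```

Of the four constructed records, only the unhandled detection on SRV-FS01 and the "Marked for deletion" plus "Restart Needed" one on WS-0198 reach the queue; the cleanly deleted file and the already Resolved entry drop out.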

Accessing Process—the name of the process (with its Process ID) that triggered the detection. After clicking the name, you are redirected to the Process Details

Command Line—the command line the accessing process was started with

Path—the path to the executable image of the accessing process

Integrity Level—represented by an arrow in the process tree, in the grid of the Detections tab, and everywhere else the process name is present. These levels are present:

o Untrusted—blue arrow down; blocks most write access to the majority of objects

o Low—blue arrow down; blocks most write access to registry keys and file objects

o Medium—no icon; the default level for most processes when UAC is enabled on the system

o High—red arrow up; most processes run at this level if UAC is disabled and the currently logged-on user is an administrator

o System—red arrow up; a level reserved for system-level components

o Protected process—red arrow up; used by some anti-malware services, it only allows trusted, signed code to load and has built-in defense against code injection attacks
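The process tree described earlier on this page and the integrity arrows listed above can be reproduced from plain process records. The following is an added example, not ESET Enterprise Inspector code: it rebuilds the parent-child tree, indents children beneath their parent, left-justifies orphans whose parent has exited, and prints the down/up arrow for each integrity level. The process records are constructed, and the record fields (pid, ppid, name, integrity, started) are assumptions; in particular the start-order field is assumed so that a PID reused by a later process is not mistaken for a live parent.

```python
"""Rebuild the process tree shown beside an Antivirus detection.

Added example, not ESET code. Process records are constructed and their fields
are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Arrow shown next to a process name for each integrity level (see the list above).
ARROW = {
    "Untrusted": "v",          # blue arrow down
    "Low": "v",                # blue arrow down
    "Medium": "",              # no icon
    "High": "^",               # red arrow up
    "System": "^",             # red arrow up
    "Protected process": "^",  # red arrow up
}


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    integrity: str
    started: int  # start order (assumed monotonic); used to catch PID reuse


def build_tree(procs: List[Proc]) -> Tuple[List[Proc], Dict[int, List[Proc]]]:
    """Return (roots, children). Roots are the left-justified processes.

    A process is a root when its parent is unknown or has exited. A PID that
    was reused by a process started *after* the child is not its parent.
    """
    by_pid = {p.pid: p for p in procs}
    children: Dict[int, List[Proc]] = {}
    roots: List[Proc] = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent is None or parent is p or parent.started > p.started:
            roots.append(p)  # orphan: parent gone, or its PID was reused
        else:
            children.setdefault(parent.pid, []).append(p)
    return roots, children


def orphans(procs: List[Proc]) -> List[int]:
    """PIDs whose parent has exited (roots other than the kernel root, ppid 0)."""
    roots, _ = build_tree(procs)
    return [p.pid for p in roots if p.ppid != 0]


def render(procs: List[Proc]) -> List[str]:
    """Tree lines: children indented beneath their parent, orphans left-justified."""
    roots, children = build_tree(procs)
    lines: List[str] = []

    def walk(p: Proc, depth: int) -> None:
        arrow = ARROW.get(p.integrity, "?")
        label = f"{p.name} ({p.pid})" + (f" {arrow}" if arrow else "")
        lines.append("  " * depth + label)
        for child in sorted(children.get(p.pid, []), key=lambda c: c.started):
            walk(child, depth + 1)

    for root in sorted(roots, key=lambda r: r.started):
        walk(root, 0)
    return lines


# Constructed sample: an Office-to-PowerShell chain ending in a low-integrity
# dropper, plus PID 900, which explorer.exe's original parent used and which a
# later svchost.exe now occupies.
SAMPLE = [
    Proc(4, 0, "System", "System", 0),
    Proc(700, 4, "services.exe", "System", 1),
    Proc(1234, 900, "explorer.exe", "Medium", 5),
    Proc(2000, 1234, "WINWORD.EXE", "Medium", 10),
    Proc(2100, 2000, "cmd.exe", "Medium", 11),
    Proc(2200, 2100, "powershell.exe", "Medium", 12),
    Proc(2300, 2200, "update.tmp.exe", "Low", 13),
    Proc(900, 700, "svchost.exe", "System", 20),
]

if __name__ == "__main__":
    print("\n".join(render(SAMPLE)))
```

Without the start-order comparison, explorer.exe would be drawn beneath the newer svchost.exe that happens to hold PID 900; with it, explorer.exe is correctly left-justified as an orphan, and the chain beneath it ends in the low-integrity dropper marked with the down arrow.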

Computer—the name of the computer where the detection was triggered. After clicking the computer name, you are redirected to Computer details. You can also click "View detections on this computer", to the right of the computer name, to be redirected to the detections list of this particular computer

Suspicious Executable—the executable that triggered the detection. After clicking the name, you are redirected to the Executable Details

SHA-1—hash of the executable. By clicking the down arrow next to the hash, a context menu shows up with two options:

o Look up the hash on the preferred virus search page, which you can define in the Server Settings tab. By default, this is the VirusTotal search page

o Copy to clipboard—copies the hash to your clipboard for further use

Signature Type—information whether the file is signed or not and how it is signed (Trusted/Valid/None/Invalid/Unknown)

Signer Name—if the file is signed, here you can see the signer of the file

File Description—The full description of the file, for example, "Keyboard Driver for AT-Style Keyboards"

Seen on—the number of computers on which the file was discovered. After clicking on it, you are redirected to the Computers view with a filtered computers list

First Seen—when an executable was first seen on any computer in a monitored network

Inspected—whether the executable has been marked as inspected by a user

Reputation (LiveGrid®)—a number from 1 to 9 indicating how safe the file is: 1-2 (red) is malicious, 3-7 (yellow) is suspicious, 8-9 (green) is safe

Popularity (LiveGrid®)—how many computers reported the executable to LiveGrid®

First Seen (LiveGrid®)—when an executable was first seen on any computer connected to LiveGrid®

Username—the name of the user/account that was logged in when the detection was raised

Full name—the user's full name, if available from Active Directory

Job Position—the user's job position, if available from Active Directory

User Department—the user's department, if available from Active Directory

User Description—the user's description, if available from Active Directory

Audit Log—here you see the actions that were taken on this detection; currently Resolved, Unresolved, Commented, and Priority Changed

Comments—the place where a user can put comments for this detection. You can add a comment by clicking the blue Add comment link

 

At the bottom of the page, there are several action buttons available.