ESET Online Help

Search
Select the category
Select the topic

Detection details

There are the following tiles with details about the detection:

Name—The name of the threat.

Occurred—Date and time of occurrence.

Triggering process—Shows the name of the triggering process with its integrity level.

Command Line—Shows command line that the triggering process used.

Username—Shows the name of the user that was logged when the event happened.

User Role—Show the role of the user that is listed in the Username.

Computer—Shows the name of the computer that raised the detection. After clicking the computer name, you are redirected to Computer details.

Parent Group—The name of a group of computers where this specific computer is assigned. The computer’s group can be changed in the ESET PROTECT.

Last connected—Permanent connection created to listen on notification about blocked hashes, requests to download some file, kill the process, etc. The refresh interval is 90 seconds.

 

Priority—The priority of the detection. This can be changed via Priority buttons.

SeverityShows the severity of the detection: Threat alarm_severity_threat, Warning alarm_severity_warning, Infoalarm_severity_info

Severity Score—A more precise definition of severity. 1–39 > Info alarm_severity_info 40–69 > Warning alarm_severity_warning 70–100 > Threat alarm_severity_threat

Resolved—Shows whether the detection is marked as Resolved. This can be changed via Priority buttons.

Note—You can add the note by clicking the Set note blue string on the right side of the window.

Triggering Process—The name of the process (with corresponding Process ID) that triggered the detection. After clicking the name, you are redirected to the Process details.

Command Line—Show the name of the Command line filename.

Path—Appears if detection was triggered by a blocked hash or ESET Endpoint Security.

Detection Type

Rule—Filters detections triggered based on rules.

Blocked—Shows detections triggered by matching the Blocked hashes listed in the More section.

Antivirus—Shows detections triggered by ESET Endpoint Security itself, after Scan or after Real-time detection.

Firewall—Shows detections triggered by ESET Endpoint Security itself, for example, if some Firewall rule was triggered.

HIPS—Shows detections triggered by ESET Endpoint Security itself when HIPS protection detects intrusion.

Filtered Websites—Shows detections triggered by ESET Endpoint Security itself if the website is from (PUA, Internal or Anti-Phishing) blacklist.

Threat Type

Appears only if the detection was triggered by a blocked hash or the ESET Endpoint Security:

Malware—Potentially unwanted applications

Potentially unwanted application—(PUAs) are not necessarily intended to be malicious but may affect the performance of your computer in a negative way.

Hash blocked by ESET Inspect—The file was blocked by hash, that was added in Blocked Hashes section.

Suspicious applications—Include programs compressed by packers or protectors. Malware authors often exploit these types of protectors to evade detection.

Threat Name—The name of the threat that can be found in this list http://www.virusradar.com/en/threat_encyclopaedia

Triggering Executable

The executable that triggered the detection. After clicking the name, you are redirected to the Executable details.

SHA-1—Hash of the executable.

By clicking the gear gear_icon icon next to the hash, the context menu shows up, where you can use two options:

Open the Virus Total search page that you can define in the Settings tab.

Copy to clipboard—The hash to your clipboard for further use.

Signature Type—Information whether the file is signed or not and how it is signed (Trusted/Valid/None/Invalid/Unknown). If the value is Present, the executable is signed, but the ESET Inspect does not know the certificate's status. This is uncommon for Windows, but on MacOS, a signature is never verified by Endpoint, and as a result, the only possible states are Present and None.

Signer Name—If the file is signed, here you can see the signer of the file.

Seen on—The number of computers on which the file was discovered. After clicking on it, you are redirected to the Computers view, with a filtered computers list.

File Description—The full description of the file, for example, Keyboard Driver for AT-Style Keyboards.

First Seen—When an executable was first seen on any computer in a monitored network.

Reputation (LiveGrid®)—Is a number from 1 to 9, indicating how safe the file is. 1–2 Red is malicious, 3–7 Yellow is suspicious, 8–9 Green is safe.

Popularity (LiveGrid®)—How many computers reported an executable to LiveGrid®.

First Seen (LiveGrid®)—When an executable was first seen on any computer connected to LiveGrid®.

 

Popularity

On how many computers it was seen in LiveGrid®

Color

Description

0

0

red

Not seen

1

1–9

red

Low

2

10–99

yellow

Medium

3

100–999

yellow

Medium

4

1 000–9 999

yellow

Medium

5

10 000–99 999

green

High

6

100 000–999 999

green

High

7

1 000 000–9 999 999

green

High

8

10 000 000–99 999 999

green

High

9

100 000 000–999 999 999

green

High

10

1 000 000 000–9 999 999 999

green

High

11

10 000 000 000–99 999 999 999

green

High

IP Protocol—which IP Protocol was used.

Source Socket—The IP Address from which the possible attack was made.

Destination Socket—The IP Address that was the target of the possible attack.

Reporting interface—If available, MAC address of the network adapter on which we received the packet that caused the alarm.

Occurred—Shows the date and time of occurrence of the process.

Triggered—Shows the date and time when the detection was triggered.

Threat Handled—Shows whether an action was taken against this detection.

Restart Needed—Shows if the restart is needed to resolve this detection.

Action Taken

Cleaned—Executable was cleared from harmful code.

Deleted—Executable was deleted.

Connection terminated—The connection was terminated before the infection could do a harm.

Cleaned by deleting—Executable was deleted.

Was a part of the deleted object—Executable was a part of a deleted archive.

Marked for deletion—Executable is inaccessible and marked for manual deletion.

Blocked—The access to the executable was blocked, but the executable remains.


warning

Do not Block or Kill any process or executable of any Windows system processes and files. (for example, svchost.exe) Otherwise, this may cause a crash of the Operating system.

Integrity Level

Represented by the arrow in the process tree, the grid of Detections tab, and everywhere where the process name is present. These levels are present:

Untrusted—blue arrow downintegrity_blue. Blocks most write access to a majority of objects.

Low—blue arrow downintegrity_blue. Blocks most write access to registry keys and file objects.

Medium—no icon. This is the default setting for most processes when UAC has been enabled on the system.

High—red icon upintegrity_red. Most processes will have this setting if UAC is disabled and the currently logged on user is the administrator.

System—red icon upintegrity_red. This is a setting reserved for system level components.

Protected process—red icon upintegrity_red. Is used by some anti-malware services, only allows trusted, signed code to load, and has a built-in defense against code injection attacks.

Computer

Shows the name of the computer where the detection triggered. Click the computer name, you are redirected to Computer details. You can also click View detections on this computer open the Computer detection list of this specific computer.

Username

The name of the user/account that was logged in when the detection was raised.

Full name—User's full name, if available from Active Directory.

Job Position—User's job position, if available from Active Directory.

User Department—User's department, if available from Active Directory.

User Description—User's description, if available from Active Directory.


note

To display the user details, you need to define the following parameters for user in Active Directory:

ESET Inspect parameter name

Attribute name

Full Name

cn

Job Position

title

User Department

division

User Description

description

Then run synchronization task to update user information.

Audit Log

You see actions that were taken on this detection. At the moment, Resolved, Unresolved, Commented, and Priority Changed.

Comments

Add an optional comment to recognize the detection easily.

Action buttons

You can manage the detection by using the buttons in the lower part of the screen.

Detections

Open computer—Opens Computer details of the Computer on which the detection was triggered.

Open process—If the detection was triggered by Rule, redirect to Process details of the process that caused the detection.

Open parent process—If the detection has a parent process, it redirects you to the Process details of that parent process.

Mark as resolvedMarks the detection as Resolved.

Mark as not resolvedMarks the detection as Unresolved.

Create exclusionCreate an exclusion task for selected rules. You are redirected to the Create Rule Exclusion.

Edit ruleRedirected to the Edit Rule section if the detection was raised by a rule.

Edit user actionsEdit user actions for selected detection rule. Opens the Edit User Actions window.

PriorityMarks the detection as No priority/Priority I/Priority II/Priority III.

Add commentOptionally, you can add a comment.

Tags—Assign tag(s) to a detection from the list of existing, or create new custom tag(s).

Audit logGo to the Audit log tab.

Diagnostic information— Enable collection of additional diagnostic data for a selected rule.

oStart Collection— The next time the rule triggers an alarm, diagnostic information will be collected and prepared for download.

oDownload— Download the password-protected ZIP archive containing diagnostic data for a selected rule. The password is displayed on the download screen. After the download is finished, the collection will stop.

Incident

Create an incident report, add to currently active, or add to (last 3 incidents).

Remediation

Protect network

Block executable—Prevent the executable from running by blocking it based on the SHA-1 hash. The blocked executable will appear in the Blocked Hashes section.

Clean & block executable—Delete the executable file and add it to Blocked Hashes to prevent future occurrences.

Isolated from Network—Block all network communication on the computer, except the connection between ESET security products.

Protect computer

Kill process on this computer—Kill the running process that triggered the detection.

Scan computer for malware—Run On-demand computer scan.

Shutdown computer—Send the command to shut the computer down.

Kill process

Kill selected process on this computer.

Computer

scan—Sends the command to Endpoint to start an immediate scan of the computer.

SysInspector logGenerate the SysInspector log and review it in the computer's details (or use the Action button).

Reboot/ShutdownSends the command to reboot or shut down the computer.

IsolateIsolate the computer from the network (only connections between ESET Security products are available). If required, you can also End isolation (available only for Windows endpoints; File Security from 7.2.12003.0).

Details (Protect)—Go to the ESET PROTECT Web Console.

Executable

BlockGo to the Block Hashes tab.

Download file—The download window for the affected process appears.

Submit to ESET LiveGuard—Manually submitting file to the ESET LiveGuard analysis. This feature is available from ESET PROTECT version 10.1 or later.