ESET Online Help


Detection details

The tiles below show detection details:

Name—The threat name.

Occurred—Date and time of occurrence.

Triggering process—The triggering process' name and integrity level.

Command Line—The command line that the triggering process used.

Username—The name of the user who was logged in when the event occurred.

User Role—The role of the user shown under Username.

Computer—The name of the computer that raised the detection. Click the computer name to open Computer details.

Parent Group—The computer group the computer is assigned to. You can change the computer's group in ESET PROTECT On-Prem.

Last connected—The last time the computer checked in over its permanent connection. The connection refreshes every 90 seconds and carries blocked hash notifications and requests to download a file or kill a process.


Priority—The detection's priority, which you can change via Priority buttons.

Severity—Shows the detection's severity: Threat, Warning or Info.

Severity Score—A numeric severity from 1 to 100 that maps to the severity shown: 1–39 is Info, 40–69 is Warning, 70–100 is Threat.

Resolved—Shows whether the detection is resolved. You can change it with the Mark as resolved and Mark as not resolved buttons.

Note—A text field for adding notes. Click the blue Set note link on the right side of the window.

Triggering Process—The name and ID of the process that triggered the detection. Click the name to open Process details.

Command Line—The command line the triggering process was started with.

Path—The file's path, shown as a link if a blocked hash or ESET Endpoint Security triggered the detection.

Detection Type

Rule—Shows detections triggered by an ESET Inspect rule.

Blocked—Shows detections triggered by matching the Blocked hashes listed in the More section.

Antivirus—Shows detections triggered by ESET Endpoint Security, after Scan or Real-time detection.

Firewall—Shows detections triggered by ESET Endpoint Security, for example, if a Firewall rule was triggered.

HIPS—Shows detections triggered by ESET Endpoint Security when HIPS protection detects an intrusion.

Filtered Websites—Shows detections triggered by ESET Endpoint Security if the website is on a blacklist (PUA, Internal or anti-phishing).

Threat Type

Threat types appear if a blocked hash or ESET Endpoint Security triggered the detection:

Malware—Malicious code detected by ESET Endpoint Security.

Potentially unwanted application (PUA)—A PUA may not be malicious but can negatively affect the computer's performance.

Hash blocked by ESET Inspect—The file was blocked by its hash, which you added in the Blocked Hashes section.

Suspicious applications—Programs compressed by packers or protectors, which malware authors use to evade detection.

Threat Name—The name of the threat, as listed in the ESET threat encyclopaedia: http://www.virusradar.com/en/threat_encyclopaedia

Triggering Executable

The executable that triggered the detection. Click the name to be redirected to Executable details.

SHA-1—The executable's SHA-1 hash.

Click the gear icon next to the hash to open a context menu with two options:

Open the VirusTotal search page; the search URL is configured in the Settings tab.

Copy to clipboard to copy the hash to your clipboard.

Signature Type—The signature status, if the executable is signed: Trusted, Valid, None, Invalid, Unknown or Present. Present means the executable is signed but ESET Inspect cannot determine the certificate's status. This is uncommon on Windows; on macOS, Endpoint does not verify signatures, so the only states are Present or None.

Signer Name—The file signer, if applicable.

Seen on—The computers where the file was discovered. Click Seen on to be redirected to the Computers view, where you can find a filtered list.

File Description—The file's full description.

First Seen—When an executable was first seen on any computer in a monitored network.

Reputation (LiveGrid®)—A number from 1 to 9, indicating how safe the file is: 1–2 (red) is malicious, 3–7 (yellow) is suspicious, 8–9 (green) is safe.

Popularity (LiveGrid®)—How many computers reported an executable to LiveGrid®.

First Seen (LiveGrid®)—When an executable was first seen on any computer connected to LiveGrid®.


Popularity (LiveGrid®) levels:

Popularity   Computers reporting the file (LiveGrid®)   Color    Description
0            0                                          Red      Not seen
1            1–9                                        Red      Low
2            10–99                                      Yellow   Medium
3            100–999                                    Yellow   Medium
4            1 000–9 999                                Yellow   Medium
5            10 000–99 999                              Green    High
6            100 000–999 999                            Green    High
7            1 000 000–9 999 999                        Green    High
8            10 000 000–99 999 999                      Green    High
9            100 000 000–999 999 999                    Green    High
10           1 000 000 000–9 999 999 999                Green    High
11           10 000 000 000–99 999 999 999              Green    High

IP Protocol—The IP Protocol used.

Source Socket—The IP address and port the possible attack originated from.

Destination Socket—The IP address and port that was the target of the possible attack.

Reporting interface—If available, the network adapter's MAC address that received the packet causing the alarm.

Occurred—The date and time the event occurred.

Triggered—The date and time when the detection was triggered.

Threat Handled—Shows if action was taken against the detection.

Restart Needed—Shows if a restart is needed to resolve the detection.

Action Taken

Cleaned—The harmful code was removed from the executable.

Deleted—Executable was deleted.

Connection terminated—The connection was terminated before the infection could do harm.

Cleaned by deleting—The object was cleaned by deleting the executable.

Was a part of the deleted object—Executable was a part of a deleted archive.

Marked for deletion—Executable is inaccessible and marked for manual deletion.

Blocked—Access was blocked, but the executable remains.


warning

Do not Block or Kill any Windows system processes or executables, such as svchost.exe. This may cause an operating system crash.

Integrity Level

Represented by an arrow in the process tree, in the Detections tab grid, and wherever the process name appears. The integrity levels are:

Untrusted—Blue down arrow. Blocks most write access to the majority of objects.

Low—Blue down arrow. Blocks most write access to registry keys and file objects.

Medium—No icon. The default for most processes when UAC is enabled.

High—Red up arrow. Most processes run at this level if UAC is disabled and the logged-in user is an administrator.

System—Red up arrow. Reserved for system-level components.

Protected process—Red up arrow. Used by some antimalware services to load only trusted, signed code; it includes a built-in defense against code injection attacks.
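To check these levels on a host directly, outside the ESET Inspect console, the following added PowerShell example (not ESET's code) reads the mandatory integrity label from each running process's token with GetTokenInformation(TokenIntegrityLevel) and prints it next to the arrow ESET Inspect would show for it. It assumes a Windows host and works best from an elevated prompt; the RID-to-name mapping, the Medium Plus entry (which the list above does not include) and the "n/a" string for processes the caller cannot open are this example's own choices, not ESET's.

```powershell
# Added example, not ESET's code: list processes with their integrity level.
# Assumption: RID values follow the SECURITY_MANDATORY_*_RID constants from winnt.h.
$source = @'
using System;
using System.Runtime.InteropServices;
public static class IntegrityQuery {
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass, IntPtr info, uint length, out uint returned);
    [DllImport("advapi32.dll")]
    static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
    [DllImport("advapi32.dll")]
    static extern IntPtr GetSidSubAuthority(IntPtr sid, int index);
    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr handle);

    const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000;
    const uint TOKEN_QUERY = 0x0008;
    const int TokenIntegrityLevel = 25;

    // Returns the integrity RID (last sub-authority of the S-1-16-x label SID), or -1 on failure.
    public static int GetIntegrityRid(int pid) {
        IntPtr process = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, false, pid);
        if (process == IntPtr.Zero) return -1;
        IntPtr token = IntPtr.Zero;
        IntPtr buffer = IntPtr.Zero;
        int rid = -1;
        try {
            if (!OpenProcessToken(process, TOKEN_QUERY, out token)) return -1;
            uint needed;
            GetTokenInformation(token, TokenIntegrityLevel, IntPtr.Zero, 0, out needed);
            if (needed == 0) return -1;
            buffer = Marshal.AllocHGlobal((int)needed);
            if (!GetTokenInformation(token, TokenIntegrityLevel, buffer, needed, out needed)) return -1;
            IntPtr sid = Marshal.ReadIntPtr(buffer);            // TOKEN_MANDATORY_LABEL.Label.Sid
            int count = Marshal.ReadByte(GetSidSubAuthorityCount(sid));
            rid = Marshal.ReadInt32(GetSidSubAuthority(sid, count - 1));
        } finally {
            if (buffer != IntPtr.Zero) { Marshal.FreeHGlobal(buffer); }
            if (token != IntPtr.Zero) { CloseHandle(token); }
            CloseHandle(process);
        }
        return rid;
    }
}
'@
Add-Type -TypeDefinition $source

# RID -> level name plus the icon ESET Inspect shows for it (see the list above).
function Get-IntegrityLevelName([int]$Rid) {
    switch ($Rid) {
        -1      { 'n/a (could not open process or token)' }
        0x0000  { 'Untrusted (blue down arrow)' }
        0x1000  { 'Low (blue down arrow)' }
        0x2000  { 'Medium (no icon)' }
        0x2100  { 'Medium Plus (no icon)' }
        0x3000  { 'High (red up arrow)' }
        0x4000  { 'System (red up arrow)' }
        0x5000  { 'Protected process (red up arrow)' }
        default { 'Unknown RID 0x{0:X}' -f $Rid }
    }
}

# Walk the process list; protected or more privileged processes may come back as n/a.
Get-Process | ForEach-Object {
    [pscustomobject]@{
        PID       = $_.Id
        Name      = $_.ProcessName
        Integrity = Get-IntegrityLevelName ([IntegrityQuery]::GetIntegrityRid($_.Id))
    }
} | Sort-Object Name | Format-Table -AutoSize
```

Run it as the same user whose session you are investigating and compare the Integrity column with the arrows in the process tree; a Low or Untrusted child of a Medium parent is the sandboxing behaviour the list above describes, while a High or System child spawned by a Medium process is worth a closer look.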

Computer

Shows the computer's name where the detection triggered. Click the computer name to find Computer details. Click View detections on this computer to open the specific computer’s detection list.

Username

Shows the user or account name that was logged in when the detection was triggered. The following details are pulled from Active Directory:

Full name

Job Position

User Department

User Description


note

To display user details, you must populate the following Active Directory attributes (ESET Inspect field on the left, AD attribute on the right):

ESET Inspect parameter name    Attribute name
Full Name                      cn
Job Position                   title
User Department                division
User Description               description

Then run a synchronization task so ESET Inspect picks up the values.
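Before running the synchronization task it helps to know which users are missing those attributes. The following added PowerShell example (not ESET's code or a Microsoft-documented procedure) audits the four attributes for every user under an OU and fills the three that Set-ADUser can write. It assumes the ActiveDirectory RSAT module, rights to modify the users, and a placeholder search base of OU=SOC,DC=example,DC=local. Note that cn is the object's relative distinguished name, so it is set when the user is created or with Rename-ADObject, not with Set-ADUser -Replace. The synchronization task itself is run in ESET PROTECT as the note above says and is not part of the script.

```powershell
# Added example, not ESET's code: audit and fill the AD attributes ESET Inspect reads.
Import-Module ActiveDirectory

# ESET Inspect field -> AD attribute, exactly as in the table above.
$attributeMap = [ordered]@{
    'Full Name'        = 'cn'
    'Job Position'     = 'title'
    'User Department'  = 'division'
    'User Description' = 'description'
}
$props = [string[]]$attributeMap.Values

# Report which mapped attributes are empty for each user under the OU.
# The default SearchBase is an assumed placeholder; replace it with your own DN.
function Get-InspectAttributeGaps {
    param([string]$SearchBase = 'OU=SOC,DC=example,DC=local')
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties $props |
        ForEach-Object {
            $user = $_
            $missing = $attributeMap.GetEnumerator() |
                Where-Object { [string]::IsNullOrWhiteSpace($user.($_.Value)) } |
                ForEach-Object { '{0} ({1})' -f $_.Key, $_.Value }
            [pscustomobject]@{
                SamAccountName = $user.SamAccountName
                Missing        = ($missing -join ', ')
            }
        } | Where-Object { $_.Missing }
}

# Fill title/division/description and echo the four attributes back for verification.
# cn is the RDN and is deliberately not touched here (use Rename-ADObject for that).
function Set-InspectAttributes {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [string]$Title,
        [string]$Division,
        [string]$Description
    )
    $replace = @{}
    if ($Title)       { $replace['title']       = $Title }
    if ($Division)    { $replace['division']    = $Division }
    if ($Description) { $replace['description'] = $Description }
    if ($replace.Count -gt 0) { Set-ADUser -Identity $Identity -Replace $replace }
    Get-ADUser -Identity $Identity -Properties $props |
        Select-Object SamAccountName, cn, title, division, description
}

# Usage: list the gaps, then fix one account (identity and values are placeholders).
Get-InspectAttributeGaps
# Set-InspectAttributes -Identity 'jdoe' -Title 'SOC Analyst' -Division 'Security Operations' -Description 'Tier 2'
```

After the attributes are set, run the synchronization task and re-open the detection: the Username tile should show the Full name, Job Position, User Department and User Description values that were written.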

Audit Log

Displays detection actions: Resolved, Unresolved, Commented and Priority Changed.

Comments

Adds a comment.

Action buttons

You can manage the detection with the buttons in the lower part of the screen.

Detections

Open computer—Open the Computer details for the Computer that triggered the detection.

Open process—If a Rule triggers the detection, open the Process details.

Open parent process—If the detection has a parent process, open the parent Process details.

Mark as resolved—Mark the detection as Resolved.

Mark as not resolved—Mark the detection as Unresolved.

Create exclusion—Create an exclusion for the selected rules. You are redirected to Create Rule Exclusion.

Edit rule—Redirects you to Edit Rule if a rule raised the detection.

Edit user actions—Opens the Edit User Actions window for the selected detection rule.

Priority—Mark the detection as No priority, Priority I, Priority II or Priority III.

Add comment—Add a comment.

Tags—Assign detection tags from the existing list or create custom tags.

Audit log—Go to the Audit log tab.

Diagnostic information—Enable additional diagnostic data collection for a selected rule.

  - Start Collection—The next time the rule triggers, diagnostic information is collected and made ready for download.

  - Download—Download the password-protected ZIP archive with the diagnostic data. The password is shown on the download screen. Collection stops after the download.

Incident

  - Create an incident report

  - Add to a current incident

  - Add to recent incident, which shows the last three incidents

  - Select incident to add to

Remediation

Protect network:

  - Block executable—Prevent the executable from running by blocking it based on its SHA-1 hash. The blocked executable appears in the Blocked Hashes section.

  - Clean & block executable—Delete the executable and add its hash to Blocked Hashes to prevent future occurrences.

  - Isolated from Network—Block all network communication on the computer, except between ESET security products.

Protect computer:

  - Kill process on this computer—Kill the running process that triggered the detection.

  - Scan computer for malware—Run an On-demand computer scan.

  - Shutdown computer—Shut the computer down.

Kill process

Kill selected process on this computer.

Computer

Scan—Send the command to Endpoint to start an immediate scan of the computer.

SysInspector log—Generate the SysInspector log, which you can review in the computer's details.

Reboot/Shutdown—Send a command to restart or shut down the computer.

Isolate—Isolate the computer from the network (only connections between ESET security products remain available). You can also End isolation (available only for Windows endpoints; File Security from 7.2.12003.0).

Details (Protect)—Go to the ESET PROTECT On-Prem Web Console.

Executable

Block—Go to the Block Hashes tab.

Download file—Opens the download window for the affected executable.

Submit to ESET LiveGuard—Manually submit a file for ESET LiveGuard analysis, available in ESET PROTECT On-Prem version 10.1 or later.