Detection details
The tiles below show detection details:
•Name—The threat name.
•Occurred—Date and time of occurrence.
•Triggering process—The triggering process' name and integrity level.
•Command Line—The command line that the triggering process used.
•Username—The logged user's name when the event occurred.
•User Role—The user's role listed in the Username.
•Computer—The computer's name that raised the detection. Click the computer name to be redirected to Computer details.
•Parent Group—A computer group's name where a specific computer is assigned. You can change the computer's group in ESET PROTECT On-Prem.
•Last connected—The permanent connection, which refreshes every 90 seconds, created for listening to blocked hash notifications, requests to download a file or kill a process.
•Priority—The detection's priority, which you can change via Priority buttons.
•Severity—Shows the detection's severity: Threat, Warning or Info.
•Severity Score—A precise severity definition: 1–39: Info; 40–69: Warning; 70–100: Threat.
•Resolved—An indicator that shows whether the detection is resolved, which you can change via Priority buttons.
•Note—A text field for adding notes. Click the Set note blue string on the window's right side.
•Triggering Process—The process' name, and ID, that triggered the detection. Click the name to be redirected to Process details.
•Command Line—The Command line filename.
•Path—A link that appears if a blocked hash or ESET Endpoint Security triggered a detection.
Detection Type
•Rule—Filters detections that were triggered based on rules.
•Blocked—Shows detections triggered by matching the Blocked hashes listed in the More section.
•Antivirus—Shows detections triggered by ESET Endpoint Security, after Scan or Real-time detection.
•Firewall—Shows detections triggered by ESET Endpoint Security, for example, if a Firewall rule was triggered.
•HIPS—Shows detections triggered by ESET Endpoint Security when HIPS protection detects an intrusion.
•Filtered Websites—Shows detections triggered by ESET Endpoint Security if the website is on a blacklist (PUA, Internal or anti-phishing).
Threat Type
Threat types appear if a blocked hash or ESET Endpoint Security triggered the detection:
•Malware—A potentially unwanted application
•Potentially unwanted application (PUA)—PUAs may not be malicious but can negatively affect your computer's performance.
•Hash blocked by ESET Inspect—The file was blocked by hash, which you added in the Blocked Hashes section.
•Suspicious applications—Programs compressed by packers or protectors. Malware authors exploit these to evade detection.
•Threat Name—The name of the threat that can be found in this list http://www.virusradar.com/en/threat_encyclopaedia
Triggering Executable
The executable that triggered the detection. Click the name to be redirected to Executable details.
•SHA-1—The executable's hash.
Click the gear icon next to the hash to show the context menu, where you can find two options:
•Open the Virus Total search page, which you can define in the Settings tab.
•Copy to clipboard to add the hash to your clipboard.
•Signature Type—The signature type, if signed: Trusted, Valid, None, Invalid or Unknown. The executable is signed if the value is Present, but ESET Inspect On-Prem cannot identify the certificate's status. While uncommon for Windows, on macOS, Endpoint does not verify signatures, and the only states are Present or None.
•Signer Name—The file signer, if applicable.
•Seen on—The computers where the file was discovered. Click Seen on to be redirected to the Computers view, where you can find a filtered list.
•File Description—The file's full description.
•First Seen—When an executable was first seen on any computer in a monitored network.
•Reputation (LiveGrid®)—A number from 1 to 9, indicating how safe the file is: 1–2 (red) is malicious, 3–7 (yellow) is suspicious, 8–9 (green) is safe.
•Popularity (LiveGrid®)—How many computers reported an executable to LiveGrid®.
•First Seen (LiveGrid®)—When an executable was first seen on any computer connected to LiveGrid®.
Popularity | No. computers affected in LiveGrid® | Color | Description
---|---|---|---
0 | 0 | Red | Not seen
1 | 1–9 | Red | Low
2 | 10–99 | Yellow | Medium
3 | 100–999 | Yellow | Medium
4 | 1 000–9 999 | Yellow | Medium
5 | 10 000–99 999 | Green | High
6 | 100 000–999 999 | Green | High
7 | 1 000 000–9 999 999 | Green | High
8 | 10 000 000–99 999 999 | Green | High
9 | 100 000 000–999 999 999 | Green | High
10 | 1 000 000 000–9 999 999 999 | Green | High
11 | 10 000 000 000–99 999 999 999 | Green | High
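The Severity Score bands, the LiveGrid® reputation bands and the popularity table above are the fields an analyst reads first when triaging a queue of detections. The following Python is an added example (not ESET code and not the ESET Inspect API) that encodes those bands and uses them to order a batch of detections for review. It generalizes the popularity table: each level covers one decimal order of magnitude, so the level is the number of digits in the computer count (0 for a count of zero, capped at 11). The detection records, their field names and the ranking policy are constructed assumptions for the example.

```python
"""Triage helper built on the bands documented for ESET Inspect detection tiles.

Added example, not ESET code. Field names and sample records are constructed.
"""


def severity_from_score(score: int) -> str:
    """Map a Severity Score (1-100) to the displayed Severity label."""
    if not 1 <= score <= 100:
        raise ValueError(f"severity score out of range: {score}")
    if score <= 39:
        return "Info"
    if score <= 69:
        return "Warning"
    return "Threat"


def reputation_band(reputation: int) -> tuple[str, str]:
    """Map a LiveGrid reputation (1-9) to (color, verdict)."""
    if not 1 <= reputation <= 9:
        raise ValueError(f"reputation out of range: {reputation}")
    if reputation <= 2:
        return ("red", "malicious")
    if reputation <= 7:
        return ("yellow", "suspicious")
    return ("green", "safe")


def popularity_level(computers: int) -> tuple[int, str, str]:
    """Map a LiveGrid computer count to (level, color, description).

    Each popularity level spans one decimal order of magnitude, so the level
    equals the number of digits in the count; 0 means never seen, 11 is the cap.
    """
    if computers < 0:
        raise ValueError(f"computer count cannot be negative: {computers}")
    level = 0 if computers == 0 else min(len(str(computers)), 11)
    if level == 0:
        return (0, "red", "Not seen")
    if level == 1:
        return (1, "red", "Low")
    if level <= 4:
        return (level, "yellow", "Medium")
    return (level, "green", "High")


# Constructed sample detections (not real ESET Inspect output).
SAMPLE_DETECTIONS = [
    {"name": "Sample rule A", "severity_score": 85, "reputation": 2, "computers": 3},
    {"name": "Sample rule B", "severity_score": 55, "reputation": 9, "computers": 2_500_000},
    {"name": "Sample rule C", "severity_score": 85, "reputation": 6, "computers": 0},
    {"name": "Sample rule D", "severity_score": 20, "reputation": 1, "computers": 50},
]

_SEVERITY_RANK = {"Threat": 3, "Warning": 2, "Info": 1}


def triage(detections: list[dict]) -> list[dict]:
    """Annotate each detection with its bands and order the queue for review.

    Ranking policy (an assumption of this example): highest Severity first,
    then worst reputation, then rarest executable (lowest popularity level).
    """
    annotated = []
    for det in detections:
        severity = severity_from_score(det["severity_score"])
        _, verdict = reputation_band(det["reputation"])
        level, _, popularity = popularity_level(det["computers"])
        annotated.append({**det, "severity": severity, "verdict": verdict,
                          "popularity": popularity, "popularity_level": level})
    return sorted(annotated,
                  key=lambda d: (-_SEVERITY_RANK[d["severity"]],
                                 d["reputation"], d["popularity_level"]))


if __name__ == "__main__":
    for row in triage(SAMPLE_DETECTIONS):
        print(f'{row["name"]}: {row["severity"]}, reputation {row["verdict"]}, '
              f'popularity {row["popularity"]} (level {row["popularity_level"]})')
```

The ordering puts a Threat-level detection on a malicious, rarely seen executable ahead of a Threat on a merely suspicious one, and both ahead of Warnings and Info; a malicious reputation on an Info-level detection still surfaces, just later in the queue.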
•IP Protocol—The IP Protocol used.
•Source Socket—The IP Address where the possible attack originated.
•Destination Socket—The IP Address that was the target of the possible attack.
•Reporting interface—If available, the network adapter's MAC address that received the packet causing the alarm.
•Occurred—The date and time of the process' occurrence.
•Triggered—The date and time when the detection was triggered.
•Threat Handled—Shows if action was taken against the detection.
•Restart Needed—Shows if a restart is needed to resolve the detection.
Action Taken
•Cleaned—Executable was cleared from harmful code.
•Deleted—Executable was deleted.
•Connection terminated—The connection was terminated before the infection could do harm.
•Cleaned by deleting—Executable was deleted.
•Was a part of the deleted object—Executable was a part of a deleted archive.
•Marked for deletion—Executable is inaccessible and marked for manual deletion.
•Blocked—Access was blocked, but the executable remains.
Do not Block or Kill any Windows system processes or executables, such as svchost.exe. This may cause an operating system crash.
Integrity Level
Represented by the arrow in the process tree, the Detections tab grid, and wherever the process name is present. The integrity levels are:
•Untrusted—Blue arrow down. Blocks most write access to a majority of objects.
•Low—Blue arrow down. Blocks most write access to registry keys and file objects.
•Medium—No icon. This is the default setting for most processes when UAC is enabled.
•High—Red arrow up. Most processes will have this setting if UAC is disabled and the administrator is the user currently logged in.
•System—Red arrow up. This setting is reserved for system-level components.
•Protected process—Red arrow up. Some antimalware services use this to load trusted, signed code, and includes a built-in defense against code injection attacks.
Computer
Shows the computer's name where the detection triggered. Click the computer name to find Computer details. Click View detections on this computer to open the specific computer’s detection list.
Username
Shows the user or account name logged in when the detection was triggered. The following details are pulled from the Active Directory:
•Full name
•Job Position
•User Department
•User Description
To display user details, you must define the following parameters in the Active Directory:
Then, run a synchronization task to update.
Audit Log
Displays detection actions: Resolved, Unresolved, Commented and Priority Changed.
Comments
Adds a comment.
Action buttons
You can manage the detection with the buttons in the lower part of the screen.
Detections
•Open computer—Open the Computer details for the Computer that triggered the detection.
•Open process—If a Rule triggers the detection, open the Process details.
•Open parent process—If the detection has a parent process, open the parent Process details.
•Mark as resolved—Mark the detection as Resolved.
•Mark as not resolved—Mark the detection as Unresolved.
•Create exclusion—Create an exclusion task for selected rules. You are redirected to the Create Rule Exclusion.
•Edit rule—Redirects you to the Edit Rule section if a rule raised the detection.
•Edit user actions—Opens the Edit User Actions window and shows edit user actions for the selected detection rule.
•Priority—Mark the detection as No priority/Priority I/Priority II/Priority III.
•Add comment—Add a comment.
•Tags—Assign detection tags from the existing list or create custom tags.
•Audit log—Go to the Audit log tab.
•Diagnostic information—Enable additional diagnostic data collection for a selected rule.
oStart Collection—The next time the rule triggers, diagnostic information will be collected and ready for download.
oDownload—Download the password-protected ZIP archive with diagnostic data. The password is shown on the download screen. Collection stops after the download.
Incident
oCreate an incident report
oAdd to a current incident
oAdd to recent incident, which shows the last three incidents
oSelect incident to add to
Remediation
•Protect network:
oBlock executable—Prevent the executable from running by blocking it based on the SHA-1 hash. The blocked executable will appear in the Blocked Hashes section.
oClean & block executable—Delete the executable and add it to Blocked Hashes to prevent future occurrences.
oIsolated from Network—Block all network communication on the computer, except between ESET security products.
•Protect computer:
oKill process on this computer—Kill the running process that triggered the detection.
oScan computer for malware—Run On-demand computer scan.
oShutdown computer—Shut the computer down.
Kill process
Kill selected process on this computer.
Computer
•Scan—Send the command to Endpoint to start an immediate scan of the computer.
•SysInspector log—Generate the SysInspector log, which you can review in the computer's details.
•Reboot/Shutdown—Send a command to restart or shut down the computer.
•Isolate—Isolate the computer from the network (only connections between ESET Security products are available). You can also End isolation (available only for Windows endpoints; File Security from 7.2.12003.0).
•Details (Protect)—Go to the ESET PROTECT Web Console.
Executable
•Block—Go to the Block Hashes tab.
•Download file—The affected process' download window appears.
•Submit to ESET LiveGuard—Manually submit a file for ESET LiveGuard analysis, available in ESET PROTECT On-Prem version 10.1 or later.