Threats

The Threats section gives you an overview of threats found on devices managed by your account. Group structure is displayed on the left.

You can browse groups and view threats detected on members of a given group. To view all threats found on clients assigned to groups for your account, select the All group and use the All threats types filter. Click a specific threat to view a context menu for the device containing that threat.

IMPORTANT

During database cleanup, items in Threats corresponding to the cleaned Incident logs are deleted as well (regardless of threat status). By default, the cleanup period for Incident logs (and Threats) is set to 6 months. You can change the interval in Server Settings.

Threat types

Active threats - Active threats are threats that have not been cleaned yet. To clean the threat, run an In-Depth Scan with cleaning enabled on the folder that contains the threat. The scan task must finish successfully to clean the threat (no more detections). If a user does not resolve an active threat within 24 hours from its detection, it loses the Active status, but it stays unresolved.

Resolved threats - Threats that a user has marked as resolved but that have not yet been scanned using In-Depth Scan. Devices with threats marked as resolved are still displayed in the filtered list until a scan is performed.


Filtering threats

By default, all threat types from the last seven days are shown, including threats that have been successfully cleaned. You can filter the threats by several criteria: Computer Muted and Threat Resolved are visible by default. For a more specific view, you can add other filters, such as Threat Category (Antivirus, Blocked files, Enterprise Inspector, Firewall and HIPS), Threat Type, the IP Address of the client that reported the threat or the name of the Scan.

Add filter and filter presets

To add filtering criteria, click Add filter and select item(s) from the list. Enter the search string(s) into the filter field(s). Active filters are highlighted in blue.

Filters can be saved to your user profile so that you can use them again in the future. Under Presets the following options are available:

Filter sets - Your saved filters; click one to apply it. The applied filter is denoted with a check mark. Select Include visible columns, sorting and paging to save these parameters to the preset.

Save filter set - Save your current filter configuration as a new preset. Once the preset is saved, you cannot edit the filter configuration in the preset.

Manage filter sets - Remove or rename existing presets. Click Save to apply the changes to presets.

Clear filter values - Click to remove only the current values from the selected filters. Saved presets will remain unchanged.

Remove filters - Click to remove the selected filters. Saved presets will remain unchanged.

Remove unused filters - Remove filter fields with no value.

NOTE

Some filters are enabled by default. If threats are indicated on the left menu button but you cannot see them in the list of threats, check to see which filters are enabled.

Ransomware Shield

ESET business products (version 7 and later) include Ransomware Shield. This new security feature is a part of HIPS and protects computers from ransomware. When ransomware is detected on a client computer, you can view the detection details in ESMC Web Console in Threats. For more information about Ransomware Shield, see the ESET Endpoint Security online help.

You can remotely configure Ransomware Shield from the ESMC Web Console using the Policy settings for your ESET business product:

Enable Ransomware Shield - ESET business product automatically blocks all the suspicious applications that behave like ransomware.

Enable Audit Mode - When you enable Audit Mode, potential threats detected by Ransomware Shield are not blocked but are reported in ESMC Web Console. The administrator can then decide to block the detected potential threat or exclude it by selecting Add Exclusion to Policy. This Policy setting is available only via ESMC Web Console.

IMPORTANT

By default, Ransomware Shield blocks all applications with potential ransomware behavior, including legitimate applications. We recommend that you Enable Audit Mode for a short period on a new managed computer, so that you can exclude legitimate applications that are detected as ransomware based on their behavior (false positives). We do not recommend that you use the Audit Mode permanently, because ransomware on the managed computers is not automatically blocked when Audit Mode is enabled.

Scan computers - Runs the On Demand Scan task on the device that reported the selected threat.

Mark As Resolved / Mark As Not Resolved - Threats can be marked as resolved (or not resolved) in the Threats section or in the details of a specific client.

Expand Actions to perform the following actions:

Run Task - Run an existing task and create a trigger to complete the task.

Scan Path - Opens the task with the paths and targets pre-defined. This is only available for threats with known paths.

Add Exclusion To Policy - Select an existing endpoint policy to which you want to add an exclusion for the threat. It will be excluded from future scans. You can exclude the threat based on the following criteria:

Use Threat Name - Exclusion is defined based on the detected threat name (malware family).

Use URI - Exclusion is defined by the path to the file, e.g. file:///C:/Users/user/AppData/Local/Temp/34e1824e/ggdsfdgfd.pdf.exe

Use Hash - Exclusion is defined by the hash of the detected file.

You can find threat details (threat name, URI, and hash) when you click the threat and select Show Details.

WARNING

Use exclusions with caution - they may result in an infected computer.
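The three exclusion criteria above differ in how much they let through. The following added example (not ESET code; the matching rules, the use of SHA-1 and the detection name are assumptions made for illustration) applies a name, URI and hash exclusion to two constructed detections at the same path and shows that only the hash exclusion stops matching once the file at that path changes:

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Detection:
    threat_name: str   # detection name (malware family) reported by the scanner
    uri: str           # file URI as shown in Threat Details
    content: bytes     # constructed file content, used only to derive the hash

    @property
    def sha1(self) -> str:
        # Assumption: exclusions by hash are compared as hex SHA-1 of the file.
        return hashlib.sha1(self.content).hexdigest()


@dataclass(frozen=True)
class Exclusion:
    kind: str   # "name", "uri" or "hash", mirroring the three criteria above
    value: str


def is_excluded(det: Detection, exclusions: list[Exclusion]) -> bool:
    """Return True if any exclusion matches the detection (exact-match semantics assumed)."""
    for exc in exclusions:
        if exc.kind == "name" and exc.value == det.threat_name:
            return True
        if exc.kind == "uri" and exc.value == det.uri:
            return True
        if exc.kind == "hash" and exc.value.lower() == det.sha1:
            return True
    return False


# Constructed sample data: the URI is the one quoted above; the detection name is made up.
URI = "file:///C:/Users/user/AppData/Local/Temp/34e1824e/ggdsfdgfd.pdf.exe"
ORIGINAL = Detection("Example/TestFamily.A", URI, b"constructed original file contents")
REPLACED = Detection("Example/TestFamily.A", URI, b"constructed different file at the same path")


def compare_exclusion_scope() -> dict[str, tuple[bool, bool]]:
    """For each criterion: (original file excluded?, replaced file at same path excluded?)."""
    by_hash = [Exclusion("hash", ORIGINAL.sha1)]
    by_uri = [Exclusion("uri", URI)]
    by_name = [Exclusion("name", ORIGINAL.threat_name)]
    return {
        "hash": (is_excluded(ORIGINAL, by_hash), is_excluded(REPLACED, by_hash)),
        "uri": (is_excluded(ORIGINAL, by_uri), is_excluded(REPLACED, by_uri)),
        "name": (is_excluded(ORIGINAL, by_name), is_excluded(REPLACED, by_name)),
    }
```

A hash exclusion covers one exact file, while URI and threat-name exclusions also cover any future file at that path or with that detection name, which is why the narrowest criterion that fits the false positive is the safer choice.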

NOTE

Not all threats found on client devices are moved to quarantine. Threats that are not quarantined include:

Threats that cannot be deleted.

Threats that are suspicious based on their behavior, but are not detected as malware, for example, PUAs.

Threat details

To learn more about a threat, click the threat in a Static or Dynamic Group and then click Show Details. Only threats found during a scan display information about that scan. Click Same Scan Threats to view a filtered list of threats found during the same scan as the selected threat. If the threat is a file, click Send File to EDTD in Threat Details to create a Client Task that sends the file to ESET Dynamic Threat Defense for analysis.

Computers

Click a threat. In the drop-down menu, the Computers sub-menu offers a list of actions that you can perform on the computer where the threat was found. This list is the same as the one in the Computers section.

Table columns

Click the gear icon in the upper right corner, select Edit columns, and select the columns you want to add to the table. Various columns are available; select them using the check boxes.