Detections

The Detections section gives you an overview of detections found on managed devices.

Group structure is displayed on the left. You can browse groups and view detections found on members of a given group. To view all detections found on clients assigned to groups for your account, select the All group and remove any applied filters.

Detection status

There are two types of detections based on their status:

Active detections - Active detections are detections that have not been cleaned yet. To clean the detection, run an In-Depth Scan with cleaning enabled on the folder that contains the detection. The scan task must finish successfully to clean the detection and report no more detections. If a user does not resolve an active detection within 24 hours from its discovery, it loses the Active status but stays unresolved.

Resolved detections - These are detections that a user has marked as resolved but that have not yet been scanned using In-Depth Scan. Devices with detections marked as resolved are still displayed in the filtered results list until scanning is performed.

Note

Not all detections found on client devices are moved to quarantine. Detections that are not quarantined include:

Detections that cannot be deleted.

Detections that are suspicious based on their behavior, but are not identified as malware, for example, PUAs.

Important

During database cleanup, items in Detections corresponding to the cleaned Incident logs are deleted as well (regardless of detection status). By default, the cleanup period for Incident logs (and Detections) is set to 6 months. You can change the interval in Server Settings.

Aggregation of detections

Detections are aggregated by time and other criteria to simplify their resolution. Detections older than 24 hours are aggregated automatically every midnight. You can identify aggregated detections by the X/Y (resolved items/total items) value in the Resolved column. You can see the list of aggregated detections in the Occurrences tab in detection details.

Detections in archives

If one or more detections are found in an archive, the archive and each detection inside the archive are reported in Detections.

Warning

Excluding the archive file that contains detections no longer has any effect. You need to exclude the individual detections inside the archive.

The excluded detections will no longer be detected, even if they occur in another archive or unarchived.

Filtering detections

By default, all detection types from the last seven days are shown, including detections that have been successfully cleaned. You can filter the detections by several criteria. The Computer Muted and Occurred filters are enabled by default.

Note

Some filters are enabled by default. If detections are indicated on the Detections button in the main menu, but you cannot see them in the list of detections, check to see which filters are enabled.

For a more specific view, you can add other filters, such as:

Detection Category - Antivirus, Blocked files, Enterprise Inspector, Firewall, HIPS, and Web protection.

Detection Type

IP Address of the client that reported the detection

Scanner - Select the scanner type that reported the detection. For example, the Anti-Ransomware scanner shows the detections reported by the Ransomware Shield.

Action - Select the action performed on the detection. ESET security products report the following actions to ESMC:

cleaned - The detection was cleaned.

deleted / cleaned by deleting - The detection was deleted.

was a part of a deleted object - An archive that contained the detection was deleted.

blocked / connection terminated - The access to the detected object was blocked.

retained - No action was performed due to various reasons, for example:

In the interactive alert, the user manually selected not to perform any action.

In the ESET security product detection engine settings, the Protection level for the detection category is set lower than the Reporting level.

Filters and layout customization

You can customize the current Web Console screen view:

Manage the side panel and main table.

Add filters and filter presets. You can use tags for filtering the displayed items.