ESET Online Help

Search English
Select the category
Select the topic


The Detections section gives you an overview of detections found on managed devices.

Group structure is displayed on the left. You can browse groups and view detections found on members of a given group. To view all detections found on clients assigned to groups for your account, select the All group and remove any applied filters.


See the ESET Glossary for more details about ESET technologies and the types of detections/attacks they protect against.

Detection status

There are two types of detections based on their status:

Active detections - Active detections are detections that have not been cleaned yet. To clean the detection, run an In-Depth Scan with cleaning enabled on the folder that contains the detection. The scan task must finish successfully to clean the detection and have no more detections. If a user does not resolve an active detection within 24 hours from its discovery, it loses the Active status but it stays unresolved.

Resolved detections - These are detections that have been marked by a user as resolved, however they have not yet been scanned using In-Depth Scan. Devices with detections marked as resolved will still be displayed in the filtered results list until scanning is performed.


A Detection handled status indicates whether an ESET security product took action against a detection (depending on detection type and cleaning level settings):

Yes - The ESET security product took action against the detection (delete, clean, or quarantine).

No - The ESET security product did not take action against the detection.

You can use Detection handled as a filter in Reports, Notifications, and Dynamic Group Templates.



Not all detections found on client devices are moved to quarantine. Detections that are not quarantined include:

Detections that cannot be deleted

Detections that are suspicious based on their behavior, but are not identified as malware, for example, PUAs


During database cleanup, items in Detections corresponding to the cleaned Incident logs are deleted as well (regardless of detection status). By default, the cleanup period for Incident logs (and Detections) is set to 6 months. You can change the interval in More > Settings.

Aggregation of detections

Detections are aggregated by time and other criteria to simplify their resolution. If the same detection occurs repeatedly, the Web Console will display it in a single line to make its resolution easier. Detections older than 24 hours are aggregated automatically every midnight. You can identify aggregated detections by the X/Y (resolved items/total items) value in the Resolved column. You can see the list of aggregated detections in the Occurrences tab in detection details.

Detections in archives

If one or more detections are found in an archive, the archive and each detection inside the archive are reported in Detections.


Excluding an archive file that contains a detection does not exclude the detection. You must exclude the individual detections inside the archive. The maximum file size for files contained in archives is 3 GB.

The excluded detections will not be detected anymore, even if they occur in another archive or are unarchived.

Filtering detections

By default, all detection types from the last seven days are shown, including detections that have been successfully cleaned. You can filter the detections by several criteria: Computer Muted and Occurred are enabled by default.


Some filters are enabled by default. If detections are indicated on the Detections button in the main menu, but you cannot see them in the list of detections, check to see which filters are enabled.

For a more specific view, you can add other filters, such as:

Detection Category - icon_antivirusAntivirus, icon_blocked Blocked files, icon_ei_alert ESET Inspect, icon_firewall Firewall, icon_hips HIPS, and icon_web_protection Web protection.

Detection Type

IP Address of the client that reported the detection

Scanner—Select the scanner type that reported the detection. For example, the Anti-Ransomware scanner shows the detections reported by the Ransomware Shield.

Action—Select the action performed on the detection. ESET security products report the following actions to ESET PROTECT:

ocleaned—The detection was cleaned.

odeleted/cleaned by deleting—The detection was deleted.

owas a part of a deleted object—An archive that contained the detection was deleted.

oblocked/connection terminated—The access to the detected object was blocked.

oretained—No action was performed due to various reasons, for example:

In the interactive alert, the user manually selected not to perform any action.

In the ESET security product detection engine settings, the Protection level for the detection category is set lower than the Reporting level.

Filters and layout customization

You can customize the current Web Console screen view:

Manage the side panel and main table.

Add filters and filter presets. You can use tags for filtering the displayed items.