Malware Outbreak Alert. Steps?

[CMS 8]

Hi folks,

I received a "Malware Outbreak Alert" email, which is triggered when > 5% of machines have an active threat. I checked the "Computers with active threats" dynamic group, and it has 5.5% of our total PCs there, so it must have just tipped over, rather than being an actual mass outbreak.

I have rung ESET support, but got a somewhat wishy-washy response about what to do, which was essentially taken from what I was going to do anyway, listed below.

The steps I thought to follow were as below:

1.    Open the ESMC console
2.    Go to Computers > Computers with active threats (Dynamic group)
3.    Look at the list of computers, and look at each computer in detail (left click computer, select “Show Details”)
4.    When looking at the computer details, look at the Threats & Quarantines section. Is anything listed there?
5.    Worst case, it might be necessary to go the ESET client on the PC itself and look at those same sections to see what is shown.

Firstly, does this sound like the right approach?

Secondly, I have some computers in the "Computers with active threats" dynamic group that don't have any threats - the threat column has "0" in it, and nothing shows when I look at the detail. Anyone know why they are showing in this group?

Thanks

[Marcos 5,074]

If I were an administrator, even one computer with active threats would be of concern since it might infect other machines. Please check the Cause column in the Threat panel if it's the same threat detected on all machines.

You can post a screen shot of some unresolved threats where the columns "Object", "Process name", "Cause", "Circumstances", "Scanner", "Action", "Action details", "Occurred" are visible. It should give us a clue as to why the threats were not cleaned.

[CMS 8]

I had a look at all the machines with threats, and they were all false positives due to what it thought were problem applications in a driver install package. So I've marked them as resolved.

I've gone back to the "Computers with active threats" group and looked through all the machines via their details. Not sure what you mean by "Cause column in the Threat panel", how do I get to that? All I can see in details, under Threats and Quarantine, is that some but not all PCs have a quarantined item. None of them have active alerts. Is the quarantined item classified as an active threat?

[Marcos 5,074]

I mean this:

Even if it was a false positive, please provide more details, especially the detection name and the path where it was detected.

[CMS 8]

Thanks. So a mix of things, mostly unsafe applications e.g. Win32/Bundled.Toolbar.Google.D, but in some of these cases at least the threat has been "cleaned by deletion" and everything in this list is marked as resolved.

I'm not sure why all these items are still showing in "active threats".

[Marcos 5,074]

It is weird because potentially unsafe and unwanted detections are handled automatically on clients in managed environments. Were they actually relatively fresh detections from this year?

[CMS 8]

Yes, from Feb and Jan. The filter had been set to a time range, so I've removed that and see threats going back for many months. These are all previous though and have been resolved.

I suspect there must have been a filter on the group to hide resolved threats, which I may have removed. If I add back a "threat resolved" filter then the "Computers with active threats" group is now empty.