Bill Lyons

Questions about Unhandled Threats & Resolved Threats


Hello!

Please bear with me, as this is my first post on these forums.

I have some questions about ESMC v7 and its display of Unhandled Threats, and about dealing with "Resolved" threats.

So for the Unhandled Threats I have set up a Dynamic Group that's using the following expression:

Active threats . Threat handled = no (I also attached a screenshot as well)

This should, the way I understand it, show any threats that are outstanding and have not had any "action" done to them, correct? By action I mean clean, delete, block etc.

The reason I ask this is that if I look at my Threats tab I see several more devices listed there with threats that have had no action done to them and are unresolved, but which do not show up in my Unhandled Threats group.

As for the "Resolved" threats question: I read that in v7 it should be possible to have the system auto-resolve and clear out the threat listing by performing a scan? Is this correct? If so, what type of scans qualify for this? Has anyone successfully automated this to clear out the low-hanging fruit, leaving only the issues that need actual attention in the Threats tab?

Any advice you guys and gals can provide would be greatly appreciated.


ESETDynamicGroupExpression.PNG


I'd start off by asking you what active/unhandled threats you have. The thing is that in a managed environment the security product handles even potentially unsafe or unwanted applications as though in strict cleaning mode, i.e. fully automatically.


Marcos,

Here are a few of them:

Type: (no type given) | Cause: Suspicious | Object: file:///C:/Windows/system32/en-US/IEFRAME.dll.mui

Type: trojan | Cause: HTML/ScrInject.B | Object: file:///C:/Documents and Settings/[USERNAME REMOVED]/AppData/Local/Microsoft/Windows/Temporary Internet Files/Content.IE5/MFSTZ8NF/7b973e50[1]

Type: potentially unwanted application | Cause: OSX/CleanMyMac.A | Object: file:///G:/$RECYCLE.BIN/S-1-5-21-2973374289-3595491005-59360181-23882/$RFW5CJ5.dmg/4.hfs


Hi guys,

I'm going to take advantage of this open topic to throw in my question. Is there a way to prevent ESET from marking a threat as resolved even when it blocked, deleted or cleaned the infection? How can I distinguish threats marked as resolved by ESET from threats marked as resolved by an administrator?

I'm asking this because, as SOC personnel, sometimes we need to do further investigation on a particular event even when it was already taken care of by ESET itself. We have found it difficult to track our progress in the console's Threats section, because the available filters give you a view of resolved vs. unresolved threats but do not differentiate between the ones marked as resolved by ESET and the ones marked as resolved by a person.

Hope I'm making myself clear.

Thanks in advance,


@CCross

I will try to respond to your questions:

  1. No, the "auto resolving" currently applies only to detections reported by the "antivirus" module. Detections by the firewall, HIPS and other modules need to be resolved manually. We are tracking an improvement for it (internal reference "IDEA-872").
  2. It's not currently possible to track which ones were "resolved automatically" and which were "resolved manually". Such functionality is currently available only inside our EDR product, Enterprise Inspector. We are also tracking improvements for both adding a field about who did it (P_ESMC-13329) and more complex incident workflow management (IDEA-663).

Regards,

Michal


@Bill Lyons

As of now, there are still two "mixed" concepts in ESMC: Resolved/Unresolved threats, and "Active" threats.

I would recommend not using "active threats" for the dynamic group creation, as that works only for the AV detection type; therefore the "count" of computers in that group would not match up (it would be smaller, as other detection techniques are not counted as a "matching criterion").

The count in the "unresolved detections" column of the "computers" pane should reflect the filtered view of the "threats" pane for a particular computer. You can verify this by going to "computer details", where there is a tab called "Threats".

Only threats reported by "Antivirus" are "marked as resolved" automatically; the other ones, regardless of whether they were blocked or not, are not automatically resolved. As stated in the post above, this is something to be eventually changed, but the intention of "showing them" is that they might indicate some problem that should be checked by the security staff.

Resolving threats on a computer by running a scan (one that covers the path of that particular threat) works only for threats of the AV detection type. To clear the content of the "active threats" DG, you have to execute an in-depth scan, with strict cleaning enabled, covering "all disks".

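To make the distinction in the reply above concrete, here is an added example that is not part of the thread and not ESET's code: a small Python triage script over a constructed Threats export. It reproduces the two counts the reply contrasts (the per-computer "unresolved detections" count, which includes every module, versus the "Active threats . Threat handled = no" dynamic group, which only sees antivirus detections) and lists the unresolved detections that an in-depth scan with strict cleaning will not clear. The column names, the scanner strings and the set of scanners treated as the "antivirus" module are all assumptions; check them against your own console's export before relying on the output.

```python
"""Triage an ESMC Threats export by reporting module.

Added example, not ESET's code. Assumes a CSV export with the columns
computer, module, cause, object, resolved (an assumption; real exports differ).
"""
import csv
import io
from collections import Counter

# ASSUMPTION: which scanner strings count as the "antivirus" module. The thread
# only says antivirus detections auto-resolve; verify the names in your console.
AV_MODULES = {
    "Real-time file system protection",
    "On-demand computer scan",
}

# Constructed sample export, loosely modelled on the detections quoted in the
# thread. Hosts, paths and the firewall/HIPS rows are made up for illustration.
SAMPLE_EXPORT = """\
computer,module,cause,object,resolved
WS-01,Real-time file system protection,Suspicious,file:///C:/Windows/system32/en-US/IEFRAME.dll.mui,no
WS-02,On-demand computer scan,OSX/CleanMyMac.A,file:///G:/$RECYCLE.BIN/sample.dmg/4.hfs,no
WS-03,Firewall,Port scanning attack,198.51.100.7,no
WS-03,HIPS,Suspicious process behaviour,C:\\Users\\alice\\run.exe,no
WS-04,Real-time file system protection,Eicar test file,C:\\Temp\\eicar.com,yes
"""


def parse_export(text):
    """Parse the CSV text into dict rows; 'resolved' becomes a bool."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["resolved"] = row["resolved"].strip().lower() == "yes"
    return rows


def is_av(row):
    """True when the detection was reported by an (assumed) antivirus scanner."""
    return row["module"] in AV_MODULES


def unresolved_by_computer(rows):
    """Mirror the 'unresolved detections' column: every unresolved row counts,
    whichever module reported it."""
    return Counter(r["computer"] for r in rows if not r["resolved"])


def active_threats_group(rows):
    """Mirror the 'Active threats . Threat handled = no' dynamic group as the
    reply describes it: only antivirus detections are matching criteria."""
    return {r["computer"] for r in rows if not r["resolved"] and is_av(r)}


def missing_from_group(rows):
    """Computers with unresolved detections that the dynamic group never shows,
    i.e. the discrepancy the first post asks about."""
    return set(unresolved_by_computer(rows)) - active_threats_group(rows)


def triage(rows):
    """Split unresolved detections into those an in-depth scan with strict
    cleaning can auto-resolve (antivirus) and those someone must resolve by hand."""
    unresolved = [r for r in rows if not r["resolved"]]
    return {
        "auto_resolvable": [r for r in unresolved if is_av(r)],
        "needs_manual": [r for r in unresolved if not is_av(r)],
    }


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    print("unresolved per computer:", dict(unresolved_by_computer(rows)))
    print("in Active threats group:", sorted(active_threats_group(rows)))
    print("unresolved but not in group:", sorted(missing_from_group(rows)))
    for r in triage(rows)["needs_manual"]:
        print(f"manual: {r['computer']} | {r['module']} | {r['cause']} | {r['object']}")
```

On the sample data WS-03 has two unresolved detections but never enters the dynamic group, which is exactly the mismatch between the Threats tab and the "Unhandled Threats" group described in the first post; the two firewall/HIPS rows are the ones a scheduled in-depth scan will leave behind for manual review.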

MichalJ,

Thank you for updating this with that insight. I'll take this back and run it down with my client. I'll post back later with any follow-ups.

