
Questions about Unhandled Threats & Resolved Threats



Hello!

Please bear with me, as this is my first post on these forums.

I have some questions about ESMC v7 and its display of Unhandled Threats, and about dealing with "Resolved" threats.

For the Unhandled Threats I have set up a Dynamic Group that uses the following expression:

Active threats . Threat handled = no (I also attached a screenshot)

The way I understand it, this should show any threats that are outstanding and have not had any "action" done to them, correct? By action I mean clean, delete, block, etc.

The reason I ask is that if I look at my Threats tab I have several more devices listed there with threats that have had no action done to them and are unresolved, yet they do not show up in my Unhandled Threats group.

As for the "Resolved" threats question: I read that in v7 it should be possible to have the system auto-resolve and clear out the threat listing by performing a scan? Is this correct? If so, what type of scans qualify for this? Has anyone successfully automated this to clear out the low-hanging fruit, leaving only the issues that need actual attention in the Threats tab?

Any advice you guys and gals can provide would be greatly appreciated.
 
 

(Attached screenshot: ESETDynamicGroupExpression.PNG)


  • Administrators

I'd start off by asking you what active / unhandled threats you have. The thing is that in a managed environment the security product handles even potentially unsafe or unwanted applications as though in strict cleaning mode, i.e. fully automatically.


Marcos,

Here are a few of them:

  • Type: (no type given); Cause: Suspicious; Object: file:///C:/Windows/system32/en-US/IEFRAME.dll.mui
  • Type: trojan; Cause: HTML/ScrInject.B; Object: file:///C:/Documents and Settings/[USERNAME REMOVED]/AppData/Local/Microsoft/Windows/Temporary Internet Files/Content.IE5/MFSTZ8NF/7b973e50[1]
  • Type: potentially unwanted application; Cause: OSX/CleanMyMac.A; Object: file:///G:/$RECYCLE.BIN/S-1-5-21-2973374289-3595491005-59360181-23882/$RFW5CJ5.dmg/4.hfs


Hi guys,

I'm going to take advantage of this open topic to throw in my question. Is there a way to prevent ESET from marking a threat as resolved even when it blocked, deleted or cleaned the infection? How can I distinguish threats marked as resolved by ESET from threats marked as resolved by an administrator?

I'm asking this because, as SOC personnel, we sometimes need to do further investigation on a particular event even when it was already taken care of by ESET itself. We have found difficulties tracking our progress in the Console Threats section, because the available filters let you view resolved vs. unresolved threats but do not differentiate between the ones marked as resolved by ESET and the ones marked as resolved by a person.

Hope I'm making myself clear.

Thanks in advance,  


  • ESET Staff

@CCross

I would try to respond to your question:

  1. No, the "auto resolving" currently applies only to detections reported by the "antivirus" module. Detections by the firewall / HIPS / other modules need to be resolved manually. We are tracking an improvement for it (internal reference "IDEA-872").
  2. It's not currently possible to tell apart the ones that were "resolved automatically" and "resolved manually". Such functionality is currently available only inside our EDR product, Enterprise Inspector. We are also tracking improvements for both adding the field about who did it (P_ESMC-13329) and more complex incident workflow management (IDEA-663).

Regards,

Michal 


  • ESET Staff

@Bill Lyons

As of now, there are still two "mixed" concepts in ESMC: Resolved/Unresolved threats, and "Active" threats.

I would recommend not using "active threats" for the dynamic group creation, as that works only for the AV-related detection type; therefore the "count" of computers in that group would not match up (it would be smaller, as other detection techniques are not counted as a "matching criterion").

The count in the "unresolved" detections column in the "Computers" pane should reflect the filtered view of the "Threats" pane for a particular computer. You can verify this by going to "Computer details", where there is a tab called "Threats".

Only threats reported by "Antivirus" are "marked as resolved" automatically; the other ones, regardless of whether they were blocked or not, are not automatically resolved. As stated in the post above, this is something to be eventually changed, but the intention of "showing them" is that they might indicate some problem that should be checked by the security staff.

Resolving threats on a computer by running a scan (that covers the path of that particular threat) works only for AV-detection-type reported threats. To clear the content of the "active threats" DG, you have to execute an in-depth scan, with strict cleaning enabled, covering "all disks".
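The reply above explains why the "Active threats" dynamic group and the per-computer "unresolved" count disagree: the group only sees antivirus-module detections, while the unresolved count covers every module, and only antivirus detections are auto-resolved by a scan. The following is an added illustration of that data model, written for this thread and not ESMC's own code or API; the module names, field names and the sample detections are constructed.

```python
from dataclasses import dataclass


@dataclass
class Detection:
    """One detection record as the console would list it (constructed model)."""
    computer: str
    module: str       # reporting module: "antivirus", "firewall", "hips", ...
    handled: bool     # an action (clean, delete, block) was applied
    resolved: bool    # marked resolved, by ESMC automatically or by an admin


def sample_detections():
    """Constructed sample: four detections on three computers (not real ESMC data)."""
    return [
        Detection("PC1", "antivirus", handled=False, resolved=False),
        Detection("PC2", "antivirus", handled=True, resolved=True),
        Detection("PC2", "firewall", handled=False, resolved=False),
        Detection("PC3", "hips", handled=True, resolved=False),
    ]


def active_threats_group(detections):
    """Members of a DG built on 'Active threats . Threat handled = no'.
    As the staff reply states, only antivirus-module detections count here."""
    return sorted({d.computer for d in detections
                   if d.module == "antivirus" and not d.handled})


def unresolved_counts(detections):
    """The 'unresolved' column in the Computers pane: every module counts."""
    counts = {}
    for d in detections:
        if not d.resolved:
            counts[d.computer] = counts.get(d.computer, 0) + 1
    return counts


def resolve_by_scan(detections, computer):
    """Model of an in-depth, all-disks scan with strict cleaning on one
    computer: it auto-resolves that computer's antivirus detections only.
    Returns the detections on that computer that remain unresolved."""
    for d in detections:
        if d.computer == computer and d.module == "antivirus":
            d.handled = True
            d.resolved = True
    return [d for d in detections if d.computer == computer and not d.resolved]


if __name__ == "__main__":
    dets = sample_detections()
    print("Active threats DG:", active_threats_group(dets))      # ['PC1']
    print("Unresolved per computer:", unresolved_counts(dets))   # PC1, PC2, PC3
    print("Left on PC2 after scan:", resolve_by_scan(dets, "PC2"))  # firewall stays
```

PC2 and PC3 carry unresolved firewall/HIPS detections yet never enter the group, which is exactly the mismatch described in the opening post.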
