Monitoring and Responding to Endpoint Protection Threats

This article explains how to monitor and respond to threats identified by Cato's Endpoint Protection (EPP) engines.

Overview

To increase your awareness of potential threats for your endpoints and endusers, you can view and analyze details of potential threats to determine how to respond. If potentially malicious activity is identified by an EPP engine, an Event is created containing the relevant information. The EPP events provides key information about the identified threat for example, the endpoint the threat occurred on, the time and date of the threat, and the name of the file that triggered the event. For more information about analyzing events, see Analyzing Events in Your Network.

You can also view and overview of threats detected by EPP in your network from the Endpoint Protection Dashboard.

Files that are identified a malicious can be encrypted and quarantined, depending on your protection settings. You can view quarantined files and if considered safe, restore them to their original location.

Identifying Endpoint Protection Threats

View all the events triggered by endpoint protection within a defined timeframe. The Engine Type field provides information about which engine triggered the event.

Note: An event can take 6 minutes to be created after a file is blocked.

To identify threats on your endpoints:

  1. From the navigation menu, click Monitoring > Events.

  2. In the events filter bar, click the Add icon.

    The Add Filter window opens.

  3. From the Field drop down, select Sub-Type.

  4. Form the Operator drop down, select Is.

  5. From the Value drop down, select EPP Malware

  6. Click Update Filter.

    The threats identified by EPP are displayed.

Understanding Event Fields

The following table lists the event fields in a EEP Malware event.

Field Name

Description

Action

Action that is relevant to the event type.

Mitigation Actions Taken

Action taken by EPP. Mitigation actions are:

  • Deny: The SDP user is denied access to the file

  • Disinfect Only: The malicious content identified in the file is removed. If this fails, the file remains in its current location

  • Disinfect delete: The malicious content identified in the file is removed. If this fails, the file is deleted

  • Delete: The file is deleted

  • Move to quarantine: The file is moved to quarantine and deleted

  • Ignore: No action is taken

Client Version

Version number of EPP.

Device Name

Computer name of the endpoint.

Endpoint ID

Unique ID of the EEP agent.

Engine Type

Engine that detected the threat.

Endpoint Protection Profile

EEP profile on the endpoint.

Event Count

Count for events that are repeated multiple times during one minute.

Sub-Type

Sub-Type category of the event.

Event Type

Category of the event.

File Hash

File hash of the suspicious file.

File Name

File path and name of suspicious file.

File Operation

Action the enduser took to trigger the event.

ISP Name

ISP the endpoint is connected to.

Logged In User

Enduser logged in at the time of the event.

Object Name

File path and name of suspicious file.

OS Type

Endpoint operating system.

OS Version

Endpoint operating system version.

User SID

SID of the endpoint.

Quarantining Files

If your Protection setting is set to Block and Remediate, EPP encrypts and quarantines malicious files. This prevents the enduser from accessing the file and prevents harmful processes from running on the endpoint. Quarantining potential threats ensures your endpoints remain secure and reduces the risk of infection across your environment.

You can monitor quarantined files and restore them to their original location if they are safe.

Monitoring Quarantined Files

You can monitor the files that have been quarantined on each endpoint.

To review quarantined files:

  1. From the navigation menu, click Monitoring > Protected Endpoints.

    The Protected Endpoints table is displayed.

  2. In the Quarantine Files column, click the number of the endpoint that want to view the quarantined files of.

    The quarantined files on the endpoint are displayed.

    Note

    Note: If the Quarantine Files column is blank, no quarantined files have been found on the endpoint

Restoring Quarantined Files

If a file has been mistakenly quarantined error or if you consider the file to be safe, you can restore it to the original location on the endpoint. The enduser can then access the file. After a file is restored from quarantine, it is added to the Allow List.

To restore quarantined files:

  1. From the navigation menu, click Monitoring > Protected Endpoints.

    The Protected Endpoints table is displayed.

  2. In the Quarantine Files column, click the number of the row of the endpoint you want to restore a quarantined file from.

    The Quarantine table is displayed.

  3. On the file you want to restore, click on the three dots at the end of the table.

  4. Click Restore.

    The file is restored to its original location.

Was this article helpful?

1 out of 1 found this helpful

0 comments

Add your comment