Managing the Endpoint Protection Solution

This article explains how to manage the EPP agents you have installed on your endpoints.

Overview

There are various actions you can take to manage the EPP agents deployed in your environment. Agents perform one action at a time. You can terminate an action at any time, and an action that is not taken within 7 days expires.

The actions you can take on an endpoint are:

Note: Upload logs and Reinstall Drivers can only be triggered by a Cato representative, pending admin approval.

Protecting Cato's EPP Solution

Cato's EPP has Anti-Tampering protection enabled by default. This protects the processes, files, services, and registries used by the EPP solution from malicious modifications or kill attempts. This also protects against unintentional end-user actions that might compromise security.

Disabling Protection of EPP

You can temporarily unlock the Anti-Tampering protection for 15 minutes, for example, if you need to uninstall the solution. After this time, or if the endpoint is rebooted, Anti-Tampering protection is re-enabled.

To unlock protection:

  1. From the navigation menu, click Monitoring > Protected Endpoints.

    The Protected Endpoints screen is displayed.

  2. Click the three dots on the endpoint for which you are unlocking protection.

  3. Click Unlock Anti-Tamper.

    Anti-Tampering protection is temporarily disabled.

Removing EPP from an Endpoint

If EPP is no longer required on an endpoint, it can be uninstalled and, if necessary, deleted from your account. After the solution is uninstalled, the EPP engines cannot scan for malicious activity and no Events are reported. The endpoint remains on the Protected Endpoint table until it is deleted.

Uninstalling and Deleting an Endpoint

You can uninstall EPP from an endpoint and delete the endpoint from your account in a single action.

Note: Supported from EPP Agent v1.1. If you try to delete and uninstall EPP Agent v1.0, no action is taken until the Agent is upgraded to v1.1.

To uninstall and delete an endpoint:

  1. From the navigation menu, click Monitoring > Protected Endpoints.

    The Protected Endpoints screen is displayed.

  2. Click on the three dots on the endpoint that you are deleting.

  3. Click Remove Endpoint.

    The Remove Endpoint dialog box is displayed.

  4. Click Remove Endpoint & Uninstall Agent.

    EPP is uninstalled from the endpoint and the endpoint is deleted from your account.

Uninstalling an Endpoint

You can uninstall EPP on an endpoint so that the EPP engines cannot scan for malicious activity and no Events are reported. Until the endpoint is deleted, it is visible on the Protected Endpoint table.

To uninstall an endpoint:

  1. From the navigation menu, click Monitoring > Protected Endpoints.

    The Protected Endpoints screen is displayed.

  2. Click on the three dots on the endpoint that you are uninstalling.

  3. Click Uninstall Agent.

    The Uninstall Agent dialog box is displayed.

  4. Click Uninstall Agent.

    EPP is uninstalled from the endpoint.

Deleting an Endpoint

If EPP is no longer installed on an endpoint, the endpoint can be deleted from the Protected Endpoint table.

Note: Do not delete an endpoint from the Protected Endpoint table before EPP has been uninstalled.

To delete an endpoint:

  1. From the navigation menu, click Monitoring > Protected Endpoints.

    The Protected Endpoints screen is displayed.

  2. Click on the three dots on the endpoint that you are deleting.

  3. Click Remove Endpoint.

    The Remove Endpoint dialog box is displayed.

  4. Click Remove Endpoint.

    The endpoint is deleted from the Protected Endpoints screen.

Terminating an Action

After an action is created, you can terminate it at any time.

To terminate an action:

  1. From the navigation menu, click Monitoring > Protected Endpoints.

  2. Click the Actions History tab.

  3. Click on the three dots on the action you are terminating.

  4. Click Cancel Action.

Reviewing Endpoint Actions 

You can view the near real-time status and history of actions sent to the EPP agent. The EPP agent sends an update on the status of an action it has received every 30 seconds.

Note: Actions can be reviewed from agent version 1.2 and higher.

To review endpoint actions:

  1. From the navigation menu, click Monitoring > Protected Endpoints.

  2. Click the Actions History tab.

Understanding the Actions History Table Columns

The following table describes the Actions History table.

Column: Explanation

Action ID: Unique reference of the action.

Endpoint ID: Unique ID of the EPP agent.

Created On: Time stamp of when the action was created.

Endpoint Name: Computer name of the endpoint.

Action: Action taken on the endpoint.

Status: The near real-time status of the action. Possible statuses are:

  • Pending: The action has been sent to the EPP agent but it has not been delivered.

  • Delivered: The action has been received by the EPP agent, but it has not been run.

  • Running: The action is running.

  • Done: The action has completed successfully.

  • Expired: The action was not taken after 7 days.

  • Termination-Pending: A termination request of the action has been sent to the EPP agent, but it has not been received.

  • Termination-Delivered: A termination request of the action has been received by the EPP agent.

  • Terminated: The action is stopped.

  • Error: An issue has occurred.

Details: Additional information about the action.

Last Update Time: Time stamp of the last time an update on the action was received.

Created By: The admin that created the action.

Endpoint Status: The status of the endpoint.
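
The following is an added example, not part of Cato's documentation or product code, showing how the Actions History columns and statuses above can be reviewed for actions that reduce protection, expired or failed, or stopped receiving agent updates. It assumes the table rows are available as dictionaries keyed by the column names, that timestamps are ISO 8601, that the Action column shows the menu labels used in this article, and that ten missed 30-second updates is the chosen silence threshold; the sample rows are constructed.

```python
from datetime import datetime

UPDATE_INTERVAL_S = 30   # from the article: agent reports action status every 30 seconds
MISSED_UPDATES = 10      # assumption: how many missed updates are tolerated before flagging
# Assumption: the Action column shows the menu labels used in this article.
WEAKENING = {"Unlock Anti-Tamper", "Uninstall Agent", "Remove Endpoint"}
# Statuses in which the agent holds the action and should be sending updates.
AGENT_HELD = {"Delivered", "Running", "Termination-Delivered"}

def triage(rows, now):
    """Return (action_id, reason) pairs for rows that need an admin's attention."""
    findings = []
    for r in rows:
        aid, status = r["Action ID"], r["Status"]
        updated = datetime.fromisoformat(r["Last Update Time"])
        silent_s = (now - updated).total_seconds()
        if r["Action"] in WEAKENING:
            findings.append(
                (aid, f"protection-reducing action requested by {r['Created By']}"))
        if status == "Error":
            findings.append((aid, "action ended in Error"))
        elif status == "Expired":
            findings.append((aid, "action was not taken within 7 days"))
        elif status in AGENT_HELD and silent_s > MISSED_UPDATES * UPDATE_INTERVAL_S:
            findings.append((aid, f"no agent update since {updated.isoformat()}"))
    return findings

def row(aid, action, status, updated, by="admin@example.com"):
    # Helper for building constructed sample rows; not real Cato output.
    return {"Action ID": aid, "Action": action, "Status": status,
            "Last Update Time": updated, "Created By": by}

NOW = datetime(2024, 5, 10, 12, 0, 0)
SAMPLE = [
    row("A-1", "Unlock Anti-Tamper", "Done", "2024-05-10T11:30:30"),
    row("A-2", "Upload logs", "Running", "2024-05-10T11:40:00"),       # silent for 20 min
    row("A-3", "Reinstall Drivers", "Expired", "2024-05-09T09:00:00"),
    row("A-4", "Upload logs", "Running", "2024-05-10T11:59:40"),       # updated 20 s ago
]

if __name__ == "__main__":
    for action_id, reason in triage(SAMPLE, NOW):
        print(action_id, reason)
```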
