Handling Threats
Analysis > Threats > Management provides the handling settings for Malware and XBA Threats.
Item | Description |
---|---|
Safe | Marks the selected Threats as Safe and excludes them from further handling. |
Malicious-Response | Registers response settings (Response Policy) for the selected Threats. |
Pending | Sets the verdict for the selected Threats to Hold. |
Reset | Resets the verdict for the selected Threats so that they are treated as newly detected. |
Threats file response and exception handling
The agent responds primarily to files detected as Threats. In the user UI, you can set 'React immediately' for files or issue 'React commands' to individual Endpoints. In addition, you can decide in Management whether a file with the same MD5 hash value detected again in the future should be handled without separate confirmation or continue to be displayed as a threat.
- If you want to respond after checking basic information about a file, click the Threats Analysis button in the Threats list in Management.
- Immediate response, exception handling, and false positive reporting are handled in the Management pane on the right of the detailed list.
- On the ThreatsSystem screen, clicking I am responsible lets you set the malicious/safe/hold verdict directly for the currently detected files.
- Depending on the selected Threats verdict, the corresponding detailed response or exception handling screen is displayed.
Malicious file/process response
Item | Settings | Description |
---|---|---|
Response Policy | Default | If the file is detected again, it is handled according to the rules set in Group Policy-Response. |
Response Policy | Notify | If the file is detected again, a Notify event is immediately sent to the Endpoints. |
Response Policy | Kill Process | When the corresponding process (not the file itself) is detected, a process kill event is immediately sent to the Endpoints. |
Response Policy | Delete File | When the file is detected again, a file deletion event is immediately sent to the Endpoints. The file is quarantined in the c:\program files\geni\insights\Isolate folder and deleted after a certain period of time has elapsed. |
Auto Resolve | - | When a file with the same MD5 hash value is detected again, its processing status is automatically changed to Resolved without being displayed in the Analysis menu. |
Notes | - | Users can take notes about the detected Threats. |
- For a malicious file, select the malicious verdict and set the Response Policy.
- Click the Settings Complete button for the malicious file, and the configured Response Policy is executed immediately.
- If you want to set the Threats Response Policy for a detected file without checking its basic information, select the entry in the Threats list; the Threats Response Policy button is then displayed at the top of the screen.
If Auto Resolve is selected for a malicious file, the next time the same file is detected it is treated as resolved instead of being registered as a new entry in the Analysis screen. If a user must confirm each detection even when it is a duplicate, leave the Auto Resolve option turned off.
A batch Threats Response Policy (Notify, Kill Process, Delete File) can be set from the list rather than from the Management screen; its basic operation is the same as the Response Policy settings described above.
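The Response Policy and Auto Resolve behaviour described above can be summarised as a small state machine keyed on the file's MD5 hash: an unknown hash goes to the Analysis queue as new, a Safe verdict excludes the file, Hold parks it, and a Malicious verdict dispatches the configured response (or the group policy when Default is selected) and, with Auto Resolve on, marks the repeat detection Resolved instead of re-listing it. The following is an added illustrative model of that logic, not Genian Insights code; the class and field names (`ThreatManager`, `Detection`, `set_policy`, the event tuples) are assumptions chosen for the example, and the sample file contents are constructed. It also makes explicit a property worth remembering when relying on the hash match: any change to the file bytes yields a different MD5 and therefore a brand-new entry, and MD5 itself is not collision resistant, so a hash-keyed verdict should be one control among several.

```python
"""Illustrative model of per-file Threats verdicts, Response Policy and Auto Resolve.
Added example, not product code. Names and event shapes are assumptions."""
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    MALICIOUS = "malicious"
    SAFE = "safe"
    HOLD = "hold"


class ResponsePolicy(Enum):
    DEFAULT = "default"          # fall back to Group Policy-Response
    NOTIFY = "notify"
    KILL_PROCESS = "kill_process"
    DELETE_FILE = "delete_file"


@dataclass
class ThreatSetting:
    verdict: Verdict
    policy: ResponsePolicy = ResponsePolicy.DEFAULT
    auto_resolve: bool = False
    notes: str = ""


@dataclass
class Detection:
    """One detection reported by an endpoint. md5 is derived from the content."""
    endpoint: str
    path: str
    content: bytes
    is_process: bool = False     # True when a running process was detected
    md5: str = field(init=False)

    def __post_init__(self) -> None:
        self.md5 = hashlib.md5(self.content).hexdigest()


class ThreatManager:
    def __init__(self, group_policy: ResponsePolicy = ResponsePolicy.NOTIFY) -> None:
        self.group_policy = group_policy           # Group Policy-Response (assumed)
        self.settings: dict[str, ThreatSetting] = {}
        self.analysis_queue: list[dict] = []       # entries shown in the Analysis menu
        self.events: list[tuple[str, str, str]] = []  # (endpoint, event, md5) sent out

    def set_policy(self, md5: str, verdict: Verdict,
                   policy: ResponsePolicy = ResponsePolicy.DEFAULT,
                   auto_resolve: bool = False, notes: str = "") -> None:
        self.settings[md5] = ThreatSetting(verdict, policy, auto_resolve, notes)

    def reset(self, md5: str) -> None:
        """Reset: drop the verdict so the next detection is treated as new."""
        self.settings.pop(md5, None)

    def handle(self, det: Detection) -> str:
        """Return the processing status for this detection."""
        setting = self.settings.get(det.md5)
        if setting is None:
            self.analysis_queue.append({"md5": det.md5, "path": det.path, "status": "new"})
            return "new"
        if setting.verdict is Verdict.SAFE:
            return "excluded"                      # Safe: no response, not listed
        if setting.verdict is Verdict.HOLD:
            self.analysis_queue.append({"md5": det.md5, "path": det.path, "status": "hold"})
            return "hold"
        # Malicious: Default defers to the group policy, otherwise use the file's own.
        policy = self.group_policy if setting.policy is ResponsePolicy.DEFAULT else setting.policy
        self._respond(det, policy)
        if setting.auto_resolve:
            return "resolved"                      # repeat detection is not re-listed
        self.analysis_queue.append({"md5": det.md5, "path": det.path, "status": "new"})
        return "new"

    def _respond(self, det: Detection, policy: ResponsePolicy) -> None:
        if policy is ResponsePolicy.NOTIFY:
            self.events.append((det.endpoint, "notify", det.md5))
        elif policy is ResponsePolicy.KILL_PROCESS:
            # Assumption: a kill is only meaningful for a process detection.
            if det.is_process:
                self.events.append((det.endpoint, "kill_process", det.md5))
        elif policy is ResponsePolicy.DELETE_FILE:
            self.events.append((det.endpoint, "delete_file", det.md5))


if __name__ == "__main__":
    mgr = ThreatManager()
    first = Detection("host1", r"C:\Temp\sample.exe", b"constructed sample content")
    print(first.md5, mgr.handle(first))                              # new
    mgr.set_policy(first.md5, Verdict.MALICIOUS, ResponsePolicy.DELETE_FILE, auto_resolve=True)
    again = Detection("host2", r"D:\Downloads\copy.exe", b"constructed sample content")
    print(mgr.handle(again), mgr.events[-1])                         # resolved, delete_file event
    variant = Detection("host2", r"D:\Downloads\copy.exe", b"constructed sample content!")
    print(mgr.handle(variant))                                        # new: different MD5
```

The same content seen under a different path or on a different endpoint still matches by MD5 and is auto-resolved, while a one-byte variant does not match and lands in the Analysis queue as a new entry, which is exactly the case where leaving Auto Resolve off and confirming manually may be preferable.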
Malicious file/process exception handling
If the detected file is a false positive, exception handling is also configured in the Management menu.
Item | Description |
---|---|
Notes | Users can write notes about detected files. |
Reporting false positives | If a normal file has been detected as a threat, reports the false positive to Ecosystem through false positive reporting. File information reported as a false positive is later registered in the Goodware DB. |
If a file is detected as a Threat but users cannot determine whether it is malicious, or the information available through external links is insufficient to confirm it, the response to the file can be withheld (Hold). Files detected by machine learning are the primary candidates for Hold.