Retro Scan in Endpoint Sensor

Retro Scan investigates historical events and their activity chain based on a specified search condition. The results can be viewed as a mind map showing the execution flow of any suspicious activity. This facilitates the analysis of the enterprise-wide chain of events involved in a targeted attack.  

Retro Scan uses the following object types for its investigation:

  • DNS record

  • IP address

  • File name

  • File path

  • SHA-1 hash values

  • MD5 hash values

  • User account

Retro Scan queries a normalized database containing an endpoint's historical events. Compared to a traditional log file, this method uses less disk space and consumes less resources.