Mitigation Status

This topic lists the statuses recorded for threat mitigation tasks and for On-demand Scan, and the action to take when a particular status appears. Each status is recorded in the Threat Event Logs.

Status for Threat Mitigation Tasks

When a threat mitigation task runs, the status of the task is recorded in the Threat Event Logs.

Status

Description and Recommended Actions

No Action Required

Mitigation in progress

Threat Mitigator received an event from a data source and is waiting for the agent to process the mitigation task.

Cleaned threats: All threats cleaned

The agent has cleaned all threats detected on the endpoint.

Rollback successful

The agent successfully rolled back the mitigation action.

 

Action Required

Assessed endpoint: Manual cleanup needed

The agent detected threats in the endpoint during assessment but did not run cleanup because you have chosen to run cleanup manually.

On the Threat Management screen, click the Require post-assessment cleanup link. On the table at the lower section of the screen, select the endpoint and then click Cleanup.

No mitigation: Mitigation exception

The agent cannot perform the mitigation task because a mitigation exception has been satisfied (for example, if the affected endpoint’s IP address is included in the mitigation exception list).

Check the threat detected on the endpoint. Consider removing the endpoint from the exception list if you want to run mitigation tasks on the endpoint, and then add the endpoint to the list again after all mitigation tasks have been completed.

  • Note: You can also configure mitigation exceptions on Threat Discovery Appliance. Threat Discovery Appliance still scans IP addresses on its own exclusion list, but it does not send mitigation requests to Threat Mitigator for threats found on them. Endpoints excluded at Threat Discovery Appliance therefore never reach Threat Mitigator and are not listed under this status; check the Threat Discovery Appliance logs for detections on those addresses.

Unsuccessful: mitigation timeout

The agent did not finish a task within a certain time period. The timeout period for the task cannot be configured.

Actions:

  1. Collect debug information from endpoints.

  2. Send the logs to your support provider for analysis.

Unsuccessful: Cannot connect to endpoint

Threat Mitigator notified the agent to run a mitigation task. However, the agent was unreachable for one hour (Threat Mitigator keeps mitigation requests for one hour).

Verify the following:

  • The endpoint runs a supported operating system.

  • The endpoint successfully installed the agent and the agent is currently running.

  • The endpoint is up and running, and is able to connect to the network.

  • There is a functional connection between Threat Mitigator and the agent.
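The four checks above can be run from the endpoint itself. The following PowerShell script is an added example (not Trend Micro's code) that reports each item so the result can be compared with the supported-platform list. The parameters are assumptions: substitute your Threat Mitigator address, the port it listens on, and the agent's Windows service name as shown in services.msc; the page only documents the %WINDIR%\PEAgent\TDME folder, so the default service name below is a placeholder.

```powershell
<#
 Added example, not part of the product documentation.
 Run on an endpoint whose task shows "Unsuccessful: Cannot connect to endpoint".
 -MitigatorHost, -MitigatorPort and -AgentService are assumptions for your
 own deployment; 'PEAgent' is a placeholder service name.
#>
param(
    [Parameter(Mandatory = $true)][string]$MitigatorHost,
    [Parameter(Mandatory = $true)][int]$MitigatorPort,
    [string]$AgentService = 'PEAgent'
)

$checks = [ordered]@{}

# 1. Operating system: report caption and version so it can be checked
#    against the list of supported platforms.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$checks['OS'] = "$($os.Caption) $($os.Version) ($($os.OSArchitecture))"

# 2. Agent installed and running. The agent's files live under
#    %WINDIR%\PEAgent\TDME (the folder used by the rollback procedure).
$agentExe = Join-Path $env:WINDIR 'PEAgent\TDME\TDME.exe'
$checks['AgentInstalled'] = Test-Path -Path $agentExe
$svc = Get-Service -Name $AgentService -ErrorAction SilentlyContinue
$checks['AgentService'] = if ($svc) { $svc.Status.ToString() } else { 'not found' }

# 3. Endpoint is up and on the network: is there a default gateway, and
#    does it answer a single ping?
$route = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
         Select-Object -First 1
if ($route) {
    $gwUp = Test-Connection -ComputerName $route.NextHop -Count 1 -Quiet
    $checks['DefaultGateway'] = "$($route.NextHop) reachable=$gwUp"
} else {
    $checks['DefaultGateway'] = 'none'
}

# 4. Path between this endpoint and Threat Mitigator: name resolution plus
#    a TCP handshake on the configured port.
$tnc = Test-NetConnection -ComputerName $MitigatorHost -Port $MitigatorPort `
                          -WarningAction SilentlyContinue
$checks['MitigatorResolved'] = [bool]$tnc.RemoteAddress
$checks['MitigatorTcp']      = $tnc.TcpTestSucceeded

# One object per endpoint; pipe to Export-Csv when checking several machines.
[pscustomobject]$checks | Format-List
```

A false value in AgentInstalled or AgentService points at the agent itself; a false MitigatorTcp with a reachable gateway points at a firewall or routing problem between the endpoint and Threat Mitigator rather than at the endpoint. Remember that Threat Mitigator only keeps a mitigation request for one hour, so after the fix the task has to be issued again.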

Unsuccessful: Cannot run mitigation task on platform

The agent is running and can run mitigation tasks but the endpoint’s operating system does not support the mitigation task.

If the endpoint’s operating system supports On-demand Scan, try launching the scan from the Threat Management screen or instruct the user to run the scan directly on the endpoint.

Unsuccessful: Incomplete task

Threat Mitigator restarted and was unable to resume pending mitigation tasks.

Collect system logs and then send them to your support provider.

Unsuccessful: Not all threats cleaned

The agent was unable to clean all threats.

Review the threats listed in the Clean History tab in the Event Details screen. You can manually remove detected threats that you consider harmless.

Unsuccessful: Agent component problem

Files or components used by the agent may be corrupted.

Uninstall the agent, restart the endpoint, and then install the agent.

Unsuccessful: Threat no longer exists or requires verification

The agent cannot locate the threat reported by the data source or further investigation is necessary to confirm the presence of the threat.

Actions:

  1. Collect debug information from endpoints.

  2. Send the logs to your support provider for analysis.

Unsuccessful: Potential threat requires verification

The agent found potential threats.

Actions:

  1. Collect debug information from endpoints.

  2. Send the logs to your support provider for analysis.

Unsuccessful: Agent component error

The agent cannot perform the mitigation task because a component used by the agent encountered an error.

Actions:

  1. Uninstall the agent, restart the endpoint, and then install the agent.

  2. If the same error occurs, collect debug information from endpoints.

  3. Send the logs to your support provider for analysis.

Unsuccessful: Corrupted configuration file

A configuration file required to run a mitigation task is corrupted.

Actions:

  1. Collect debug information from endpoints.

  2. Send the logs to your support provider for analysis.

Unsuccessful: Pattern not found

A pattern required to run a mitigation task is not available.

Run a manual update from the Threat Mitigator console to download the latest patterns.

If the missing pattern is a custom pattern issued by TrendLabs, there may be problems between Threat Management Services and Threat Mitigator. Report this problem immediately to your support provider.

Unsuccessful: Cannot connect to Smart Scan Server

The agent cannot start a mitigation task because it cannot connect to the Smart Scan Server or the Trend Micro Global Smart Scan Server.

If the agent has already started a mitigation task and then loses its connection to both scan servers, it skips the files that need a scan query and users can continue to access them. The task is therefore fail-open rather than fail-closed: treat the endpoint as not fully assessed until connectivity is restored and the task has been run again.

Ensure that smart scan settings are correct and that there is a functional connection between the agent and the scan servers.

Rollback Unsuccessful

The agent was unable to completely roll back files, registry keys, or services because the backup file does not exist or is corrupted.

To complete the rollback:

  1. Locate the Task ID for the mitigation task on the Event Details screen. Each task has its own Task ID, so open the Event Details screen of every task you need to roll back.

  2. Navigate to %WINDIR%\PEAgent\TDME\backup\F\<TaskID> and check that the backup (.dat) files exist.

  3. From the %WINDIR%\PEAgent\TDME folder, run the command TDME.exe /RESTORE <TaskID>.

  4. If these steps do not restore the files, registry keys, or services, collect debug information from the endpoint.

  5. Send the log files to your support provider for analysis.
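When several tasks on one endpoint report "Rollback Unsuccessful", the check-then-restore steps above can be scripted. The following PowerShell script is an added example and not Trend Micro's code: it takes the Task IDs read from the Event Details screens, verifies that each task's backup folder under %WINDIR%\PEAgent\TDME\backup\F contains .dat files, runs TDME.exe /RESTORE only for those, and lists which tasks still need debug information. The page does not document TDME.exe exit codes, so treating a non-zero exit code as a failed restore is an assumption.

```powershell
<#
 Added example, not part of the product documentation.
 Usage (elevated PowerShell, on the affected endpoint):
   .\Restore-MitigationTasks.ps1 -TaskId 'TASKID-1','TASKID-2'
 The Task IDs are placeholders; read the real ones from each task's
 Event Details screen.
#>
param(
    [Parameter(Mandatory = $true)]
    [string[]]$TaskId
)

$tdmeDir    = Join-Path $env:WINDIR 'PEAgent\TDME'
$tdmeExe    = Join-Path $tdmeDir    'TDME.exe'
$backupRoot = Join-Path $tdmeDir    'backup\F'

if (-not (Test-Path -Path $tdmeExe)) {
    throw "TDME.exe not found at $tdmeExe; the agent may not be installed on this endpoint."
}

$results = foreach ($id in $TaskId) {
    # Step 2 of the procedure: does this task's backup folder hold .dat files?
    $backupDir = Join-Path $backupRoot $id
    $datFiles  = @(Get-ChildItem -Path $backupDir -Filter '*.dat' -File `
                                 -ErrorAction SilentlyContinue)

    if ($datFiles.Count -eq 0) {
        # Nothing to restore from: TDME.exe cannot help, so this task
        # goes straight to "collect debug information".
        [pscustomobject]@{ TaskId = $id; BackupFiles = 0; Restore = 'skipped (no backup)' }
        continue
    }

    # Step 3: run TDME.exe /RESTORE <TaskID> from the TDME folder.
    $proc = Start-Process -FilePath $tdmeExe -ArgumentList "/RESTORE $id" `
                          -WorkingDirectory $tdmeDir -Wait -PassThru -NoNewWindow

    # Assumption: exit code 0 means the restore succeeded. The documentation
    # does not list exit codes, so verify the result in the console as well.
    $status = if ($proc.ExitCode -eq 0) { 'ok' } else { "failed (exit $($proc.ExitCode))" }

    [pscustomobject]@{ TaskId = $id; BackupFiles = $datFiles.Count; Restore = $status }
}

$results | Format-Table -AutoSize

# Steps 4 and 5: every task whose Restore column is not 'ok' still needs
# debug information collected and sent to the support provider.
$results | Where-Object { $_.Restore -ne 'ok' } | ForEach-Object {
    Write-Warning "Task $($_.TaskId): $($_.Restore); collect debug information for support."
}
```

Run the script with the same privileges the agent uses, since restoring registry keys and services requires administrative rights. A task that shows 'skipped (no backup)' is the case the status text describes (the backup file does not exist), and no amount of re-running TDME.exe will change it.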

 

Status for On-demand Scan

When On-demand Scan runs, the status of the scan is recorded in the Threat Event Logs. Users can run On-demand Scan directly on the endpoint. You can also launch it remotely from the Threat Mitigator console.

Status

Description and Recommended Actions

No Action Required

Scanned endpoint: No threat found

On-demand Scan did not find threats on the endpoint.

  • Note: The number of files scanned during the scanning session depends on the scan type configured from the Threat Mitigator console.

Cleaned threats: All threats cleaned

On-demand Scan cleaned all the threats detected on the endpoint.

 

Action Required

Scanned endpoint: No action performed on threats

Users can manually select the threats to clean during On-demand Scan. During the scan, the user chose to leave all the detected threats uncleaned.

Check if there is a reason for not cleaning the threats (for example, if the affected files are required to run the endpoint properly). For threats that you believe are safe to access, send threat samples to your support provider for analysis.

Cleaned threats: All selected threats cleaned

During the scan, all the threats that the user selected for cleaning have been cleaned, but some threats have been left uncleaned.

Check if there is a reason for not cleaning the remaining threats (for example, if the affected files are required to run the endpoint properly). For threats that you believe are safe to access, send threat samples to your support provider for analysis.

Unsuccessful: Not all threats cleaned

On-demand Scan was unable to clean some threats possibly because of errors in the On-demand Scan program or the agent (if the agent is installed on the endpoint).

Actions:

  1. Ask the user to run On-demand Scan again to clean the uncleaned threats.

  2. If the uncleaned threats cannot be cleaned, collect debug information from endpoints.

Unsuccessful: Not all selected threats cleaned

During the scan, some of the threats that the user selected for cleaning were not cleaned possibly because of errors in the On-demand Scan program or the agent (if the agent is installed on the endpoint). The user also chose to leave some threats uncleaned.

Actions:

  1. Ask the user to run On-demand Scan again to clean the uncleaned threats.

  2. If the uncleaned threats cannot be cleaned, collect debug information from endpoints.

  3. Check if there is a reason for not cleaning the threats the user chose not to clean (for example, if the affected files are required to run the endpoint properly). For threats that you believe are safe to access, send threat samples to your support provider for analysis.

Unsuccessful: Cannot connect to Smart Scan Server

On-demand Scan cannot start because the endpoint cannot connect to the Smart Scan Server or the Trend Micro Global Smart Scan Server.

If On-demand Scan is already in progress when the endpoint loses its connection to both scan servers, the scan skips the files that need a scan query and users can continue to access them. Those files have not been verified; rerun the scan once connectivity is restored.

Ensure that smart scan settings are correct and that there is a functional connection between the endpoint and the scan servers.

Unsuccessful: Agent component error

On-demand Scan was launched on an endpoint that has an agent installed. A component used by the agent encountered an error.

Actions:

  1. Uninstall the agent, restart the endpoint, and then install the agent.

  2. If the same error occurs, collect debug information from endpoints.

  3. Send the logs to your support provider for analysis.