Threat Management

Threat Management

The Threat Management screen appears after you log on to the Threat Mitigator console (or click Threat Management on the left menu bar). In the screen, run mitigation tasks that are not configured to run automatically. Tasks include:

• Running post-assessment cleanup

• Submitting a case to TrendLabs

• Deploying a custom pattern issued by TrendLabs

The screen also allows you to view endpoints that encountered On-demand Scan problems. If Threat Management Agent exists on the endpoint, you can launch On-demand Scan remotely from the Threat Management screen.

Query endpoints by using predefined query criteria or by typing the endpoint’s IP address or host name. After the query, you can begin to run threat mitigation tasks and launch On-demand Scan on the affected endpoints.

Threat Management: Endpoint Query

Query endpoints by using predefined query criteria or by typing the endpoints' IP addresses/host names.

• Predefined query criteria. MORE >>

  Click the link for each predefined query criteria to display the affected endpoints in the table at the lower section of the screen.

  Predefined Query Criteria	Description	Tasks
  Require post-assessment cleanup	Indicates the number of endpoints that require manual cleanup. The number will always be 0 (zero) if you enabled automatic cleanup on the Mitigation Tasks screen (by selecting the option Assess and then automatically run cleanup if required).	Click the link to view the affected endpoints in the table at the lower section of the screen. Select one or more connected endpoints and then click Run Cleanup. Check the cleanup result from the threat event logs. On the IP Address column, you can click the IP address to open the Threat Event Logs screen.
  Require custom cleanup	Indicates the number of endpoints that require manual custom cleanup. MORE >> When threats are not completely removed from the endpoint after either manual or automatic cleanup, you can submit a case to TrendLabs. TrendLabs then issues a custom pattern to eliminate the threats. After Threat Mitigator downloads the custom pattern, the number in this area is updated to allow you to deploy the pattern and run custom cleanup on the affected endpoint. The number will always be 0 (zero) if you enabled automatic custom cleanup on the Mitigation Tasks screen (by selecting the option Automatically deploy the pattern and run cleanup).	Any of the links below this area indicates the custom pattern needed to run custom cleanup. Click a link to view the affected endpoints in the table at the lower section of the screen. Select one or more connected endpoints and then click Deploy Pattern. After the pattern deploys, endpoints run custom cleanup. Check the pattern deployment and custom cleanup results from the threat event logs. On the IP Address column, you can click the IP address to open the Threat Event Logs screen.
  Encountered On-demand Scan problems	Indicates the number of endpoints (with or without Threat Management Agent installed) where user-initiated On-demand Scan was launched. The scan was unsuccessful because one or several infected files were not cleaned. Note: Unsuccessful On-demand Scans initiated by administrators are not counted in this section. Instead, Threat Management Agent collects endpoint data, which you can then send to TrendLabs through Threat Management Services.	Click the link to view the affected endpoints in the table at the lower section of the screen. For agentless endpoints, instruct users to repeat the scan. For connected endpoints, select one or more endpoints and then click Launch On-demand Scan to repeat the scan. If this scan also encountered problems, Threat Management Agent collects endpoint data to be sent to TrendLabs.
  Connected	Indicates the number of endpoints with Threat Management Agents that can connect to Threat Mitigator. These endpoints may or may not require mitigation. An agent is considered "connected" if it was able to send a heartbeat message to Threat Mitigator at the specified time interval (15 minutes by default). Configure the time interval from the Agent Settings screen.	Click the link to display the affected endpoints in the table at the lower section of the screen. Check the Current Status column for endpoints that require mitigation or encountered problems executing certain tasks.
  Disconnected	Indicates the number of endpoints with Threat Management Agents that cannot connect to Threat Mitigator. An agent is considered "disconnected" if it was unable to send a heartbeat message to Threat Mitigator at the specified time interval. The number may also include endpoints with agents reporting to other Threat Mitigator servers, or agentless endpoints that have run On-demand Scan.	Click the link to display the affected endpoints in the table at the lower section of the screen. Click the icon under Connection Status to run a test connection. The icon turns green if connection was restored.

   

• Endpoints' IP addresses/host names. MORE >>

  Type any of the following to display endpoints in the table at the lower section of the screen:

  • One or several valid IP addresses. Separate IP addresses by commas.

  • A partial IP address (for example, typing 192.168.0 queries all endpoints with IP addresses 192.168.0.1 to 192.168.0.255)

  • One or several complete/partial host names. Separate host names by commas.

  • Note: Endpoints listed in the Mitigation Exceptions screen can be queried but you cannot deploy a custom pattern, run cleanup, or launch On-demand Scan on these endpoints.

  When the endpoints display on the table, you can run the following tasks on connected endpoints:

  • Launch On-demand Scan. If this scan encountered problems, Threat Management Agent collects endpoint data to be sent to TrendLabs.

  • Note: For agentless endpoints, provide the On-demand Scan URL to users and instruct them to launch On-demand Scan. The URL can be found on the Threat Mitigator's logon screen and on the On-demand Scan screen.

  • Deploy a custom pattern (recommended on endpoints that require custom cleanup).

  • Run cleanup (recommended on endpoints that require post-assessment cleanup).

Submit a Case to TrendLabs

When post-assessment cleanup (manual or automatic) was unable to remove threats completely, Threat Management Agent starts to collect endpoint data. When data collection is complete, a Trend Micro security expert may request you to send the data to TrendLabs so that a custom pattern can be issued to respond to the threats.

To submit a case to TrendLabs:

1. Type the IP address or host name provided by the security expert and click Search.

2. Click Submit. Threat Management Agent sends the data to Threat Mitigator, which then uploads the data to Threat Management Services. These tasks run automatically and the status for each task is displayed in the Current Status field. If there are problems related to these tasks, click Submit again.

See also:

• On-demand Scan

• Threat Mitigator Components

• Mitigation Patterns