Threat Management

The Threat Management screen appears after you log on to the Threat Mitigator console (or when you click Threat Management on the left menu bar). From this screen, you run the mitigation tasks that are not configured to run automatically. Tasks include:

The screen also lets you view endpoints that encountered On-demand Scan problems. If Threat Management Agent is installed on the endpoint, you can launch On-demand Scan remotely from the Threat Management screen. For details, see To launch On-demand Scan remotely.

Query endpoints by using the predefined query criteria or by typing an endpoint's IP address or host name. After the query, you can run threat mitigation tasks and launch On-demand Scan on the affected endpoints.

Predefined Query Criteria

Click the link for a predefined query criterion to display the affected endpoints in the table at the lower section of the screen.

Figure: Threat Management screen with predefined query criteria highlighted

Each predefined query criterion is described below, together with the tasks you can perform on the endpoints included in its query result.

Require post-assessment cleanup

Indicates the number of endpoints that require manual cleanup.

The number will always be 0 (zero) if you enabled automatic cleanup on the Mitigation Tasks screen (by selecting the option Assess and then automatically run cleanup if required). For details about the Mitigation Tasks screen, see Mitigation Tasks.

  1. Click the link to view the affected endpoints in the table at the lower section of the screen.

  2. Select one or more Connected Endpoints and then click Run Cleanup.

  3. Check the cleanup result in the threat event logs. In the IP Address column, click the IP address to open the Threat Event Logs screen.

Require custom cleanup

Indicates the number of endpoints that require manual custom cleanup.

When threats are not completely removed from an endpoint after manual or automatic cleanup, a Trend Micro security expert notifies you so that you can submit a case to TrendLabs. TrendLabs then provides a solution by issuing either a custom pattern through Threat Management Services or Smart Scan patterns (Smart Scan Agent Pattern, Smart Scan Pattern, or both). After Threat Mitigator obtains the required pattern, the number in this area is updated so that you can deploy the pattern and run custom cleanup on the affected endpoints.

The number will always be 0 (zero) if you enabled automatic custom cleanup on the Mitigation Tasks screen (by selecting the option Automatically deploy the pattern and run cleanup).

  1. Each link below this area identifies the pattern (custom pattern or Smart Scan Agent Pattern) needed to run custom cleanup. Click a link to view the affected endpoints in the table at the lower section of the screen.

    • If the required pattern is not yet available or has not been downloaded by Threat Mitigator, the pattern version will not display in the query result.

  2. Select one or more Connected Endpoints and then click Deploy Pattern. After the pattern deploys, endpoints run custom cleanup.

  3. Check the pattern deployment and custom cleanup results in the threat event logs. In the IP Address column, click the IP address to open the Threat Event Logs screen.

Encountered On-demand Scan problems

Indicates the number of endpoints (with or without Threat Management Agent installed) on which a user-initiated On-demand Scan was unsuccessful because one or more infected files were not cleaned.

  • Unsuccessful On-demand Scans initiated by administrators are not counted here. Instead, Threat Management Agent collects endpoint data, which you can then send to TrendLabs through Threat Management Services.

  1. Click the link to view the affected endpoints in the table at the lower section of the screen.

  2. For Agentless Endpoints, instruct users to repeat the scan.

  3. For Connected Endpoints, select one or more endpoints and then click Launch On-demand Scan to repeat the scan. If this scan also encounters problems, Threat Management Agent collects endpoint data to be sent to TrendLabs.

Connected

Indicates the number of Connected Endpoints. These endpoints may or may not require mitigation.

  1. Click the link to display the affected endpoints in the table at the lower section of the screen.

  2. Check the Current Status column for endpoints that require mitigation or encountered problems executing certain tasks.

Disconnected

Indicates the number of Disconnected Endpoints. If these endpoints require mitigation, the mitigation tasks run only after the connection to Threat Mitigator is re-established.

  • Endpoints with agents reporting to other Threat Mitigator servers, and agentless endpoints that have run On-demand Scan, are also considered "Disconnected".

  1. Click the link to display the affected endpoints in the table at the lower section of the screen.

  2. Click the icon under Connection Status to test the connection. The icon turns green if the connection was restored.

Endpoints' IP Addresses/Host Names

Type any of the following in the Search endpoints text box to display endpoints in the table at the lower section of the screen:

Figure: Threat Management screen with the Search endpoints text box highlighted

When the endpoints display in the table, you can run the following tasks on Connected Endpoints:

Submit a Case to TrendLabs

When post-assessment cleanup (manual or automatic) is unable to remove threats completely, Threat Management Agent begins collecting endpoint data. When data collection is complete, a Trend Micro security expert notifies you to send the data to TrendLabs so that the threat can be analyzed and a targeted solution issued.

Figure: Threat Management screen - Submit a Case to TrendLabs section

  1. Type the IP address or host name provided by the security expert and click Search.

  2. Click Submit. Threat Management Agent sends the data to Threat Mitigator, which then uploads the data to Threat Management Services. Both tasks run automatically, and the status of each is displayed in the Current Status field. If either task fails, click Submit again.

See also: