Threat Management

The Threat Management screen appears after you log on to the Threat Mitigator console (or click Threat Management on the left menu bar). In the screen, run security-related tasks that are not configured to run automatically.

Select the target endpoints for each task by using predefined query criteria or by typing the endpoint’s IP address or host name.

Predefined Query Criteria

Click the link for each predefined query criteria. Endpoints included in the query result display in the table at the lower section of the screen.

The following table discusses the tasks you can run on the endpoints included in the query result.

Query Criteria	Description	Tasks
Endpoints that require post- assessment cleanup	Indicates the number of endpoints with security threats that can be eliminated by running post-assessment cleanup The number will always be 0 (zero) if you enabled the option Assess and then automatically run post-assessment cleanup if required on the Mitigation Tasks screen.	Click Require post-assessment cleanup. In the table at the lower section of the screen, select one or more Connected Endpoints and then click Run Cleanup. Check the cleanup result from the Threat Event Logs screen. To open the screen, go to the IP Address column in the table and click the IP address.
Endpoints that require custom cleanup	Indicates the number of endpoints that require custom cleanup When there are unresolved threats on an endpoint after running post-assessment cleanup, submit a case to Trend Micro through TMSP. Trend Micro then provides a solution by issuing either a custom pattern or smart protection patterns (Smart Scan Agent Pattern or Smart Scan Pattern, or both). Threat Mitigator downloads the required pattern. The number will always be 0 (zero) if you enabled the option Automatically deploy the pattern and run custom cleanup in the Mitigation Tasks screen.	Click Require custom cleanup. The patterns needed for custom cleanup (either custom pattern or Smart Scan Agent Pattern) display. Click a pattern. Endpoints requiring custom cleanup display in the table at the lower section of the screen. Select one or more Connected Endpoints and then click Deploy Pattern. After the pattern deploys, the endpoint automatically runs custom cleanup. Check the pattern deployment and custom cleanup results from the Threat Event Logs screen. To open the screen, go to the IP Address column in the table and click the IP address.
Endpoints that require a restart	Indicates the number of endpoints that need to restart Possible reasons: The mitigation exception list was updated during threat mitigation. A restart is required to refresh the list and determine if threat mitigation is still required. Some threats can only be removed completely after a restart. A Threat Management Agent service will only be loaded after a restart. Threat Management Agent was updated, but the new version will only become functional after a restart.	Click Require a restart. In the table at the lower section of the screen, check which endpoints require a restart Instruct endpoint users to restart the endpoint.
Endpoints that encountered On-demand Scan problems	Indicates the number of unsuccessful On-demand Scans launched on the local computer by users. The scan was unsuccessful because one or several infected files were not cleaned.	Click Encountered On-demand Scan problems. In the table at the lower section of the screen, select one or more Connected Endpoints, and then click Launch On-demand Scan to launch the scan remotely. If this scan encounters issues, Threat Management Agent collects forensic data to be sent to TMSP. For Agentless Endpoints, instruct users to repeat the scan.
Endpoints that have been quarantined	Indicates the number of quarantined endpoints with unresolved threats Quarantined endpoints that violated security assessment rules are not counted in this section because they are automatically released when they become compliant.	Click Have been quarantined. In the table at the lower section of the screen, select one or more Connected Endpoints, and then click Release. Check the result under the Connectivity column. An unlock icon should display.
Connected endpoints	Indicates the number of Connected Endpoints. These endpoints may or may not require mitigation.	Click Connected. A list of connected endpoints display in the Endpoint Status screen.
Disconnected endpoints	Indicates the number of Disconnected Endpoints.	To view all disconnected endpoints, click Disconnected. To view only endpoints with agents installed, click Agent Installed. To view only agentless endpoints, click No Agent Installed. A list of disconnected endpoints display in the Endpoint Status screen.

Endpoints' IP Addresses/Host Names

If you type endpoints included in mitigation exceptions, Threat Mitigator will show the endpoints but you cannot deploy a pattern, run custom cleanup, or launch On-demand Scan on these endpoints. For details about mitigation exceptions, see Mitigation Exceptions.

Threat Management screen with the Search endpoint text box and available tasks highlighted

When the endpoints display on the table, click an endpoint’s IP address under the IP Address column to view threat event details for the endpoint.

Submit a Case

When there are unresolved threats in an endpoint after post-assessment cleanup or administrator-initiated On-demand Scan, Threat Management Agent starts to collect forensic data, which you can send to Trend Micro through TMSP.

If you have TMSP as a hosted service, a Trend Micro security expert will inform you about the unresolved threats, and will ask you perform case submission. The security expert then analyzes the threats and then issues a pattern file through TMSP. If the pattern is a custom pattern created specifically for the unresolved threats, Threat Mitigator automatically downloads the custom pattern.

If you have TMSP as an on-premise application, perform case submission and then log on to TMSP’s administrative console to download forensic data. Send the forensic data to Trend Micro for analysis, wait for the pattern file, and then manually upload the pattern to TMSP.