Threat Management

The Threat Management screen appears after you log on to the Threat Mitigator console (or click Threat Management on the left menu bar). In the screen, run security-related tasks that are not configured to run automatically.

Select the target endpoints for each task by using predefined query criteria or by typing the endpoint’s IP address or host name.

Predefined Query Criteria

Click the link for each predefined query criterion. Endpoints included in the query result appear in the table at the lower section of the screen.

Threat Management screen with predefined query criteria highlighted

The following table describes the tasks you can run on the endpoints included in each query result. Each entry gives the query criterion, a description, and the tasks to perform.

Predefined query criteria

Endpoints that require post-assessment cleanup

Indicates the number of endpoints with security threats that can be eliminated by running post-assessment cleanup.

The number will always be 0 (zero) if you enabled the option Assess and then automatically run post-assessment cleanup if required on the Mitigation Tasks screen.

  1. Click Require post-assessment cleanup.

  2. In the table at the lower section of the screen, select one or more Connected Endpoints and then click Run Cleanup.

  3. Check the cleanup result from the Threat Event Logs screen. To open the screen, go to the IP Address column in the table and click the IP address.

Endpoints that require custom cleanup

Indicates the number of endpoints that require custom cleanup.

When there are unresolved threats on an endpoint after running post-assessment cleanup, submit a case to Trend Micro through TMSP. Trend Micro then provides a solution by issuing either a custom pattern or smart protection patterns (Smart Scan Agent Pattern or Smart Scan Pattern, or both). Threat Mitigator downloads the required pattern.

The number will always be 0 (zero) if you enabled the option Automatically deploy the pattern and run custom cleanup in the Mitigation Tasks screen.

  1. Click Require custom cleanup. The patterns needed for custom cleanup (either custom pattern or Smart Scan Agent Pattern) display.

  2. Click a pattern. Endpoints requiring custom cleanup display in the table at the lower section of the screen.

  3. Select one or more Connected Endpoints and then click Deploy Pattern. After the pattern deploys, the endpoint automatically runs custom cleanup.

  4. Check the pattern deployment and custom cleanup results from the Threat Event Logs screen. To open the screen, go to the IP Address column in the table and click the IP address.

Endpoints that require a restart

Indicates the number of endpoints that need to restart.

Possible reasons:

  • The mitigation exception list was updated during threat mitigation. A restart is required to refresh the list and determine if threat mitigation is still required.

  • Some threats can only be removed completely after a restart.

  • A Threat Management Agent service will only be loaded after a restart.

  • Threat Management Agent was updated, but the new version will only become functional after a restart.

  1. Click Require a restart.

  2. In the table at the lower section of the screen, check which endpoints require a restart.

  3. Instruct endpoint users to restart the endpoint.

Endpoints that encountered On-demand Scan problems

Indicates the number of unsuccessful On-demand Scans that users launched on their local computers. A scan counts as unsuccessful when one or more infected files could not be cleaned.

  1. Click Encountered On-demand Scan problems.

  2. In the table at the lower section of the screen, select one or more Connected Endpoints, and then click Launch On-demand Scan to launch the scan remotely. If this scan encounters issues, Threat Management Agent collects forensic data to be sent to TMSP.

  3. For Agentless Endpoints, instruct users to repeat the scan.

Endpoints that have been quarantined

Indicates the number of quarantined endpoints with unresolved threats.

Quarantined endpoints that violated security assessment rules are not counted in this section because they are automatically released when they become compliant.

  1. Click Have been quarantined.

  2. In the table at the lower section of the screen, select one or more Connected Endpoints, and then click Release.

  3. Check the result under the Connectivity column. An unlock icon should display.

Connected endpoints

Indicates the number of Connected Endpoints. These endpoints may or may not require mitigation.

Click Connected. A list of connected endpoints displays in the Endpoint Status screen.

Disconnected endpoints

Indicates the number of Disconnected Endpoints.

To view all disconnected endpoints, click Disconnected.

To view only endpoints with agents installed, click Agent Installed.

To view only agentless endpoints, click No Agent Installed.

A list of disconnected endpoints displays in the Endpoint Status screen.

Endpoints' IP Addresses/Host Names

In the Search endpoint text box, type the endpoint's IP address or host name.

If you search for endpoints that are included in the mitigation exception list, Threat Mitigator shows the endpoints, but you cannot deploy a pattern, run custom cleanup, or launch an On-demand Scan on them. For details about mitigation exceptions, see Mitigation Exceptions.

Threat Management screen with the Search endpoint text box and available tasks highlighted

When the endpoints display on the table, click an endpoint’s IP address under the IP Address column to view threat event details for the endpoint.

You can run the following tasks on connected endpoints:

Submit a Case

When there are unresolved threats on an endpoint after post-assessment cleanup or an administrator-initiated On-demand Scan, Threat Management Agent starts to collect forensic data, which you can send to Trend Micro through TMSP.

If you have TMSP as a hosted service, a Trend Micro security expert informs you about the unresolved threats and asks you to perform case submission. The security expert analyzes the threats and issues a pattern file through TMSP. If the pattern is a custom pattern created specifically for the unresolved threats, Threat Mitigator automatically downloads the custom pattern.

If you have TMSP as an on-premise application, perform case submission and then log on to TMSP’s administrative console to download forensic data. Send the forensic data to Trend Micro for analysis, wait for the pattern file, and then manually upload the pattern to TMSP.

Threat Management screen - Submit a Case section

During case submission:

  1. The agent encrypts forensic data and archives it into a .zip file.

     Sample .zip file containing forensic data

  2. The agent uploads the .zip file to Threat Mitigator.

  3. Threat Mitigator uploads the .zip file to TMSP.

To submit a case:

  1. Type the endpoint's IP address or host name and click Search.

  2. Click Submit.

  3. Check the Current Status field. If there are case submission problems, click Submit again.
