Threat Management
The Threat Management screen appears after you log on to the Threat Mitigator console (or click Threat Management on the left menu bar). From this screen, run security-related tasks that are not configured to run automatically.
Select the target endpoints for each task by using predefined query criteria or by typing the endpoint’s IP address or host name.
Click the link for a predefined query criterion. Endpoints included in the query result are displayed in the table at the lower section of the screen.
Click the endpoint’s IP address under the IP Address column to view threat event details for the endpoint.
Threat Management screen with predefined query criteria highlighted
The following table describes the predefined query criteria and the tasks you can run on the endpoints included in each query result.
Predefined query criteria

Query Criteria | Description | Tasks
--- | --- | ---
 | Indicates the number of endpoints with security threats that can be eliminated by running post-assessment cleanup. The number will always be 0 (zero) if you enabled the option Assess and then automatically run post-assessment cleanup if required on the Mitigation Tasks screen. | 
 | Indicates the number of endpoints that require custom cleanup. When there are unresolved threats on an endpoint after running post-assessment cleanup, submit a case to Trend Micro through TMSP. Trend Micro then provides a solution by issuing either a custom pattern or smart protection patterns (Smart Scan Agent Pattern or Smart Scan Pattern, or both). Threat Mitigator downloads the required pattern. The number will always be 0 (zero) if you enabled the option Automatically deploy the pattern and run custom cleanup on the Mitigation Tasks screen. | 
Endpoints that require a restart | Indicates the number of endpoints that need to restart. Possible reasons: | 
Endpoints that encountered On-demand Scan problems | Indicates the number of unsuccessful On-demand Scans launched on the local computer by users. A scan is unsuccessful when one or several infected files were not cleaned. | 
Endpoints that have been quarantined | Indicates the number of quarantined endpoints with unresolved threats. Quarantined endpoints that violated security assessment rules are not counted here because they are automatically released when they become compliant. | 
Connected endpoints | Indicates the number of connected endpoints. These endpoints may or may not require mitigation. | Click Connected. A list of connected endpoints is displayed in the Endpoint Status screen.
Disconnected endpoints | Indicates the number of disconnected endpoints. | To view all disconnected endpoints, click Disconnected. To view only endpoints with agents installed, click Agent Installed. To view only agentless endpoints, click No Agent Installed. A list of disconnected endpoints is displayed in the Endpoint Status screen.
In the Search endpoint text box, type any of the following:
One or several valid IP addresses. Separate IP addresses by commas.
A partial IP address (for example, typing 192.168.0 queries all endpoints with IP addresses 192.168.0.1 to 192.168.0.255).
A complete or partial host name
If you specify a partial host name, the product only returns host names starting with the characters you typed. For example, typing "endpoint" returns "endpoint_001" and "endpoint_002", but does not return "jp_endpoint".
If you search for endpoints included in mitigation exceptions, Threat Mitigator shows these endpoints, but you cannot deploy a pattern, run custom cleanup, or launch On-demand Scan on them. For details about mitigation exceptions, see Mitigation Exceptions.
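The matching rules above (comma-separated IP addresses, an octet-wise partial IP prefix, a host-name prefix, and endpoints under mitigation exceptions that are shown but not actionable) as an added, self-contained model; this is example code, not Threat Mitigator's own implementation. The endpoint inventory and the exception list are constructed, and case-sensitive host-name matching is an assumption.

```python
from ipaddress import ip_address
from typing import Iterable, List, Tuple

# Constructed sample inventory of (IP address, host name); not real endpoints.
ENDPOINTS = [
    ("192.168.0.1", "endpoint_001"),
    ("192.168.0.25", "endpoint_002"),
    ("192.168.10.5", "jp_endpoint"),
    ("10.0.0.7", "endpoint_003"),
]
# Constructed: one endpoint listed under Mitigation Exceptions.
MITIGATION_EXCEPTIONS = {"10.0.0.7"}


def _is_full_ip(term: str) -> bool:
    try:
        ip_address(term)
        return True
    except ValueError:
        return False


def _is_partial_ip(term: str) -> bool:
    # One to three numeric octets in range, e.g. "192.168.0".
    octets = term.split(".")
    return 0 < len(octets) < 4 and all(o.isdigit() and int(o) <= 255 for o in octets)


def _matches(term: str, ip: str, host: str) -> bool:
    if _is_full_ip(term):
        return ip_address(ip) == ip_address(term)  # exact, normalized comparison
    if _is_partial_ip(term):
        # Octet-wise prefix: "192.168.0" covers 192.168.0.1 to 192.168.0.255 only.
        # A plain string prefix would wrongly also cover 192.168.01.x.
        prefix = term.split(".")
        return ip.split(".")[:len(prefix)] == prefix
    # Host names match from the start only: "endpoint" does not hit "jp_endpoint".
    return host.startswith(term)


def search_endpoints(query: str, endpoints: Iterable[Tuple[str, str]] = ENDPOINTS,
                     exceptions: Iterable[str] = MITIGATION_EXCEPTIONS) -> List[Tuple[str, str, bool]]:
    """Return (ip, host, actionable) for endpoints hit by any comma-separated term.
    actionable is False for endpoints in mitigation exceptions: they are listed,
    but pattern deployment, custom cleanup and On-demand Scan are not offered."""
    terms = [t.strip() for t in query.split(",") if t.strip()]
    excluded = set(exceptions)
    return [(ip, host, ip not in excluded)
            for ip, host in endpoints
            if any(_matches(t, ip, host) for t in terms)]
```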
Threat Management screen with the Search endpoint text box and available tasks highlighted
When the endpoints display on the table, click an endpoint’s IP address under the IP Address column to view threat event details for the endpoint.
You can run the following tasks on connected endpoints:
Launch On-demand Scan on the selected or all endpoints. If the scan encounters issues, Threat Management Agent collects forensic data to be uploaded to TMSP. To send forensic data, see Submit a Case.
For agentless endpoints, provide the On-demand Scan URL to users and instruct them to launch On-demand Scan. For details, see Running On-demand Scan.
Deploy a pattern to endpoints that require custom cleanup
Run custom cleanup on endpoints with unresolved threats
Release an endpoint from quarantine if all threats have been resolved
When there are unresolved threats on an endpoint after post-assessment cleanup or an administrator-initiated On-demand Scan, Threat Management Agent starts to collect forensic data, which you can send to Trend Micro through TMSP.
If you have TMSP as a hosted service, a Trend Micro security expert will inform you about the unresolved threats and ask you to perform case submission. The security expert then analyzes the threats and issues a pattern file through TMSP. If the pattern is a custom pattern created specifically for the unresolved threats, Threat Mitigator automatically downloads the custom pattern.
If you have TMSP as an on-premise application, perform case submission and then log on to TMSP's administrative console to download the forensic data. Send the forensic data to Trend Micro for analysis, wait for the pattern file, and then manually upload the pattern to TMSP.
Threat Management screen - Submit a Case section
Case submission cannot be configured to run automatically.
During case submission:
The agent encrypts forensic data and archives it into a .zip file.
Sample .zip file containing forensic data
The agent uploads the .zip file to Threat Mitigator.
Threat Mitigator uploads the .zip file to TMSP.
To perform case submission:
Type the endpoint’s IP address or host name and click Search.
Click Submit.
Check the Current Status field. If there are case submission problems, click Submit again.