About Risk Levels and Endpoint Statuses

The assessment tool scans system files, memory, and processes on endpoints to detect security threats. During a scan, the assessment tool rates each detected file or process and assigns a risk level to endpoints based on the aggregated ratings.


  • Malware signatures
  • Known exploit code
  • Unsigned executable files
  • Memory residency
  • Connection to unknown network destinations; opening of ports
Table 1. Security Risk Levels

Risk Level



A file or process that exhibits highly suspicious characteristics commonly associated with malware.

An endpoint that contains one or more high-risk files or processes.


A file or process that exhibits moderately suspicious characteristics that are also associated with benign applications.

An endpoint that contains one or more medium-risk files or processes.


A file or process that exhibits mildly suspicious characteristics that are most likely benign.

An endpoint that contains one or more low-risk files or processes.

Endpoints can have one of the following statuses.

Table 2. Endpoint Statuses




The assessment tool has completed a scan on an endpoint and the scan result was successfully sent to the Advanced Threat Assessment Service server.

Under Assessment

The assessment tool is performing a scan on an endpoint. The scanning process is performed in the background and does not affect user activity on an endpoint.

With Error

The server is unable to obtain the scan results from an endpoint due to an error.

For example:
  • An endpoint is shut down before a scan is complete.

  • A scan is stopped before completion.

  • The scan report is not sent to the server within the timeout period.

  • The server is unable to communicate with an endpoint.