Response Actions

After you assess a security event and determine a file or process is malicious, you can take additional response actions to remediate the endpoint.
After you Assess a Security Event that occurred on a Windows, Mac, or Linux endpoint and determine a file or process is malicious, you can take additional action to remediate the endpoint. The actions that are available for the event vary depending on the Traps agent version, endpoint operating system, and the security event type. View the available response actions for a security event on the Actions menu.

Retrieve Files

This capability is supported on Windows endpoints with Traps 6.1 and later releases.
If during the investigation of a security event, you want to retrieve files from a Windows endpoint, you can initiate a file retrieval request from a security event. You can also retrieve files from up to 10 endpoints outside of a security event.
For each file retrieval request, Traps management service supports up to:
  • 20 files
  • 200MB in total size
In each file retrieval request, you can select one or more of the files associated with the security event.
You can also specify additional files that were not reported during the security event from the same endpoint. When specifying additional files, you can either enter the paths one by one (press Enter after each completed path) or you can paste a list of paths from a file that contains each path on a new line. To edit a path, double-click it.
The request instructs the agent to locate the files on the endpoint and upload them to Traps management service. The agent collects all requested files into one archive and includes a log in JSON format containing additional status information. When the files are successfully uploaded, you can download them from the Actions Tracker. Traps management service retains retrieved files for up to one week.

Retrieve Data

This capability is supported on Windows, Mac, and Linux endpoints with Traps 6.0 and later releases.
Traps management service provides additional analysis of the memory contents when an exploit security event occurs. To retrieve data and begin analysis, select Retrieve and Analyze Data. You can monitor the retrieval and analysis progress on the Analysis tab of a security event.

Terminate a Process

This capability is supported on Windows endpoints with Traps 6.0 and later releases and on Mac and Linux endpoints with Traps 6.1 and later releases.
The Terminate Process capability is available from security events for which the action is Report and allows you to issue a remote request to the endpoint to terminate the process. This action is available for most process-related security events but excludes Ransomware Protection and Behavioral Threat events.

Initiate a Live Terminal

This capability is supported on Windows endpoints with Traps 6.1 and later releases.
To explore and manage files and processes locally on the endpoint, you can Initiate Live Terminal. You can also run Windows commands and Python scripts.

Create an Exception

This capability is supported on Windows, Mac, and Linux with Traps 5.0 and later releases.
From security events related to malware or software exploits, if you disagree with the verdict or otherwise want to override the behavior, you can Create a Process Exception or Create a Hash Exception.

Quarantine a File

This capability is supported on Windows endpoints with Traps 6.0 and later releases and on Mac and Linux endpoints with Traps 6.1 and later releases.
If Traps has reported but not yet quarantined malware on the endpoint, you can initiate an on-demand action to quarantine the malicious file or process and remove it from its working directory. The file or process that Traps quarantines depends on the type of security event:
  • WildFire events for PEs and DLLs—Traps quarantines the malicious file.
  • WildFire events for macros—Traps quarantines the file that contains the malicious macro.
  • Ransomware events—Traps quarantines the source process that Traps reported as exhibiting ransomware behavior.
  • Child process events—Traps quarantines the target child process that Traps identified as malicious.
On-demand quarantine is not available for Behavioral Threat events; however, you can configure Traps to automatically quarantine the causality group owner (CGO) in your Malware Security profile.

Isolate an Endpoint

This capability is supported on Windows endpoints with Traps 6.0 and later releases.
When you isolate an endpoint, you halt all network access on the endpoint except for traffic to Traps management service. This can prevent a compromised endpoint from communicating with other endpoints thereby reducing an attacker’s mobility on your network. After the Traps agent receives the instruction to isolate the endpoint and carries out the action, the Traps console status shows an Isolated check-in status. To ensure an endpoint remains in isolation, agent upgrades are not available for isolated endpoints.
To view isolated endpoints, filter the Endpoints for Status: Isolated.
After cleaning any malicious files on the endpoint or remediating any issues, you can later Cancel Endpoint Isolation from the Endpoint details page or security event to resume normal endpoint communications.
If you need to isolate an endpoint but want to allow access for a specific application, you can whitelist the process. To do this, add or edit an Agent Settings profile that applies to the endpoint, and configure the Isolation Whitelist.
For VDI sessions, using the network isolation response action can disrupt communication with the VDI host management system thereby halting access to the VDI session. As a result, you must whitelist the VDI processes and corresponding IP addresses before using the response action.