After you Assess a Security Event and determine that a file or process is malicious, you can take additional action to remediate the endpoint. The actions that are available vary by security event type and are displayed on the Actions menu for the security event.
Response actions (other than Retrieve Data) require Traps agent 6.0 or a later release.
- Terminate Process—This option is available from security events for which the action is Report and allows you to issue a remote request to the endpoint to terminate the process. This action is available for most process-related security events but excludes Ransomware Protection and Behavioral Threat events.
- Isolate Endpoint—Halt all network access on the endpoint except for traffic to the Traps management service. This can prevent a compromised endpoint from communicating with other endpoints, thereby reducing an attacker's mobility on your network. After the Traps agent receives the isolate instruction and carries out the action, the Traps console shows an Isolated check-in status for the endpoint. To view isolated endpoints, filter the Endpoints page for Status : Isolated.

  After cleaning any malicious files on the endpoint or remediating any issues, you can later Cancel Endpoint Isolation from the Endpoint details page or from the security event to resume normal endpoint communications.

  If you need to isolate an endpoint but want to allow network access for a specific application, you can whitelist the process. To do this, add or edit an Agent Settings profile that applies to the endpoint and configure the Isolation Whitelist.

  For VDI sessions, the network isolation response action can disrupt communication with the VDI host management system and thereby halt access to the VDI session. You must therefore whitelist the VDI processes and their corresponding IP addresses before using this response action.
- Quarantine—If Traps has reported but not yet quarantined malware on the endpoint, you can initiate an on-demand action to quarantine the malicious file or process and remove it from its working directory. The file or process that Traps quarantines depends on the type of security event:
  - WildFire events for PEs and DLLs—Traps quarantines the malicious file.
  - WildFire events for macros—Traps quarantines the file that contains the malicious macro.
  - Ransomware events—Traps quarantines the source process that Traps reported as exhibiting ransomware behavior.
  - Child process events—Traps quarantines the target child process that Traps identified as malicious.

  On-demand quarantine is not available for Behavioral Threat events; however, you can configure Traps to automatically quarantine the causality group owner (CGO) in your Malware Security profile.
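The Isolate Endpoint behavior described above, modelled as a small policy evaluator. This is an added example, not Traps code and not a description of how the agent actually enforces isolation: it assumes isolation reduces to a per-connection allow/block decision keyed on the process image name and the destination IP, and every address and process name in it (a management service at 203.0.113.10, a hypothetical `vdi-agent.exe` reaching hosts in 198.51.100.0/24, `traps-agent.exe`, `browser.exe`) is a constructed placeholder. The `vdi_scenario` function shows why the VDI caveat matters: with no Isolation Whitelist entry, the isolated endpoint drops the VDI agent's traffic to its host along with everything else, while a whitelist entry permits only that process to only that range.

```python
"""Model of an endpoint network-isolation policy (added illustration, not Traps code).

Semantics taken from the documentation: an isolated endpoint may reach only the
management service, plus any process/destination pairs on the Isolation Whitelist.
All IPs and process names are constructed placeholders.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network, IPv4Network, IPv6Network
from typing import Dict, List, Union

Network = Union[IPv4Network, IPv6Network]


@dataclass
class IsolationWhitelist:
    """Process image name -> destination networks that process may still reach."""
    rules: Dict[str, List[Network]] = field(default_factory=dict)

    def allow(self, process: str, cidr: str) -> None:
        self.rules.setdefault(process.lower(), []).append(ip_network(cidr))

    def permits(self, process: str, dst: str) -> bool:
        addr = ip_address(dst)
        return any(addr in net for net in self.rules.get(process.lower(), []))


@dataclass
class Endpoint:
    management_service: List[Network]          # always reachable, even when isolated
    isolated: bool = False
    whitelist: IsolationWhitelist = field(default_factory=IsolationWhitelist)

    def decide(self, process: str, dst: str) -> str:
        """Return 'allow' or 'block' for an outbound connection attempt."""
        if not self.isolated:
            return "allow"                      # normal operation: no restriction modelled here
        addr = ip_address(dst)
        if any(addr in net for net in self.management_service):
            return "allow"                      # the agent must keep its management channel
        if self.whitelist.permits(process, dst):
            return "allow"                      # explicitly whitelisted process + destination
        return "block"                          # everything else is dropped while isolated


def vdi_scenario(whitelist_vdi: bool) -> Dict[str, str]:
    """Isolate a (constructed) VDI endpoint with or without a whitelist entry for its agent."""
    ep = Endpoint(management_service=[ip_network("203.0.113.10/32")])   # constructed address
    if whitelist_vdi:
        # Hypothetical VDI agent process and the VDI host management range (constructed).
        ep.whitelist.allow("vdi-agent.exe", "198.51.100.0/24")
    ep.isolated = True
    attempts = {
        "agent->management": ("traps-agent.exe", "203.0.113.10"),
        "vdi-agent->vdi-host": ("vdi-agent.exe", "198.51.100.20"),
        "vdi-agent->internet": ("vdi-agent.exe", "192.0.2.50"),
        "browser->internet": ("browser.exe", "192.0.2.50"),
    }
    return {name: ep.decide(proc, dst) for name, (proc, dst) in attempts.items()}


if __name__ == "__main__":
    for label, flag in (("no whitelist", False), ("VDI whitelisted", True)):
        print(f"--- isolated, {label} ---")
        for name, verdict in vdi_scenario(flag).items():
            print(f"{name:22} {verdict}")
```

Running the module prints both scenarios side by side; the only verdict that changes between them is the VDI agent's connection to its host, which is exactly the traffic the documentation tells you to whitelist before isolating a VDI session.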