Response Actions

After you Assess a Security Event and determine a file or process is malicious, you can take additional action to remediate the endpoint. The actions that are available for the event vary depending on the security event type and are displayed on the Actions menu for the security event.
Response actions (other than Retrieve Data) require Traps agent 6.0 or a later release.
  • Terminate Process—This option is available from security events for which the action is Report and allows you to issue a remote request to the endpoint to terminate the process. This action is available for most process-related security events but excludes Ransomware Protection and Behavioral Threat events.
  • Isolate Endpoint—Halt all network access on the endpoint except for traffic to the Traps management service. This prevents a compromised endpoint from communicating with other endpoints and so limits an attacker’s ability to move laterally on your network. After the Traps agent receives the isolate instruction and carries it out, the Traps console shows an Isolated check-in status for the endpoint.
    To view isolated endpoints, filter the Endpoints for Status : Isolated.
    After cleaning any malicious files on the endpoint or remediating any issues, you can later Cancel Endpoint Isolation from the Endpoint details page or security event to resume normal endpoint communications.
    If you need to isolate an endpoint but want to allow access for a specific application, you can whitelist the process. To do this, add or edit an Agent Settings profile that applies to the endpoint, and configure the Isolation Whitelist.
    For VDI sessions, using the network isolation response action can disrupt communication with the VDI host management system thereby halting access to the VDI session. As a result, you must whitelist the VDI processes and corresponding IP addresses before using the response action.
  • Quarantine—If Traps has reported but not yet quarantined malware on the endpoint, you can initiate an on-demand action to quarantine the malicious file or process and remove it from its working directory. The file or process that Traps quarantines depends on the type of security event:
    • WildFire events for PEs and DLLs—Traps quarantines the malicious file.
    • WildFire events for macros—Traps quarantines the file that contains the malicious macro.
    • Ransomware events—Traps quarantines the source process that Traps reported as exhibiting ransomware behavior.
    • Child process events—Traps quarantines the target child process that Traps identified as malicious.
    On-demand quarantine is not available for Behavioral Threat events; however, you can configure Traps to automatically quarantine the causality group owner (CGO) in your Malware Security profile.