Managing threats, items in the process of classification, and quarantine
Advanced EDR provides a balance between the effectiveness of the security service and the impact on the daily activities of protected users. This is achieved through tools that enable you to manage the way detected items are blocked from executing:
- Programs classified as malware.
- Programs classified as PUPs.
- Programs classified as exploits.
- Programs classified as viruses.
- Unknown programs in the process of classification.
- Network attacks.
For more information about how to allow the execution of unknown programs in the process of classification, see Authorized software settings.
For more information about the Hardening and Lock modes of the advanced protection, see Advanced protection.
Introduction to threat management tools
You can change the behavior of Advanced EDR with regard to found threats and unknown files in the process of classification using these tools:
- Unblock unknown processes.
- Allow the execution of programs classified as malware, PUP, or exploit.
- Do not detect a network attack again.
- Change the Advanced EDR reclassification policy.
- Manage the backup/quarantine area.
Unblock unknown processes
Advanced EDR automatically analyzes and classifies every unknown process within the first 24 hours after it is detected on a workstation or server. The result classifies the process as goodware or malware and is shared with all Cytomic customers.
To strengthen the security of the computers on the network, Advanced EDR provides Hardening and Lock modes in the advanced protection settings. In both modes, the security software blocks unknown processes while they are being classified, to prevent potential risks. Classification is performed in two ways:
- Automated analysis: Primary method of classification. Machine learning processes analyze samples in real time.
- Manual analysis: If the automated analysis cannot return a classification of the unknown process with 99.999% certainty, then a malware expert manually analyzes a sample of the process. This analysis can take a short period of time to complete.
In circumstances where classification is not immediate, you can allow a blocked item after the security software detects and blocks it. Advanced EDR provides several strategies to do this:
- Reactive unblocking: You allow the execution of an unknown program in the process of classification after a user tries to use it and Advanced EDR detects and blocks it. For more information, see Allowing blocked items to run.
- Proactive unblocking: You make sure that unknown programs are never blocked, preventing any negative impact on user performance. For more information, see Authorized software settings.
Allow the execution of programs classified as malware, PUP, or exploit
Administrators can allow software that Advanced EDR classified as a threat, for example a toolbar with extra search capabilities that was classified as a PUP. For more information, see Allowing blocked items to run.
Do not detect a network attack again
When Advanced EDR detects traffic behavior that it suspects to be a network attack, Network Attack Protection prevents this traffic from reaching user computers. If you do not consider the traffic behavior a threat, you can create an exclusion for the source IP address and the type of attack.
Change the reclassification policy
If you unblock an unknown item that Advanced EDR previously blocked, the classification process, after some time, catalogs the item as malware or goodware. If it is classified as goodware, no additional steps are needed to continue to allow the item to run. If it is classified as malware, the reclassification policy is applied. The reclassification policy enables you to define the behavior of Advanced EDR for this item. For more information, see Reclassification policy.
Manage the backup/quarantine area
You have tools to restore items that were deleted from user computers because they were considered threats.
Security software behavior
Known files
If a known file is classified as malware, PUP, or exploit and the advanced protection operating mode is Hardening or Lock, then Advanced EDR blocks the file, unless the administrator allows it to run.
Unknown files
When an unknown file is in the process of classification and the advanced protection operating mode is Hardening or Lock, then:
- If you have not configured the unblocking of files:
  - The security software blocks the file.
  - Advanced EDR allows the file to run if, after classification, the file is determined to be goodware.
  - Advanced EDR prevents the file from running if, after classification, the file is determined to be malware.
- If you have configured the unblocking of files:
  - Advanced EDR allows the file to run while the classification process completes.
  - If the file is goodware, Advanced EDR continues to allow the file to run.
  - If the file is malware, Advanced EDR allows or does not allow the file to run based on the reclassification policy. For more information, see Reclassification policy.
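The following Python model is an added example, not Cytomic code or any Advanced EDR API. It encodes the decision rules from the Known files and Unknown files sections above so that the combinations of operating mode, classification result, unblocking configuration and reclassification outcome can be checked side by side. The reclassification policy itself is not described on this page, so its outcome is passed in as a stand-in flag (an assumption).

```python
"""Model of the Hardening/Lock blocking behaviour described on this page (added example)."""
from enum import Enum


class Mode(Enum):
    # Only the two modes whose behaviour the page describes.
    HARDENING = "hardening"
    LOCK = "lock"


class Status(Enum):
    GOODWARE = "goodware"
    MALWARE = "malware"
    PUP = "pup"
    EXPLOIT = "exploit"
    CLASSIFYING = "classifying"  # unknown file, still inside the classification window


THREATS = {Status.MALWARE, Status.PUP, Status.EXPLOIT}


def _check_mode(mode):
    if mode not in (Mode.HARDENING, Mode.LOCK):
        raise ValueError("behaviour is only defined for Hardening and Lock modes")


def known_file_action(mode, status, allowed_by_admin=False):
    """Known file: threat classes are blocked unless an administrator allowed the item."""
    _check_mode(mode)
    if status in THREATS and not allowed_by_admin:
        return "block"
    return "run"


def unknown_file_action(mode, status, unblock_configured, reclassification_allows=False):
    """Unknown file at one point in time.

    status is CLASSIFYING during the analysis window and the final verdict afterwards.
    reclassification_allows is an assumed stand-in for whatever the reclassification
    policy decides for an item that was unblocked and later classified as a threat.
    """
    _check_mode(mode)
    if status is Status.CLASSIFYING:
        return "run" if unblock_configured else "block"
    if status is Status.GOODWARE:
        return "run"
    if not unblock_configured:
        return "block"            # was never allowed; final verdict keeps it blocked
    return "run" if reclassification_allows else "block"


def unknown_file_lifecycle(mode, final_status, unblock_configured, reclassification_allows=False):
    """Return (action during classification, action after the final verdict)."""
    during = unknown_file_action(mode, Status.CLASSIFYING, unblock_configured)
    after = unknown_file_action(mode, final_status, unblock_configured, reclassification_allows)
    return during, after
```

The lifecycle pairs make the trade-off explicit: with unblocking configured, a file that is later classified as malware has already run during the classification window, and only the reclassification policy decides what happens next.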