Details of blocked programs

Advanced EDR provides extended details of programs blocked by any of the advanced detection technologies it incorporates:

Malware and PUP detection

Accessing the Malware Details and PUP Details pages

  • From the top menu, select Status. From the side menu, click the Add link. A dialog box opens that shows all available lists.

  • Select the Malware and PUP activity list.

  • Set the filters and click the Launch query button. A list opens that shows all items classified as malware or PUP.

  • From the list, select an item. The Malware detection or PUP detection page opens.

Or:

  • From the top menu, select Status. From the side panel, select Security. A page opens that shows all widgets associated with the security module.

  • Click the Malware activity or PUP activity widget.

  • Set the filters and click the Launch query button. A list opens that shows all items classified as malware or PUP.

  • From the list, select an item. The Malware detection or PUP detection page opens.

The details page is divided into several sections:

  • Overview.

  • Affected computer.

  • Threat impact on the computer.

  • Infection source.

  • Occurrences on other computers.

Overview

Field Description Values

Threat

Name of the threat and hash that identifies it.

  • Threat name and type.

  • Hash (MD5 and/or SHA-256)

Action

Action taken by Advanced EDR on the item.

  • Quarantined: The file was moved to quarantine.

  • Blocked: The process was blocked before it ran.

  • Deleted: The file was deleted.

  • Detected: The process was detected but not blocked because the advanced protection is configured in Audit mode.

  • Allowed (Audit mode): The user was informed that the malware performed suspicious actions. Because Audit mode is enabled, threats are detected, but they are not blocked or removed. See Audit mode.

Enumeration

For more information about how to manage blocked threats, see Allowing blocked items to run.

See Restoring files from quarantine.

Fields of the Overview section on the Malware Detection page

Affected computer

For more information about the actions you can take on the items found, see Managing threats, items in the process of classification, and quarantine.

Field Description

Computer

Name of the computer where the threat was detected, IP address, and folder in the group tree to which the computer belongs.

View available patches

If the Cytomic Patch module is enabled, this button shows all patches and updates that are missing from the computer.

Logged-in user

Operating system user under which the threat was loaded and run.

Detection path

Threat location on the file system.

Fields of the Affected Computer section on the Malware Detection and PUP Detection pages

Threat impact on the computer

Field Description

Threat

Name of the detected threat and file identification string (hash). Two buttons appear to search for additional information on Google and the VirusTotal website. If the threat is newly discovered, the text New threat appears.

Activity

Summary of the most important actions taken by the malware:

  • Has run

  • Has accessed data files

  • Has exchanged data with other computers

  • View full activity details: Click this button to open the Activity tab described in Action tables.

  • View activity graph: Click this button to view the Activity graph described in Execution graphs.

Detection date

Date when Advanced EDR detected the threat on the customer network.

Dwell time

Time during which the threat was on the customer network without being classified.

Fields of the Threat Impact on the Computer section on the Malware Detection and PUP Detection pages

Infection source

Field Description

Threat source computer

Name of the computer, if the infection attempt originated from another computer on the customer network.

Threat source IP address

IP address of the computer, if the infection attempt originated from another computer on the customer network.

Threat source user

User that was logged in to the computer the infection originated from.

Fields of the Infection Source section on the Malware Detection and PUP Detection pages

Occurrences on other computers

This section shows all computers on the network where the malware was seen.

Field Description

Computer

Computer name.

File path

Name and path of the file that contains the malware.

First seen

Date when the threat was first detected on the relevant computer.

Fields of the Occurrences on Other Computers section on the Malware Detection and PUP Detection pages

Exploit detection

Accessing the Exploit Details page

  • From the top menu, select Status. From the side menu, click the Add link. A dialog box opens that shows all available lists.

  • Select the Exploit activity list.

  • Set the filters and click the Launch query button. A list opens that shows all items classified as exploits.

  • From the list, select an item. The Exploit detection page opens.

Or:

  • From the top menu, select Status. From the side panel, select Security. A page opens that shows all widgets associated with the security module.

  • Click the Exploit activity widget.

  • Set the filters and click the Launch query button. A list opens that shows all items classified as exploits.

  • From the list, select an item. The Exploit detection page opens.

The details page is divided into several sections:

  • Overview.

  • Affected computer.

  • Exploit impact on the computer.

Overview

Field Description Values

Compromised program

Name of the program affected by the vulnerability exploit attempt and hash that identifies it.

  • Path: Path of the program affected by the exploit.

  • Version: Version of the program affected by the exploit.

  • Hash: Hash of the program affected by the exploit (MD5 and/or SHA-256).

Technique

Identifier of the technique used to exploit the program vulnerability.

Link to a description of the technique used by the exploit.

Action

Shows the action taken by Advanced EDR on the program affected by the exploit.

  • Allowed: The anti-exploit protection is configured in Audit mode. The exploit ran.

  • Blocked: The exploit was blocked before it could run.

  • Allowed by the user: The computer user was asked for permission to end the compromised process, but decided to let the exploit run.

  • Process ended: The exploit was deleted but managed to partially run.

  • Pending restart: The user was informed of the need to restart their computer to completely remove the exploit. Meanwhile, the exploit continues to run.

  • Allowed (Audit mode): The user was informed that the malware performed suspicious actions. Because Audit mode is enabled, threats are detected, but they are not blocked or removed. See Audit mode.

Enumeration

For more information about how to manage blocked threats, see Allowing blocked items to run.

Fields of the Overview section on the Exploit Detection page

Affected computer

Field Description

Computer

Name of the computer where the threat was detected, IP address, and folder in the group tree to which the computer belongs.

Logged-in user

Operating system user under which the threat was loaded and run.

Path of the compromised program

Path of the program affected by the vulnerability exploit attempt.

Fields of the Affected Computer section on the Exploit Detection page

Exploit impact on the computer

Field Description

Compromised program

Path and name of the program file associated with the incident. If Advanced EDR detects that the program is not updated to the latest available version, it shows a warning: Vulnerable program.

Activity

  • Has run: The exploit managed to run before being detected by Advanced EDR.

  • View full activity details: Click this button to open the Activity tab described in Action tables.

  • View activity graph: Click this button to view the Activity graph described in Execution graphs.

Detection date

Date when Advanced EDR detected the exploit on the customer network.

Possible source of the exploit

Name and path of the program from which the exploit possibly originated.

Fields of the Exploit Impact on the Computer section on the Exploit Detection page

Vulnerable driver

Accessing the Driver Details page

To access the Driver Details page, follow the steps described in Exploit detection. From the Exploit activity list, select an item whose exploit technique is vulnerable driver.

The details page is divided into several sections:

  • Overview.

  • Affected computer.

  • Vulnerable driver.

Overview

Field Description Values

Vulnerable driver

Name of the driver that was prevented from loading.

  • Name of the compromised program.

  • Path: Path of the driver the security software prevented from loading.

  • MD5: MD5 hash of the driver.

  • SHA-256: SHA-256 hash of the driver.

Technique

Identifier of the technique used to exploit the program vulnerability.

Vulnerable driver

Action

Action taken by Advanced EDR on the exploit.

  • Blocked: The exploit was blocked before it could run.

  • Allowed by the user: The computer user was asked for permission to end the compromised process, but decided to let the exploit run.

  • Allowed (Audit mode): The user was informed that the malware performed suspicious actions. Because Audit mode is enabled, threats are detected, but they are not blocked or removed. See Audit mode.

Enumeration

For more information about how to manage blocked threats, see Allowing blocked items to run.

Fields of the Overview section on the Driver Details page

Affected computer

Field Description

Computer

Name of the computer where the threat was detected, IP address, and folder in the group tree to which the computer belongs.

Logged-in user

Operating system user under which the threat was loaded and run.

Driver path

Path of the driver the security software prevented from loading.

Fields of the Affected Computer section on the Driver Details page

Vulnerable driver

Field Description

Name

Name of the driver the security software prevented from loading.

Activity

  • Has run: The exploit managed to run before being detected by Advanced EDR.

  • View full activity details: Click this button to open the Activity tab described in Action tables.

  • View activity graph: Click this button to view the Activity graph described in Execution graphs.

Detection date

Date when Advanced EDR detected the exploit on the customer network.

MD5

MD5 hash of the blocked driver.

SHA-256

SHA-256 hash of the blocked driver.

Fields of the Vulnerable Driver section

Block by advanced security policy

Accessing the Block by Advanced Security Policy page

  • From the top menu, select Status. From the side menu, click the Add link. A dialog box opens that shows all available lists.

  • Select the Blocks by advanced security policies list.

  • Set the filters and click the Launch query button. A list opens that shows all items blocked by advanced security policies.

  • From the list, select an item. The Block by advanced security policy page opens.

Or:

  • From the top menu, select Status. From the side panel, select Security. A page opens that shows all widgets associated with the security module.

  • Click the Detections by advanced security policies widget.

  • Set the filters and click the Launch query button. A list opens that shows all items blocked by advanced security policies.

  • From the list, select an item. The Block by advanced security policy page opens.

The details page is divided into several sections:

  • Overview.

  • Computer.

  • Blocked program.

Overview

Field Description

Blocked program

Name of the blocked program.

Policy applied

Name of the advanced security policy that blocked the program. See Advanced security policies.

Action

  • Blocked: The process was blocked before it ran.

  • Detected: The process was detected but not blocked because the security policy is configured in Audit mode.

  • Allowed (Audit mode): The user was informed that the process performed suspicious actions. Because Audit mode is enabled, threats are detected, but they are not blocked or removed. See Audit mode.

Fields of the Overview section on the Block by Advanced Security Policy page

Computer

Field Description

Computer

Name of the computer where the threat was detected, IP address, and folder in the group tree to which the computer belongs.

When you click the computer name, the computer details page opens. See Computer details.

Logged-in user

Operating system user under which the threat was loaded and run.

Fields of the Computer section on the Block by Advanced Security Policy page

Blocked program

Field Description

Name

Name of the blocked program.

MD5

MD5 hash of the blocked file.

SHA-256

If included in the detection, SHA-256 hash of the blocked program.

Path

Folder where the blocked program is located on the user computer.

Activity

  • View full activity details: Click this button to open the Activity tab described in Action tables.

  • View activity graph: Click this button to view the Activity graph described in Execution graphs.

Detection date

Date when Advanced EDR blocked the program from running.

Fields of the Blocked Program section on the Block by Advanced Security Policy page

Block of unknown programs in the process of classification and history of blocked programs

Accessing the Blocked Program Details page

  • From the top menu, select Status. From the side menu, click the Add link. A dialog box opens that shows all available lists.

  • Select the Currently blocked programs being classified list.

  • Set the filters and click the Launch query button. A list opens that shows all unknown items in the process of classification.

  • From the list, select an item. The Blocked program details page opens.

  • To open the history of unknown programs blocked, click the View history of blocked items link.

Or:

  • From the top menu, select Status. From the side panel, select Security. A page opens that shows all widgets associated with the security module.

  • Click the Currently blocked programs being classified widget.

  • Set the filters and click the Launch query button. A list opens that shows all unknown items in the process of classification.

  • From the list, select an item. The Blocked program details page opens.

The details page is divided into several sections:

  • Overview.

  • Computer.

  • Program activity on the computer.

  • Source.

Overview

Field Description

Program

Name of the blocked program.

Point the mouse to the icon to view the MD5 hash and/or SHA-256 hash of the blocked program.

Action

  • Blocked

  • Reclassified as goodware

  • Reclassified as malware

  • Reclassified as PUP

  • Deleted from list

Likelihood of being malicious

Appears only if the item has not yet been classified.

  • Low

  • Medium

  • High

  • Very high

Classification technique

  • Classified by WatchGuard lab technicians: The item was classified manually by Cytomic technicians.

  • Classified automatically by WatchGuard Collective Intelligence: The item was classified by Cytomic automatic machine learning processes.

Reclassification completed

Date the item was classified.

Reclassification time

Time it took Advanced EDR to classify the item.

When you point the mouse to the icon, the Reclassification start field appears.

See Reclassification time calculation for unknown files.

Status

Status of the classification process and source of the error if the investigation process could not be completed.

Unblock

Allows the program to run before it is classified.

For more information about how to manage blocked threats, see Allowing blocked items to run.

Fields of the Overview section on the Blocked Program Details page

Computer

Field Description

Computer

Name of the computer where the threat was detected, IP address, and folder in the group tree to which the computer belongs.

Logged-in user

Operating system user under which the threat was loaded and run.

Protection mode

Advanced protection operating mode when the file was blocked (Audit, Hardening, Lock).

Detection path

Path of the blocked program on the workstation or server.

Fields of the Computer section on the Blocked Program Details page

Program activity on the computer

Field Description

Program

Name of the blocked program.

Activity

Summary of the most important actions taken by the malware:

  • Has run

  • Has accessed data files

  • Has exchanged data with other computers

  • View full activity details: Click this button to open the Activity tab described in Action tables.

  • View activity graph: Click this button to view the Activity graph described in Execution graphs.

Detection date

Date when Advanced EDR blocked the program from running.

Dwell time

Time during which the threat was on the customer network without being classified.

Fields of the Program Activity on the Computer section on the Blocked Program Details page

Source

Field Description

Source computer

If the file came from another computer on the customer network, this field shows the computer name.

Source IP address

If the file came from another computer on the customer network, this field shows the computer IP address.

Source user

The user who was logged in on the computer the file came from.

Fields of the Source section on the Blocked Program Details page
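The Dwell time, Occurrences on other computers and Action fields on the Malware detection page, and the Reclassification time field on the Blocked program details page, are the values an analyst reads when deciding which detections still need follow-up. The following added example (not part of the product documentation or of Advanced EDR) shows that triage over a handful of constructed records shaped like those fields; the record layout, hashes, computer names and dates are assumptions, not an Advanced EDR export format.

```python
"""Triage over detection records shaped like the page's fields.
Added example; the record layout is an assumption, not an EDR export."""
from collections import defaultdict
from datetime import datetime

ISO = "%Y-%m-%dT%H:%M:%S"

# Constructed sample records: hashes, names and dates are made up.
RECORDS = [
    {"computer": "WS-01", "hash": "a" * 64, "threat": "Trj/Sample.A",
     "action": "Quarantined", "first_seen": "2024-03-01T08:00:00",
     "classified": "2024-03-01T20:30:00"},
    {"computer": "WS-02", "hash": "a" * 64, "threat": "Trj/Sample.A",
     "action": "Allowed (Audit mode)", "first_seen": "2024-03-02T09:15:00",
     "classified": "2024-03-02T10:00:00"},
    {"computer": "SRV-01", "hash": "b" * 64, "threat": "PUP/Sample.B",
     "action": "Detected", "first_seen": "2024-03-03T11:00:00",
     "classified": None},
]

# Action values on the page that mean the item ran or was not removed.
NOT_STOPPED = {"Detected", "Allowed (Audit mode)", "Allowed by the user"}


def dwell_time(rec, now_iso=None):
    """Seconds from first sighting until classification, i.e. the page's
    Dwell time. For a still-unclassified item, measure up to now_iso."""
    start = datetime.strptime(rec["first_seen"], ISO)
    if rec["classified"]:
        end = datetime.strptime(rec["classified"], ISO)
    elif now_iso:
        end = datetime.strptime(now_iso, ISO)
    else:
        raise ValueError("unclassified item needs a reference time")
    return (end - start).total_seconds()


def occurrences_by_hash(records):
    """hash -> (first_seen, computer) pairs in order of first sighting,
    the same view as 'Occurrences on other computers'."""
    spread = defaultdict(list)
    for r in records:
        spread[r["hash"]].append((r["first_seen"], r["computer"]))
    return {h: sorted(v) for h, v in spread.items()}


def needs_followup(records):
    """Records whose Action value means the item was not stopped."""
    return [r for r in records if r["action"] in NOT_STOPPED]


def unclassified(records):
    """Records still waiting on classification (no Reclassification date)."""
    return [r for r in records if not r["classified"]]
```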