Details of blocked programs

Advanced EDR provides extended details of programs blocked by any of the advanced detection technologies it incorporates:

  • Malware or PUPs detected.

  • Exploits detected.

  • Programs blocked by advanced security policies.

  • Unknown programs blocked while they are in the process of classification.

Malware detection

Access to the Malware Details and PUP Details pages

  • In the top menu, select Status. In the side menu, click the Add link. A window opens with all available lists.

  • Select the Malware and PUP activity list.

  • Set the filters and click the Launch query button. A list of items classified as malware or PUP appears.

  • Select an item in the list. The Malware detection or PUP detection page opens.

Or:

  • In the top menu, select Status. In the side panel, select Security. All widgets associated with the security module are shown.

  • Click the Malware activity or PUP activity widget.

  • Set the filters and click the Launch query button. A list of items classified as malware or PUP appears.

  • Select an item in the list. The Malware detection or PUP detection page opens.

The details page is divided into several sections:

  • Overview.

  • Affected computer.

  • Threat impact on the computer.

  • Infection source.

  • Occurrences on other computers.

Overview

Field Description Values

Threat

Name of the threat and hash that identifies it.

  • Threat name and type.

  • Hash

Action

Action taken by Advanced EDR on the item.

  • Quarantined: The file was moved to quarantine.

  • Blocked: The process was blocked before it ran.

  • Deleted: The file was deleted.

  • Detected: The process was detected but not blocked because the advanced protection is configured in Audit mode.

  • Allowed (Audit mode): The user was informed that the malware performed suspicious actions. Because Audit mode is enabled, threats are detected, but they are not blocked or removed. See Audit mode.

Enumeration

For more information about how to manage detected and blocked threats, see Allowing and preventing items to run.

See Restoring items from quarantine.

Fields of the Overview section on the Malware Detection page

Affected computer

For more information about the actions you can take on the items found, see Managing threats, items in the process of classification, and quarantine.

Field Description

Computer

Name of the computer where the threat was detected, IP address, and folder it belongs to in the group tree.

View available patches

If the Cytomic Patch module is enabled, this button shows all patches and updates that are missing from the computer.

Logged-in user

Operating system user under which the threat was loaded and run.

Detection path

Location of the threat on the file system.

Fields of the Affected Computer section on the Malware Detection and PUP Detection pages

Threat impact on the computer

Field Description

Threat

Name of the detected threat and file identification string (hash). Two buttons are available to search for additional information on Google and the VirusTotal website. If the threat is newly discovered, the text New threat is shown.

Activity

Summary of the most important actions taken by the malware:

  • Has run

  • Has accessed data files

  • Has exchanged data with other computers

  • View full activity details: Click this button to open the Activity tab discussed in Action tables.

  • View activity graph: Click this button to display the Activity graph discussed in Execution graphs.

Detection date

Date when Advanced EDR detected the threat on the customer network.

Dwell time

Time during which the threat was on the customer network without being classified.

Fields of the Threat Impact on the Computer section on the Malware Detection and PUP Detection pages

Infection source

Field Description

Threat source computer

Name of the computer, if the infection attempt originated from another computer on the customer network.

Threat source IP address

IP address of the computer, if the infection attempt originated from another computer on the customer network.

Threat source user

User that was logged in on the computer the infection originated from.

Fields of the Infection Source section on the Malware Detection and PUP Detection pages

Occurrences on other computers

Shows all computers on the network where the malware has been seen.

Field Description

Computer

Computer name.

File path

Name and path of the file that contains the malware.

First seen

Date when the threat was first detected on the relevant computer.

Fields of the Occurrences on Other Computers section on the Malware Detection and PUP Detection pages

Exploit detection

Access to the Exploit Details page

  • In the top menu, select Status. In the side menu, click the Add link. A window opens with all available lists.

  • Select the Exploit activity list.

  • Set the filters and click the Launch query button. A list of items classified as exploits appears.

  • Select an item in the list. The Exploit detection page opens.

Or:

  • In the top menu, select Status. In the side panel, select Security. All widgets associated with the security module are shown.

  • Click the Exploit activity widget.

  • Set the filters and click the Launch query button. A list of items classified as exploits appears.

  • Select an item in the list. The Exploit detection page opens.

The details page is divided into several sections:

  • Overview.

  • Affected computer.

  • Threat impact on the computer.

Overview

Field Description Values

Compromised program

Name of the program affected by the vulnerability exploit attempt and hash that identifies it.

  • Path: Path of the program affected by the exploit.

  • Version: Version of the program affected by the exploit.

  • Hash: Hash of the program affected by the exploit.

Technique

Identifier of the technique used to exploit the program vulnerability.

Link to a description of the technique used by the exploit.

Action

Shows the action taken by Advanced EDR on the program affected by the exploit.

  • Allowed: The anti-exploit protection is configured in Audit mode. The exploit ran.

  • Blocked: The exploit was blocked before it could run.

  • Allowed by the user: The computer user was asked for permission to end the compromised process but decided to let the exploit run.

  • Process ended: The exploit was deleted but managed to partially run.

  • Pending restart: The user was informed of the need to restart their computer to completely remove the exploit. Meanwhile, the exploit continues to run.

  • Allowed (Audit mode): The user was informed that the malware performed suspicious actions. Because Audit mode is enabled, threats are detected, but they are not blocked or removed. See Audit mode.

Enumeration

For more information about how to manage detected and blocked threats, see Allowing and preventing items to run.

Fields of the Overview section on the Exploit Detection page

Affected computer

Field Description

Computer

Name of the computer where the threat was detected, IP address, and folder it belongs to in the group tree.

Logged-in user

Operating system user under which the threat was loaded and run.

Path of the compromised program

Path of the program affected by the vulnerability exploit attempt.

Fields of the Affected Computer section on the Exploit Detection page

Exploit impact on the computer

Field Description

Compromised program

Name and path of the program that was hit by the exploit attempt. If Advanced EDR detects that the program is not updated to the latest available version, it shows a warning message: Vulnerable program.

Activity

  • Has run: The exploit managed to run before being detected by Advanced EDR.

  • View full activity details: Click this button to open the Activity tab discussed in Action tables.

  • View activity graph: Click this button to display the Activity graph discussed in Execution graphs.

Detection date

Date when Advanced EDR detected the exploit on the customer network.

Possible source of the exploit

Name and path of the program from which the exploit possibly originated.

Fields of the Exploit Impact on the Computer section on the Exploit Detection page

Block by advanced security policy

Access to the Block by Advanced Security Policy page

  • In the top menu, select Status. In the side menu, click the Add link. A window opens with all available lists.

  • Select the Blocks by advanced security policies list.

  • Set the filters and click the Launch query button. A list of items blocked by advanced security policies appears.

  • Select an item in the list. The Block by advanced security policy page opens.

Or:

  • In the top menu, select Status. In the side panel, select Security. All widgets associated with the security module are shown.

  • Click the Detections by advanced security policies widget.

  • Set the filters and click the Launch query button. A list of items blocked by advanced security policies appears.

  • Select an item in the list. The Block by advanced security policy page opens.

The details page is divided into several sections:

  • Overview.

  • Computer.

  • Blocked program.

Overview

Field Description

Blocked program

Name of the program blocked by the administrator.

Policy applied

Name of the advanced security policy that blocked the program. See Advanced security policies.

Action

  • Blocked: The process was blocked before it ran.

  • Detected: The process was detected but not blocked because the security policy is configured in Audit mode.

  • Allowed (Audit mode): The user was informed that the process performed suspicious actions. Because Audit mode is enabled, threats are detected, but they are not blocked or removed. See Audit mode.

Fields of the Overview section on the Block by Advanced Security Policy page

Computer

Field Description

Computer

Name of the computer where the threat was detected, IP address, and folder it belongs to in the group tree.

Logged-in user

Operating system user under which the threat was loaded and run.

Fields of the Computer section on the Block by Advanced Security Policy page

Blocked program

Field Description

Name

Name of the blocked program.

MD5

Hash of the blocked file.

Path

Device and folder where the blocked program is located on the user computer.

Activity

  • View full activity details: Click this button to display the Activity tab discussed in Action tables.

  • View activity graph: Click this button to display the Activity graph discussed in Execution graphs.

Detection date

Date when Advanced EDR blocked the program from running.

Fields of the Blocked Program section on the Block by Advanced Security Policy page
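The Action field on the Malware, Exploit and Block by Advanced Security Policy pages above has values that mean the item was stopped (Quarantined, Deleted, Blocked) and values that mean it was not, or not completely (Detected, Allowed, Allowed by the user, Process ended, Pending restart, Allowed (Audit mode)). The following added example is not part of the product documentation or the product itself: it is a small triage helper that, given detection records exported from the console, groups them by hash (as the Occurrences on Other Computers section does), flags the outcomes that still need analyst follow-up, and computes the dwell time in days. The record layout, the field names in the dicts, the hashes and the sample data are all constructed for this example.

```python
from datetime import datetime

# Action values from the Action field of the three Overview tables above.
# After any of these the item did NOT end up stopped (Audit mode, user
# override, partial execution or a reboot still pending), so an analyst
# still has to follow up. "Quarantined", "Deleted" and "Blocked" are final.
NEEDS_FOLLOW_UP = {
    "malware": {"Detected", "Allowed (Audit mode)"},
    "pup": {"Detected", "Allowed (Audit mode)"},
    "exploit": {"Allowed", "Allowed by the user", "Process ended",
                "Pending restart", "Allowed (Audit mode)"},
    "policy": {"Detected", "Allowed (Audit mode)"},
}

# Constructed sample records; hashes and threat names are placeholders, not real IoCs.
SAMPLE_RECORDS = [
    {"type": "malware", "threat": "Trj/ConstructedSample.A", "hash": "HASH-CONSTRUCTED-1",
     "computer": "WS-01", "action": "Quarantined",
     "first_seen": "2024-03-01T09:00:00", "classified_at": "2024-03-02T09:00:00"},
    {"type": "malware", "threat": "Trj/ConstructedSample.A", "hash": "HASH-CONSTRUCTED-1",
     "computer": "WS-02", "action": "Allowed (Audit mode)",
     "first_seen": "2024-03-01T09:00:00", "classified_at": None},
    {"type": "exploit", "threat": "Exploit/ConstructedSample", "hash": "HASH-CONSTRUCTED-2",
     "computer": "SRV-01", "action": "Pending restart",
     "first_seen": "2024-03-03T12:00:00", "classified_at": None},
    {"type": "policy", "threat": "policy-blocked-tool.exe", "hash": "HASH-CONSTRUCTED-3",
     "computer": "WS-03", "action": "Blocked",
     "first_seen": "2024-03-09T08:00:00", "classified_at": "2024-03-09T08:00:00"},
]

NOW = datetime(2024, 3, 10, 9, 0, 0)  # fixed "current time" so the example is deterministic


def needs_follow_up(record):
    """True when the recorded action left the item running or only partially handled."""
    return record["action"] in NEEDS_FOLLOW_UP.get(record["type"], set())


def dwell_days(record, now):
    """Whole days between first sighting and classification (or `now` if still unclassified)."""
    first = datetime.fromisoformat(record["first_seen"])
    end = datetime.fromisoformat(record["classified_at"]) if record["classified_at"] else now
    return (end - first).days


def triage(records, now=NOW):
    """Group detections by hash, as the Occurrences on Other Computers section does.

    Returns {hash: {"name", "computers", "follow_up", "max_dwell_days"}}.
    """
    summary = {}
    for r in records:
        entry = summary.setdefault(r["hash"], {
            "name": r["threat"], "computers": set(), "follow_up": [], "max_dwell_days": 0})
        entry["computers"].add(r["computer"])
        if needs_follow_up(r):
            entry["follow_up"].append((r["computer"], r["action"]))
        entry["max_dwell_days"] = max(entry["max_dwell_days"], dwell_days(r, now))
    return summary


def follow_up_report(records, now=NOW):
    """Hashes that still need action; most pending outcomes, most computers, longest dwell first."""
    rows = [(h, e["name"], len(e["computers"]), len(e["follow_up"]), e["max_dwell_days"])
            for h, e in triage(records, now).items() if e["follow_up"]]
    rows.sort(key=lambda row: (row[3], row[2], row[4]), reverse=True)
    return rows


if __name__ == "__main__":
    for h, name, hosts, pending, dwell in follow_up_report(SAMPLE_RECORDS):
        print(f"{name} ({h}): {hosts} computer(s), {pending} pending, dwell {dwell}d")
```

Running the block prints the two constructed items that still need attention: the malware seen on two computers, one of which was in Audit mode, and the exploit with a restart pending. The item blocked by an advanced security policy is excluded because Blocked is a final outcome. The follow-up sets are deliberately kept per page type because the Exploit page uses action values (Process ended, Pending restart, Allowed by the user) that the Malware and policy pages do not.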

Blocking of unknown programs in the process of classification and history of blocked programs

Access to the Blocked Program Details page

  • In the top menu, select Status. In the side menu, click the Add link. A window opens with all available lists.

  • Select the Currently blocked programs being classified list.

  • Set the filters and click the Launch query button. A list of unknown items in the process of classification appears.

  • Select an item in the list. The Blocked program details page opens.

  • To open the history of unknown programs blocked, click the View history of blocked items link.

Or:

  • In the top menu, select Status. In the side panel, select Security. All widgets associated with the security module are shown.

  • Click the Currently blocked programs being classified widget.

  • Set the filters and click the Launch query button. A list of unknown items in the process of classification appears.

  • Select an item in the list. The Blocked program details page opens.

The details page is divided into several sections:

  • Overview.

  • Computer.

  • Program activity on the computer.

  • Source.

Overview

Field Description

Program

Name of the blocked program.

Action

Blocked

Likelihood of being malicious

  • Low

  • Medium

  • High

  • Very high

Status

Status of the classification process and source of the error if the investigation process could not be completed.

Unblock

Allows the program to run before it is classified.

For more information about how to manage detected and blocked threats, see Allowing and preventing items to run.

Fields of the Overview section on the Blocked Program Details page

Computer

Field Description

Computer

Name of the computer where the threat was detected, IP address, and folder it belongs to in the group tree.

Logged-in user

Operating system user under which the threat was loaded and run.

Protection mode

Operating mode of the advanced protection when the file was blocked (Audit, Hardening, Lock).

Detection path

Path to the blocked program on the workstation or server.

Fields of the Computer section on the Blocked Program Details page

Program activity on the computer

Field Description

Program

Name of the blocked program.

Activity

Summary of the most important actions taken by the malware:

  • Has run

  • Has accessed data files

  • Has exchanged data with other computers

  • View full activity details: Click this button to display the Activity tab discussed in Action tables.

  • View activity graph: Click this button to display the Activity graph discussed in Execution graphs.

Detection date

Date when Advanced EDR blocked the program from running.

Dwell time

Time during which the threat was on the customer network without being classified.

Fields of the Program Activity on the Computer section on the Blocked Program Details page

Source

Field Description

Source computer

If the file came from another computer on the customer network, this field indicates the computer name.

Source IP address

If the file came from another computer on the customer network, this field indicates the computer IP address.

Source user

The user who was logged in on the computer the file came from.

Fields of the Source section on the Blocked Program Details page