Information about blocked items in the process of classification
You have multiple panels and lists available to get information about blocked programs in the process of classification:
- The Currently blocked programs being classified panel.
- The Currently blocked programs being classified list.
- The History of blocked programs list.
Additionally, you can perform maintenance actions from the Currently blocked programs being classified list, removing programs that Advanced EDR cannot analyze for a number of reasons. See Removing unknown processes from lists.
Currently blocked programs being classified panel
This panel shows all blocked items that have not yet been classified from the time the service was activated until the present time.
The threats copied from computers on the network show the IP address of the computer from which an infection originated, as well as the number of times that IP address was the source of a detection (in parentheses). To open the Malware Activity list, click the IP address. See Malware/PUP activity.
Advanced EDR reports incidents in the Currently Blocked Programs Being Classified panel when it detects the execution of a program that has not yet been classified.
To prevent too many detections of the same program in the console, Advanced EDR reports a maximum of one incident every 24 hours for each hash found on each computer.
This widget is not affected by the time period you select in the Status top menu, Security side panel.
Each blocked program in the process of classification is represented by a circle with these characteristics:
- Each blocked item with a different hash is represented with a circle.
- The color of the circle represents the risk level temporarily assigned to the item.
- The size of the circle represents the number of different computers where the blocked unknown program tried to run. The size does not represent the number of execution attempts on the computers on the network.
- The number of programs that could not be sent to the Cytomic cloud for analysis is specified.
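An added illustration, not part of the Cytomic documentation, of the two counting rules described above: the limit of one reported incident per hash per computer every 24 hours, and the circle size counting distinct computers rather than execution attempts. The events, computer names and hash values are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample detection events (not real data):
# (computer name, file hash, time of the execution attempt).
EVENTS = [
    ("PC-01", "hashA", datetime(2024, 1, 1, 9, 0)),
    ("PC-01", "hashA", datetime(2024, 1, 1, 15, 0)),  # same hash, same day: not reported again
    ("PC-01", "hashA", datetime(2024, 1, 2, 10, 0)),  # more than 24 h later: reported again
    ("PC-02", "hashA", datetime(2024, 1, 1, 9, 30)),
    ("PC-02", "hashB", datetime(2024, 1, 1, 9, 45)),
    ("PC-03", "hashB", datetime(2024, 1, 1, 11, 0)),
    ("PC-03", "hashB", datetime(2024, 1, 1, 12, 0)),  # within 24 h: not reported again
]

REPORT_WINDOW = timedelta(hours=24)  # one incident per (computer, hash) per window


def throttle_incidents(events, window=REPORT_WINDOW):
    """Return the events that reach the console after applying the
    one-incident-per-computer-per-hash-per-24-hours rule."""
    last_reported = {}
    reported = []
    for computer, file_hash, ts in sorted(events, key=lambda e: e[2]):
        key = (computer, file_hash)
        prev = last_reported.get(key)
        if prev is None or ts - prev >= window:
            last_reported[key] = ts
            reported.append((computer, file_hash, ts))
    return reported


def summarize_panel(events):
    """Per hash: distinct computers (what the circle size reflects)
    next to raw execution attempts (what the circle size does not reflect)."""
    computers = defaultdict(set)
    attempts = defaultdict(int)
    for computer, file_hash, _ in events:
        computers[file_hash].add(computer)
        attempts[file_hash] += 1
    return {h: {"computers": len(computers[h]), "attempts": attempts[h]}
            for h in computers}
```

Running it over the sample shows seven execution attempts collapsing to five console incidents, and each hash drawn as a circle of size 2 regardless of how often it ran.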
Meaning of the data displayed
Blocked applications are shown in one of these colors, and the panel also shows these counters:
Data | Description |
---|---|
Orange | Applications with a medium probability of being malware. |
Dark orange | Applications with a high probability of being malware. |
Red | Applications with a very high probability of being malware. |
Blocked programs | Total number of different applications blocked. |
Programs that could not be obtained for classification | Total number of blocked programs where an error occurred when the solution tried to classify them. |
Threats copied from computers on the network | IP address of the computer from which an infection originated, and number of times that IP address was the source of a detection. |
When you point the mouse to a circle, the circle expands, showing the full name of the item and a series of icons representing key actions:
- Folder: The program read data from the user hard disk.
- Globe: The program connected to another computer.
Lists accessible from the panel
Click the hotspots shown in Hotspots in the Currently Blocked Programs Being Classified panel to open the Currently blocked programs being classified list with these predefined filters:
Hotspot | Filter |
---|---|
(1) | No filter. |
(2) | Search = Hash. |
(3) | Status = Couldn't get the file. |
Currently blocked programs being classified list
This list shows a table with all blocked files that are not yet classified.
Field | Comment | Values |
---|---|---|
Computer | Name of the computer where the unknown file was found. | Character string |
Path | Name and location of the unknown file on the user computer. | Character string |
Accessed data | The unknown file accessed data on the user computer. | Boolean |
Made external connections | The unknown file communicated with remote computers to send or receive data. | Boolean |
Protection mode | Operating mode of the advanced protection when the unknown file was detected. | |
Likelihood of being malicious | Likelihood that the unknown item is actually malware. | |
Status | Classification process status. | Enumeration |
Date | Date the unknown file was first seen. | Date |
Fields displayed in the exported file
The context menu of the Currently blocked programs being classified list shows a drop-down menu with two options: Export and Export list and details. This section describes the content of the file generated when you select Export. For more information about the Export list and details option, see Exported Excel files.
Field | Comment | Values |
---|---|---|
Computer | Name of the computer where the unknown file was found. | Character string |
Threat | Name of the unknown file. | Character string |
Path | Name and location of the unknown file on the user computer. | Character string |
Protection mode | Operating mode of the protection when the unknown file was detected. | |
Accessed data | The unknown file accessed files on the user computer. | Boolean |
External connections | The unknown file communicated with remote computers to send or receive data. | Boolean |
Likelihood of being malicious | Likelihood that the unknown item is actually a threat when the classification process is completed. | |
Date | Date the unknown file was first seen. | Date |
Dwell time | Period of time during which the threat was on the customer network without being classified. | Date |
User | User account under which the program was run. | Character string |
MD5 | MD5 hash of the file. | Character string |
SHA-256 | SHA-256 hash of the file. | Character string |
Threat source computer | Name of the computer, if the blocked program came from another computer on the customer network. | Character string |
Threat source IP address | IP address of the computer, if the blocked program came from another computer on the customer network. | Character string |
Threat source user | The user who was logged in on the computer that the blocked program came from, if applicable. | Character string |
Status | Classification process status. | Enumeration |
Filter tool
Field | Comment | Values |
---|---|---|
Dates | Set a time period, from the present time back. | |
Search | | Enumeration |
Protection modes | Operating mode of the advanced protection when the unknown file was detected. | |
Accessed data | The unknown file accessed data on the user computer. | Boolean |
External connections | The unknown file communicated with remote computers to send or receive data. | Boolean |
Status | Classification process status. | Enumeration |
Details page
This page shows detailed information about the blocked program. See Blocked program details for unknown programs under classification and history of blocked programs.
History of blocked programs list
This list shows a history of all events that have occurred over time regarding unknown processes blocked.
This list does not have an associated panel on the dashboard. To access it, click the View history of blocked items link in the upper-right corner of the Currently blocked programs being classified list page.
Field | Comment | Values |
---|---|---|
Computer | Name of the computer where the unknown file was found. | Character string |
Path | Name and location of the unknown file on the user computer. | Character string |
Action | Action taken by Advanced EDR. | |
Accessed data | The unknown file accessed data on the user computer. | Boolean |
Made external connections | The unknown file communicated with remote computers to send or receive data. | Boolean |
Protection mode | Operating mode of the advanced protection when the unknown file was detected. | |
Excluded | The unknown file was unblocked/excluded by you, allowing it to run. | Boolean |
Likelihood of being malicious | Likelihood that the unknown item is actually a threat when the classification process is completed. | |
Date | Date the unknown file was first seen. | Date |
Fields displayed in the exported file
The context menu of the History of blocked programs list shows a drop-down menu with two options: Export and Export list and details. This section describes the content of the file generated when you select Export. For more information about the Export list and details option, see Exported Excel files.
Field | Comment | Values |
---|---|---|
Computer | Name of the computer where the unknown file was found. | Character string |
Threat | Name of the unknown file. | Character string |
Path | Location of the unknown file on the user computer. | Character string |
Protection mode | Operating mode of the advanced protection when the unknown file was detected. | |
Action | Action taken by Advanced EDR. | |
Accessed data | The unknown file accessed data on the user computer. | Boolean |
External connections | The unknown file communicated with remote computers to send or receive data. | Boolean |
Excluded | The unknown file was unblocked by you, allowing it to run. | Boolean |
Likelihood of being malicious | Likelihood that the unknown item is actually a threat when the classification process is completed. | |
Date | Date the unknown file was first seen. | Date |
Dwell time | Period of time during which the threat was on the customer network without being classified. | Date |
User | User account under which the program was run. | Character string |
MD5 | MD5 hash of the file. | Character string |
SHA-256 | SHA-256 hash of the file. | Character string |
Threat source computer | Name of the computer the blocked program came from, if applicable. | Character string |
Threat source IP address | IP address of the computer the blocked program came from, if applicable. | Character string |
Threat source user | The user that was logged in on the computer the blocked program came from, if applicable. | Character string |
Filter tool
Field | Comment | Values |
---|---|---|
Search | | Enumeration |
Dates | Set a time period, from the present time back. | |
Action | Action taken by Advanced EDR. | |
Excluded | The unknown file was unblocked by you, allowing it to run. | Boolean |
Protection modes | Operating mode of the advanced protection when the unknown file was detected. | |
Accessed data | The unknown file accessed data on the user computer. | Boolean |
External connections | The unknown file communicated with remote computers to send or receive data. | Boolean |
Details page
This page shows detailed information about the blocked program. For more information, see Block by advanced security policy.
Removing unknown processes from lists
Unknown processes show in the Currently blocked programs being classified panel widget until Advanced EDR has analyzed them. Sometimes it is not possible to complete the analysis because the file is too large (larger than 50 MB) or no longer available on the user computer. When this happens, unknown files continue to display in the Currently blocked programs being classified widget.
To remove unknown files from the blocked file widget and list:
- From the top menu, select Status. From the side menu, select Security. Click the Currently blocked programs being classified widget. The Currently blocked programs being classified list opens.
Or
- From the top menu, select Status. From the My lists side menu, click Add. A dialog box opens and shows the available lists.
- Select the Currently blocked programs being classified list.
- Select the checkboxes for the files you want to remove from the list. In the toolbar, click Delete. A confirmation dialog box opens.
- Click Delete. The deleted items appear in the History of blocked programs list with the Action field updated to show Deleted from list. These files cannot be unblocked.
You can delete a blocked program that is in the process of classification to simplify the list. Internally, Advanced EDR continues to consider these items as unknown. If an attempt is made to run them again, they reappear in the Currently blocked programs being classified widget and list.