List of allowed threats and unknown programs

Several panels and lists give you information about the programs that Advanced EDR initially prevented from running and that you then allowed:

  • The Detected items allowed by the administrator panel.

  • The Detected items allowed by the administrator list.

  • The History of items allowed by the administrator list.

Detected items allowed by the administrator

This panel shows the number of items the administrator allows which Advanced EDR initially prevented from running. These items were considered a threat or are unknown files under classification.

Detected items allowed by the administrator panel

Meaning of the data displayed

The panel shows the total number of items excluded from blocking, broken down by type:

  • Malware

  • PUPs

  • Being classified

  • Exploits and drivers

  • Network attacks

Lists accessible from the panel

Hotspots in the Detected items allowed by the administrator panel

Click the hotspots in the Detected items allowed by the administrator panel to open the Detected items allowed by the administrator list with these predefined filters:

Hotspot and the filter it applies:

  • (1): No filters.

  • (2): Classification = Malware.

  • (3): Classification = PUP.

  • (4): Classification = Being classified (blocked and suspicious items).

  • (5): Classification = Exploits and drivers.

  • (6): Classification = Network attack.

Filters available in the Programs Allowed by the Administrator list

Detected items allowed by the administrator list

This list shows all items the administrator allows which Advanced EDR considered a threat.

Field: Classification
Description: Type of threat that is allowed to run.
Values:
  • Malware
  • PUP
  • Goodware
  • Exploits and drivers
  • Being classified
  • Network attack

Field: Threat
Description: Name of the item that is allowed to run.
  • If it is an unknown item, the field is empty.
  • If it is an exploit, the exploit technique used appears.
  • If it is a network attack, the type appears.
Values: Character string

Field: Details
Description: Name of the file that contains the threat.
  • If it is an unknown item, the column shows the name of the file under classification.
  • If it is an exploit, the column shows the exploited file name.
  • In the case of a network attack, you can see the source IP addresses from which the type of attack is allowed.
Values: Character string

Field: Hash
Description: String that identifies the file. This is empty if it is an exploit or network attack.
Values: Character string

Field: User name
Description: Console user account that added the item exclusion.
Values: Character string

Field: Date allowed
Description: Date the event took place.
Values: Date

Field: Delete
Description: Removes the item exclusion.

Fields in the Detected Items Allowed by the Administrator list

Fields displayed in the exported file

Field: Details
Description: Name of the file that contains the threat.
  • If it is an unknown item, the column shows the name of the file under classification.
  • If it is an exploit, the column shows the exploited file name.
  • In the case of a network attack, you can see the source IP addresses from which the type of attack is allowed.
Values: Character string

Field: Current type
Description: Current classification of the threat that is allowed to run.
Values:
  • Malware
  • PUP
  • Goodware
  • Exploits and drivers
  • Being classified
  • Network attack

Field: Original type
Description: Classification of the threat that is allowed to run when it was initially detected.
Values:
  • Malware
  • PUP
  • Goodware
  • Exploit
  • Being classified
  • Network attack

Field: Threat
Description: Name of the item that is allowed to run.
  • If it is an unknown item, the field is empty.
  • If it is an exploit, the exploit technique used appears.
  • If it is a network attack, the type appears.
Values: Character string

Field: Hash
Description: String that identifies the file. This is empty if it is an exploit or network attack.
Values: Character string

Field: User name
Description: User account which triggered the change to the allowed file.
Values: Character string

Field: Date allowed
Description: Date the event was logged.
Values: Date

Fields in the Programs Allowed by the Administrator exported file

Filter tool

Field: Search
Description: Searches by one of the following:
  • Details: Details of the threat.
  • Threat: Name of the threat detected.
  • User name: Console user account that added the item exclusion.
  • Hash: String that identifies the file.
Values: Enumeration

Field: Classification
Description: File type the last time it was classified.
Values:
  • All
  • Malware
  • PUP
  • Goodware
  • Exploit
  • Network attack
  • Being classified (blocked and suspicious items)

Field: Original classification
Description: Original classification of the file when it was allowed to run.
Values:
  • All
  • Malware
  • PUP
  • Being classified (blocked item)
  • Being classified (suspicious item)
  • Exploit
  • Network attack

Filters available in the Programs Allowed by the Administrator list

History of items allowed by the administrator list

This list shows a history of all events related to threats and unknown files in the process of classification that the administrator allowed to run. This list shows all classifications that an item has gone through, from the time it entered the Detected items allowed by the administrator list until it left it, as well as all other classifications caused by Advanced EDR or by you.

This list does not have a corresponding panel. You must access it through the History button in the upper-right corner of the Detected items allowed by the administrator page.

Field: Classification
Description: Type of threat that is allowed to run.
Values:
  • Malware
  • PUP
  • Goodware
  • Exploit
  • Being classified
  • Network attack

Field: Threat
Description: Name of the item that is allowed to run.
  • If it is an unknown item, the field is empty.
  • If it is an exploit, the exploit technique used appears.
  • If it is a network attack, the type appears.
Values: Character string

Field: Details
Description: Name of the file that contains the threat.
  • If it is an unknown item, the column shows the name of the file under classification.
  • If it is an exploit, the column shows the exploited file name.
  • In the case of a network attack, you can see the source IP addresses from which the type of attack is allowed.
Values: Character string

Field: Hash
Description: String that identifies the file. This is empty if it is an exploit or network attack.
Values: Character string

Field: Action
Description: Action taken on the allowed item.
  • Exclusion removed by the user: You allowed the item to be blocked again.
  • Exclusion removed after reclassification: Advanced EDR applied the action associated with the category after reclassification.
  • Exclusion added by the user: You allowed the item to be run.
  • Exclusion kept after reclassification: Advanced EDR did not block the item after reclassification.
Values: Enumeration

Field: User name
Description: User account which triggered the change to the allowed file.
Values: Character string

Field: Date allowed
Description: Date the event was logged.
Values: Date

Fields in the History of Programs Allowed by the Administrator list

Fields displayed in the exported file

Field: Details
Description: Name of the file that contains the threat.
  • If it is an unknown item, the column shows the name of the file under classification.
  • If it is an exploit, the column shows the exploited file name.
  • In the case of a network attack, you can see the source IP addresses from which the type of attack is allowed.
Values: Character string

Field: Current type
Description: Current classification of the threat that is allowed to run.
Values:
  • Malware
  • PUP
  • Exploit
  • Blocked item
  • Suspicious item
  • Network attack

Field: Original type
Description: Classification of the threat that is allowed to run when it was initially detected.
Values:
  • Malware
  • PUP
  • Exploit
  • Blocked item
  • Suspicious item
  • Network attack

Field: Threat
Description: Name of the malware or PUP that is allowed to run. If it is an unknown item, the column shows the file name. If it is an exploit or network attack, the exploit technique used appears.
Values: Character string

Field: Hash
Description: String that identifies the file. If it is an exploit or network attack, this field is blank.
Values: Character string

Field: Action
Description: Action taken on the allowed item.
  • Exclusion removed by the user: You allowed the item to be blocked again.
  • Exclusion removed after reclassification: Advanced EDR applied the action associated with the category after reclassification.
  • Exclusion added by the user: You allowed the item to be run.
  • Exclusion kept after reclassification: Advanced EDR did not block the item after reclassification.
Values: Enumeration

Field: User name
Description: Console user account that added the item exclusion.
Values: Character string

Field: Date allowed
Description: Date the event took place.
Values: Date

Fields in the History of Items Allowed by the Administrator exported file
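
An added example, not part of the product documentation: a review script that reads the history export and reports exclusions that are still active on items now classified as a threat. It assumes the export is a CSV whose headers match the field names above and whose dates use the format shown; the sample rows, hash placeholders, and account names are constructed.

```python
import csv
import io
from datetime import datetime

# Constructed sample. The CSV layout, header spelling and date format are assumptions;
# the column names and Action strings are the ones listed in the tables above.
SAMPLE_EXPORT = """\
Details,Current type,Original type,Threat,Hash,Action,User name,Date allowed
setup_tool.exe,Suspicious item,Suspicious item,setup_tool.exe,HASH-PLACEHOLDER-A,Exclusion added by the user,admin1@example.test,2024-03-01 09:00:00
updater.exe,Blocked item,Blocked item,updater.exe,HASH-PLACEHOLDER-B,Exclusion added by the user,admin2@example.test,2024-03-02 10:00:00
toolbar_helper.exe,PUP,PUP,Constructed.PUP.C,HASH-PLACEHOLDER-C,Exclusion added by the user,admin2@example.test,2024-03-03 11:00:00
setup_tool.exe,Malware,Suspicious item,Constructed.Malware.A,HASH-PLACEHOLDER-A,Exclusion kept after reclassification,admin1@example.test,2024-03-04 12:30:00
updater.exe,Malware,Blocked item,Constructed.Malware.B,HASH-PLACEHOLDER-B,Exclusion removed after reclassification,admin2@example.test,2024-03-05 08:15:00
192.0.2.10,Network attack,Network attack,Constructed attack type,,Exclusion added by the user,admin1@example.test,2024-03-05 09:00:00
192.0.2.10,Network attack,Network attack,Constructed attack type,,Exclusion removed by the user,admin1@example.test,2024-03-06 09:00:00
"""

ACTIVE_ACTIONS = {"Exclusion added by the user", "Exclusion kept after reclassification"}
UNKNOWN_TYPES = {"Blocked item", "Suspicious item"}
THREAT_TYPES = {"Malware", "PUP", "Exploit", "Network attack"}

def item_key(row):
    # Hash is blank for exploits and network attacks, so fall back to Details.
    return row["Hash"] or ("no-hash", row["Details"])

def risky_active_exclusions(export_text, date_format="%Y-%m-%d %H:%M:%S"):
    """Return exclusions whose latest event leaves them active on a threat-classified item."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    rows.sort(key=lambda r: datetime.strptime(r["Date allowed"], date_format))
    latest, added_by = {}, {}
    for row in rows:
        key = item_key(row)
        latest[key] = row  # the most recent event decides the current state
        if row["Action"] == "Exclusion added by the user":
            added_by[key] = row["User name"]
    findings = []
    for key, row in latest.items():
        if row["Action"] in ACTIVE_ACTIONS and row["Current type"] in THREAT_TYPES:
            findings.append({
                "details": row["Details"],
                "hash": row["Hash"],
                "current_type": row["Current type"],
                "added_by": added_by.get(key, ""),
                # True when the item was allowed while still unknown and later judged a threat
                "reclassified_after_allow": row["Original type"] in UNKNOWN_TYPES,
            })
    return sorted(findings, key=lambda f: f["details"])
```

Entries with `reclassified_after_allow` set to true were allowed while still unknown and later classified as a threat with the exclusion kept, so they are the first candidates for review with the Delete option.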

Filter tool

Field: Search
Description: Searches by one of the following:
  • Details: Details of the threat.
  • User name: Console user account that added the item exclusion.
  • Hash: String that identifies the file.
Values: Enumeration

Field: Classification
Description: File type the last time it was classified.
Values:
  • All
  • Malware
  • PUP
  • Goodware
  • Exploit
  • Network attack
  • Being classified (blocked and suspicious items)

Field: Original classification
Description: Original classification of the file when it was allowed to run.
Values:
  • All
  • Malware
  • PUP
  • Being classified (blocked item)
  • Being classified (suspicious item)
  • Exploit
  • Network attack

Field: Action
Description: Action taken on the allowed item.
  • Exclusion removed by the user: You allowed the item to be blocked again.
  • Exclusion removed after reclassification: Advanced EDR applied the action associated with the category after reclassification.
  • Exclusion added by the user: You allowed the item to be run.
  • Exclusion kept after reclassification: Advanced EDR did not block the item after reclassification.
Values: Enumeration

Filters available in the History of Items Allowed by the Administrator list