List of allowed threats and unknown programs

You have multiple panels and lists available to get information about programs that were initially blocked by Advanced EPDR and then allowed to run:

  • The Detected items allowed by the administrator panel.

  • The Detected items allowed by the administrator list.

  • The History of items allowed by the administrator list.

Detected items allowed by the administrator

Shows the items that Advanced EPDR initially blocked but that you later allowed to run. These items were either classified as threats or were unknown items still being classified.

Detected items allowed by the administrator panel

Meaning of the data displayed

The panel shows the total number of items excluded from blocking, broken down by type:

  • Malware

  • PUP

  • Being classified

  • Exploit

  • Network Attack

Lists accessible from the panel

Hotspots in the Detected items allowed by the administrator panel

Click the hotspots shown in Hotspots in the Detected items allowed by the administrator panel to open the Programs allowed by the administrator list with the following predefined filters:

Hotspot: Filter

  • (1): No filters.

  • (2): Classification = Malware.

  • (3): Classification = PUP.

  • (4): Classification = Being classified (blocked and suspicious items).

  • (5): Classification = Exploit.

  • (6): Classification = Network Attack.

Filters available in the Programs allowed by the administrator list

Programs allowed by the administrator list

Detected items allowed by the administrator list

Shows all the items that are considered threats and that you allowed to run.

Field Description Values

Classification

Type of threat that was allowed to run.

  • Malware

  • PUP

  • Goodware

  • Exploit

  • Being classified

  • Network Attack

Threat

Name of the item that was allowed to run.

  • If it is an unknown item, the field is empty.

  • If it is an exploit, the exploit technique used is shown.

  • If it is a network attack, the type is specified.

Character string

Details

Name of the file containing the threat.

  • If it is an unknown item, the column shows the name of the file being classified.

  • If it is an exploit, the column shows the exploited file’s name.

  • If it is a network attack, the column shows the source IP addresses from which that type of attack is allowed.

Character string

Hash

String identifying the file.

This is empty if it is an exploit or network attack.

Character string

User name

Console user account that added the exclusion of the item.

Character string

Date allowed

Date the event took place.

Date

Delete

Remove the exclusion of the item.


Fields in the Programs allowed by the administrator list

Fields displayed in the exported file

Field Description Values

Details

Name of the file containing the threat.

  • If it is an unknown item, the column shows the name of the file being classified.

  • If it is an exploit, the column shows the exploited file’s name.

  • If it is a network attack, the column shows the source IP addresses from which that type of attack is allowed.

Character string

Current type

Current classification of the threat that has been allowed to run.

  • Malware

  • PUP

  • Goodware

  • Exploit

  • Being classified

  • Network Attack

Original type

Classification that the allowed item had when it was first detected.

  • Malware

  • PUP

  • Goodware

  • Exploit

  • Being classified

  • Network Attack

Threat

Name of the item that was allowed to run.

  • If it is an unknown item, the field is empty.

  • If it is an exploit, the exploit technique used is shown.

  • If it is a network attack, the type is specified.

Character string

Hash

String identifying the file.

This is empty if it is an exploit or network attack.

Character string

User name

User account that triggered the change to the allowed file.

Character string

Date allowed

Date the event was logged.

Date

Fields in the Programs allowed by the administrator exported file

Filter tool

Field Description Values

Search

  • Details: Details of the threat.

  • Threat: Name of the threat detected.

  • User name: Console user account that added the exclusion of the item.

  • Hash: String identifying the file.

Enumeration

Classification

Type of file the last time it was classified.

  • All

  • Malware

  • PUP

  • Goodware

  • Exploit

  • Network Attack

  • Being classified (blocked and suspicious items)

Original classification

Original classification of the file when it was allowed to run.

  • All

  • Malware

  • PUP

  • Being classified (blocked item)

  • Being classified (suspicious item)

  • Exploit

  • Network Attack

Filters available in the Programs allowed by the administrator list

History of items allowed by the administrator list

Shows a history of all events that have occurred over time for threats and unknown files in the process of classification that you allowed to run. This list shows every classification an item has gone through, from the time it entered the Detected items allowed by the administrator list until it left it, as well as any other reclassification made by Advanced EPDR or by you.

This list does not have a corresponding panel and can only be accessed through the History button in the upper-right corner of the Detected items allowed by the administrator page.

Field Description Values

Classification

Type of threat that has been allowed to run.

  • Malware

  • PUP

  • Goodware

  • Exploit

  • Being classified

  • Network Attack

Threat

Name of the item that was allowed to run.

  • If it is an unknown item, the field is empty.

  • If it is an exploit, the exploit technique used is shown.

  • If it is a network attack, the type is specified.

Character string

Details

Name of the file containing the threat.

  • If it is an unknown item, the column shows the name of the file being classified.

  • If it is an exploit, the column shows the exploited file’s name.

  • If it is a network attack, the column shows the source IP addresses from which that type of attack is allowed.

Character string

Hash

String identifying the file.

This is empty if it is an exploit or network attack.

Character string

Action

Action taken on the allowed item.

  • Exclusion removed by the user: You allowed the item to be blocked again.

  • Exclusion removed after reclassification: Advanced EPDR applied the action associated with the category after reclassification.

  • Exclusion added by the user: You allowed the item to be run.

  • Exclusion kept after reclassification: Advanced EPDR did not block the item after reclassification.

Enumeration

User name

User account that triggered the change to the allowed file.

Character string

Date allowed

Date the event was logged.

Date

Fields in the History of programs allowed by the administrator list

Fields displayed in the exported file

Field Description Values

Details

Name of the file containing the threat.

  • If it is an unknown item, the column shows the name of the file being classified.

  • If it is an exploit, the column shows the exploited file’s name.

  • If it is a network attack, the column shows the source IP addresses from which that type of attack is allowed.

Character string

Current type

Current classification of the threat that has been allowed to run.

  • Malware

  • PUP

  • Exploit

  • Blocked item

  • Suspicious item

  • Network Attack

Original type

Classification that the allowed item had when it was first detected.

  • Malware

  • PUP

  • Exploit

  • Blocked item

  • Suspicious item

  • Network Attack

Threat

Name of the malware or PUP that was allowed to run.

If it is an unknown item, the column shows the file’s name instead. If it is an exploit or network attack, the exploit technique used is specified.

Character string

Hash

String identifying the file.

If it is an exploit or network attack, this field is blank.

Character string

Action

Action taken on the allowed item.

  • Exclusion removed by the user: You allowed the item to be blocked again.

  • Exclusion removed after reclassification: Advanced EPDR applied the action associated with the category after reclassification.

  • Exclusion added by the user: You allowed the item to be run.

  • Exclusion kept after reclassification: Advanced EPDR did not block the item after reclassification.

Enumeration

User name

Console user account that added the exclusion of the item.

Character string

Date allowed

Date the event took place.

Date

Fields in the History of items allowed by the administrator exported file
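The exported history is the record an administrator would audit to find exclusions that are still active for items now classified as threats (an item allowed while Being classified and later reclassified as Malware, with the exclusion kept after reclassification). The following is an added example, not code from Advanced EPDR or its documentation: it reads an export whose columns are the fields listed in the two exported-file tables above (Programs allowed by the administrator and History of items allowed by the administrator), rebuilds each item's lifecycle from its Action events, and flags items whose latest event leaves the exclusion in place while the Current type is a threat category. The CSV layout, the date format, the file names, hashes, threat names and user names are all assumptions or constructed sample data; the real export may differ.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Assumption: the export is CSV with one header row named after the documented
# fields, and "Date allowed" uses this format. Adjust both if your export differs.
DATE_FORMAT = "%Y-%m-%d %H:%M:%S"

# Action values come from the "Action" field of the history list. The first two
# leave the exclusion in place; the other two end it.
ACTIVE_ACTIONS = {"Exclusion added by the user", "Exclusion kept after reclassification"}
ENDED_ACTIONS = {"Exclusion removed by the user", "Exclusion removed after reclassification"}

# "Current type" values that mean an active exclusion is letting a known threat run.
RISKY_TYPES = {"Malware", "PUP", "Exploit", "Network Attack"}

# Constructed sample export: paths, hashes, threat names, users and dates are made up.
SAMPLE_EXPORT = """\
Details,Current type,Original type,Threat,Hash,Action,User name,Date allowed
C:\\Tools\\updater.exe,Malware,Blocked item,,hash-constructed-1,Exclusion added by the user,admin@example.com,2024-03-01 09:12:00
C:\\Tools\\updater.exe,Malware,Blocked item,Trj/Constructed.A,hash-constructed-1,Exclusion kept after reclassification,,2024-03-05 14:30:00
C:\\Temp\\setup.exe,PUP,Suspicious item,,hash-constructed-2,Exclusion added by the user,admin@example.com,2024-03-02 10:00:00
C:\\Temp\\setup.exe,PUP,Suspicious item,PUP/Constructed,hash-constructed-2,Exclusion removed after reclassification,,2024-03-06 08:45:00
WINWORD.EXE,Exploit,Exploit,Constructed exploit technique,,Exclusion added by the user,ops@example.com,2024-03-03 11:20:00
WINWORD.EXE,Exploit,Exploit,Constructed exploit technique,,Exclusion removed by the user,ops@example.com,2024-03-07 16:05:00
"""


def parse_export(text):
    """Parse the export text into a list of row dicts with a real datetime in 'Date allowed'."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["Date allowed"] = datetime.strptime(row["Date allowed"], DATE_FORMAT)
    return rows


def item_key(row):
    """Identify an item by its Hash; Hash is blank for exploits and network attacks,
    so those fall back to the Details column (exploited file name or source IPs)."""
    return row["Hash"] or row["Details"]


def build_lifecycles(rows):
    """Group events per item and order them by date, oldest first."""
    lifecycles = defaultdict(list)
    for row in rows:
        lifecycles[item_key(row)].append(row)
    for events in lifecycles.values():
        events.sort(key=lambda r: r["Date allowed"])
    return dict(lifecycles)


def exclusion_active(events):
    """The exclusion is active if the most recent action did not end it."""
    last_action = events[-1]["Action"]
    if last_action in ENDED_ACTIONS:
        return False
    return last_action in ACTIVE_ACTIONS


def find_risky_active_exclusions(rows):
    """Return one finding per item whose exclusion is still active while its
    current classification is a threat category."""
    findings = []
    for key, events in build_lifecycles(rows).items():
        last = events[-1]
        if exclusion_active(events) and last["Current type"] in RISKY_TYPES:
            added_by = next((e["User name"] for e in events
                             if e["Action"] == "Exclusion added by the user"), "")
            findings.append({
                "item": key,
                "details": last["Details"],
                "current_type": last["Current type"],
                "original_type": last["Original type"],
                "added_by": added_by,
                "last_event": last["Date allowed"],
            })
    return findings


if __name__ == "__main__":
    for f in find_risky_active_exclusions(parse_export(SAMPLE_EXPORT)):
        print(f"{f['details']}: now {f['current_type']} (was {f['original_type']}), "
              f"exclusion added by {f['added_by']}, last event {f['last_event']}")
```

On the constructed data only the updater binary is reported: it was allowed while still a Blocked item, later reclassified as Malware, and the exclusion was kept. The setup file and the exploit exclusion are not reported because their last event removed the exclusion. Review each reported item with the Delete control on the Detected items allowed by the administrator list if the exclusion is no longer justified.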

Filter tool

Field Description Values

Search

  • Details: Details of the threat.

  • User name: Console user account that added the exclusion of the item.

  • Hash: String identifying the file.

Enumeration

Classification

Type of file the last time it was classified.

  • All

  • Malware

  • PUP

  • Goodware

  • Exploit

  • Network Attack

  • Being classified (blocked and suspicious items)

Original classification

Original classification of the file when it was allowed to run.

  • All

  • Malware

  • PUP

  • Being classified (blocked item)

  • Being classified (suspicious item)

  • Exploit

  • Network Attack

Action

Action taken on the allowed item.

  • Exclusion removed by the user: You allowed the item to be blocked again.

  • Exclusion removed after reclassification: Advanced EPDR applied the action associated with the category after reclassification.

  • Exclusion added by the user: You allowed the item to be run.

  • Exclusion kept after reclassification: Advanced EPDR did not block the item after reclassification.

Enumeration

Filters available in the History of items allowed by the administrator list