Handling Threats using the ZeroLock® Management Console

ZeroLock feature controls to address threats to Endpoints

    On the ZeroLock Management Console, or ZMC, three primary sections are involved in alerting on threats to protected endpoints: the Dashboard, Alerts, and Endpoints, each of which has its own menu on the ZMC.

    Note:  The default configuration profile sets all alert types to Kill & Remediate except for SSH-MFA alerts which only notify when a successful SSH login occurs.


    Dashboard

    Clicking the text in the INFO column for a ransomware or cryptojacking alert will take you to the alerts detail page.

    Figure: Info Column on Main Page_2.0.1



    Alerts

    From this screen, the user has two ways to react to alerts: the primary ACTIONS drop-down menu above the list of alerts, and the ACTIONS drop-down that appears on the same row as an individual alert.

    Figure: Actions drop-downs

    The primary ACTIONS drop-down menu consists of:

    1. Kill and Remediate Alert kills the processes involved in the malicious behavior, issues an alert, and then remediates: it removes any files created by the malware, removes the malware file(s) themselves, restores any modified or deleted files, undoes attempts at persistence (reverting changes to crontabs, removing dropped malware, etc.), and closes all network connections associated with the malicious processes. This is the default setting.
    2. Kill Alert will stop the processes involved in the malicious behavior and an alert is generated.  Remediation is NOT automatically done.
    3. Release Alert releases the process and allows the system to continue to run. The release function does no file restoration or deletion and should be used when the user believes the alert is a false positive.
    4. Archive Alert removes an alert from the list.  This may be done if the list is getting too long or cluttered.  For example, if you do not want to see SSH connection alerts, they can be turned off, but the previous alerts must be archived to get them off the list.
    5. Add Allow Rule lets the user create a rule that will allow the process to run and will no longer generate an alert.  This is useful for known false positives.

    The available actions, those not greyed out, depend on the Response Type setting for the Endpoint.  For more information on this please see Response Type Settings and Alert Generation.


    Figure: Alert view with Suspend-1

    Again, depending on the Response Type setting, the buttons in the Actions column will be either Kill & Remediate together with the Actions drop-down menu, or just Actions.  Selecting Kill changes the status to KILLED and a REMEDIATION tab appears; clicking that tab starts the remediation process.

    Figure: Alert Killed with Remediate

    Alert Detail: Displays the details of an alert, allowing troubleshooting by reviewing the attack process tree and the files touched by the malware.

    Figure: Alert Detail Page

    Status

    Displays the status of the attack: Killed, Remediated, Success, Suspended.

    Host

    System’s host name

    Download Link

    Figure: Download Symbol v3.0.2

    Allows for downloading the alert details in JSON format.

    File Tab

    Displays a list of files touched by the malware. Created, modified, or deleted files are listed on this tab. 

    The action column identifies the file interaction, and the Status column displays the file’s current status.

    Processes Tab - Tree View

    Graphical representation of the attack process tree. Red blocks indicate a high threat rating and are processes associated with the attack. Each block, if clicked on, shows details concerning the individual process.

    Processes Tab - List View

    List of processes in the attack process tree.

    For additional information on Alert Details please see the Alerts Homepage on the ZeroLock Management Console article.
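    The alert-details export can be triaged offline. The following is an added example (not ZeroLock code, and its JSON field names are an assumption, since the page does not document the export schema): it reads a constructed export, tallies the File tab's created/modified/deleted entries, maps each to the outcome Kill & Remediate would apply (remove created files, restore modified or deleted ones), flags high-threat processes, and reconstructs each one's chain in the process tree.

```python
"""Triage a ZeroLock alert-details JSON export (field names assumed)."""
import json
from collections import Counter

# Constructed sample export for demonstration; the schema is an assumption.
SAMPLE_EXPORT = json.dumps({
    "host": "web-01",
    "status": "Killed",
    "files": [
        {"path": "/home/app/data.db", "action": "modified", "status": "encrypted"},
        {"path": "/home/app/README.txt", "action": "deleted", "status": "missing"},
        {"path": "/tmp/.x/enc", "action": "created", "status": "present"},
        {"path": "/etc/cron.d/update", "action": "created", "status": "present"},
    ],
    "processes": [
        {"pid": 4021, "ppid": 1, "cmd": "/bin/bash", "threat": 1},
        {"pid": 4033, "ppid": 4021, "cmd": "/tmp/.x/enc", "threat": 9},
        {"pid": 4040, "ppid": 4033, "cmd": "/usr/bin/crontab -", "threat": 8},
    ],
})

# Outcome per file action under Kill & Remediate, as the page describes it:
# files the malware created are removed, modified or deleted files are restored.
REMEDIATION = {"created": "remove", "modified": "restore", "deleted": "restore"}


def summarize(export_json, high_threat=7):
    """Return a triage summary; needs_remediation is True after a Kill-only action."""
    alert = json.loads(export_json)
    by_action = Counter(f["action"] for f in alert["files"])
    plan = [(f["path"], REMEDIATION.get(f["action"], "review")) for f in alert["files"]]
    suspicious = [p["pid"] for p in alert["processes"] if p["threat"] >= high_threat]
    return {"host": alert["host"], "status": alert["status"],
            "files_by_action": dict(by_action), "remediation_plan": plan,
            "high_threat_pids": suspicious,
            "needs_remediation": alert["status"].lower() == "killed"}


def process_chain(export_json, pid):
    """Walk parent links from pid up to the root, root first (like the tree view)."""
    procs = {p["pid"]: p for p in json.loads(export_json)["processes"]}
    chain = []
    while pid in procs:
        chain.append(procs[pid]["cmd"])
        pid = procs[pid]["ppid"]
    return list(reversed(chain))


if __name__ == "__main__":
    summary = summarize(SAMPLE_EXPORT)
    print(json.dumps(summary, indent=2))
    for pid in summary["high_threat_pids"]:
        print(pid, " -> ".join(process_chain(SAMPLE_EXPORT, pid)))
```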



    Endpoints 

    This page lists running endpoints and allows for endpoint management.

    Figure: Endpoint Screen


    Actions and Descriptions

    Add Groups to or Remove From Groups

    Endpoint groups are used to limit user access and functionality for an endpoint. This option adds an endpoint to, or removes it from, one or more defined groups.

    Set Endpoint Configs

    This option allows a single configuration profile to be assigned to an endpoint. Configuration profiles define how Tyr handles identified malware and what the assigned user role can manage.

    Update Agent Version

    This option allows a ZeroLock user to update the agent running on the endpoint, or to return it to a recent version.

    Re-Install Agent Version

    This will re-install the current version running on the endpoint. 

    Deactivate Endpoint Protection

    Turns off Baldur, leaving Tyr active. With Baldur off, ZeroLock's defenses are no longer active. When pressing deactivate, customers should expect the status icon to go red for a moment then yellow until the protection is reactivated. The user can still access the in-UI shell in this state, but the system is totally unprotected. (NOTE:  This does a process restart for all monitored processes)

    Activate Endpoint Protection

    Turns on Baldur, activating ZeroLock and protecting the system from attack. All functionality is available in this state.

    Uninstall Endpoint Agent

    Deactivates ZeroLock protection and completely uninstalls both Baldur and Tyr from the system. 

    Archive Endpoints

    This option allows the user to archive an endpoint that is no longer running. To archive an endpoint, Tyr must be stopped or removed.

    Quarantine Endpoints

    This option allows a user to manually network-quarantine an endpoint for an allotted amount of time (in seconds). Network quarantine stops all network communications to and from the endpoint, except with the collector IP address.

    Unquarantine Endpoints

    This option allows a user to enable the networking on a quarantined endpoint. An endpoint could be manually or automatically quarantined based on malware detection defined by the configuration policy.

    Copy Endpoint Installation Link

    This option allows the user to get the installation script.  This is the same script that is available on the Deploy page.