ZeroLock feature controls to address threats to Endpoints
On the ZeroLock Management Console (ZMC) there are three primary sections involved in alerting on threats to protected endpoints: the Dashboard, Alerts, and Endpoints, each of which has its own menu on the ZMC.
Note: The default configuration profile sets all alert types to Kill & Remediate except for SSH-MFA alerts which only notify when a successful SSH login occurs.
Dashboard
Clicking the text in the INFO column for a ransomware or cryptojacking alert will take you to the alerts detail page.
Alerts
From the ALERTS screen there are two ways to react to alerts: the primary ACTIONS drop-down menu above the list of alerts, and the ACTIONS drop-down that appears on the same row as an individual alert.
The primary ACTIONS drop-down menu consists of:
- Kill and Remediate Alert (the default setting) kills the processes involved in the malicious behavior, issues an alert, and then remediates: it removes any files created by the malware, removes the malware file(s) themselves, restores any modified or deleted files, undoes attempts at persistence (reverting crontab changes, removing dropped malware, etc.), and closes all network connections associated with the malicious processes.
- Kill Alert will stop the processes involved in the malicious behavior and generate an alert. Remediation is NOT automatically done.
- Release Alert releases the process and allows the system to continue to run. The release function does no file restoration or deletion and should be used when the user believes the alert is a false positive.
- Archive Alert removes an alert from the list. This may be done if the list is getting too long or cluttered. For example, if you do not want to see SSH connection alerts, they can be turned off but the previous alerts must be archived to be removed from the list.
- Add Allow Rule lets the user create a rule that will allow the process to run and will no longer generate an alert. This is useful for known false positives.
The available actions (those not greyed out) depend on the Response Type setting for the endpoint. For more information, see Response Type Settings and Alert Generation.
Depending on the Response Type setting, the buttons in the Actions column will be either Kill & Remediate with the Actions drop-down menu or just Actions. Selecting Kill changes the status to KILLED and a REMEDIATION tab appears; clicking that tab starts the remediation process.
Alert Detail: Displays the details of an alert, allowing troubleshooting by reviewing the attack process tree and the files touched by the malware.
| Field | Description |
| --- | --- |
| Status | Displays the status of the attack: Killed, Remediated, Success, Suspended. |
| Host | The system's hostname. |
| Download Link | Allows the alert details to be downloaded in JSON format. |
| File Tab | Displays a list of files touched by the malware. Created, modified, or deleted files are listed on this tab. The Action column identifies the file interaction, and the Status column displays the file's status. |
| Processes Tab - Tree View | A graphical representation of the attack process tree. Red blocks indicate a high threat rating and are processes associated with the attack. Clicking a block shows details of that individual process. |
| Processes Tab - List View | A list view of the processes in the attack process tree. |
Figure: View after the REMEDIATE process is activated.
For additional information on Alert Details, see the article Alerts Homepage on the ZeroLock Management Console.
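The Kill & Remediate, Kill and Release actions described above, together with the Action and Status columns of the File tab, amount to a small state machine over the files, processes and connections recorded in an alert. The following Python is an added illustration of those semantics, not ZeroLock's own code: the record layout, the "Pending", "Removed", "Restored", "No backup" and "Released" values, the idea that the agent keeps a copy of a file's pre-change content, and the constructed incident are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class FileEvent:
    """One row of the File tab: the path, how the malware touched it, and the
    content the file had before the change (assumed to be saved by the agent)."""
    path: str
    action: str                     # "Created", "Modified" or "Deleted"
    backup: Optional[bytes] = None  # pre-change content; None for Created files
    status: str = "Pending"         # assumed initial value of the Status column


@dataclass
class Alert:
    pids: List[int]
    files: List[FileEvent]
    connections: List[str]
    status: str = "Suspended"       # processes held while the analyst decides (assumed)


@dataclass
class Host:
    """Constructed stand-in for an endpoint: a filesystem, a process table
    and the set of open network connections."""
    fs: Dict[str, bytes]
    running: Set[int]
    connections: Set[str]


def kill(alert: Alert, host: Host) -> None:
    """Kill Alert: stop the processes and close their connections; no file work."""
    for pid in alert.pids:
        host.running.discard(pid)
    host.connections.difference_update(alert.connections)
    alert.status = "Killed"


def remediate(alert: Alert, host: Host) -> None:
    """Reverse every file interaction listed on the File tab."""
    for ev in alert.files:
        if ev.action == "Created":                    # dropped malware or its output
            host.fs.pop(ev.path, None)
            ev.status = "Removed"
        elif ev.action in ("Modified", "Deleted"):    # put the prior content back
            if ev.backup is None:
                ev.status = "No backup"               # cannot restore; say so in the table
                continue
            host.fs[ev.path] = ev.backup
            ev.status = "Restored"
        else:
            ev.status = "Unknown action"
    done = all(ev.status in ("Removed", "Restored") for ev in alert.files)
    alert.status = "Remediated" if done else "Remediation incomplete"


def kill_and_remediate(alert: Alert, host: Host) -> None:
    """Kill & Remediate Alert: the default response."""
    kill(alert, host)
    remediate(alert, host)


def release(alert: Alert, host: Host) -> None:
    """Release Alert: judged a false positive, so nothing is restored or deleted."""
    alert.status = "Released"


def sample_incident():
    """Constructed ransomware-style incident: pid 4242 encrypts a document,
    drops a binary, deletes a note and adds a crontab entry for persistence."""
    clean = {
        "/home/alice/report.docx": b"quarterly report",
        "/home/alice/notes.txt": b"todo",
        "/var/spool/cron/crontabs/alice": b"# no jobs\n",
    }
    conn = "4242->203.0.113.9:443"
    host = Host(fs=dict(clean), running={1, 4242}, connections={conn})
    # The recorded effects of the attack on the constructed host.
    host.fs["/home/alice/report.docx"] = b"<encrypted>"
    host.fs["/tmp/.cache/locker"] = b"\x7fELF..."
    del host.fs["/home/alice/notes.txt"]
    host.fs["/var/spool/cron/crontabs/alice"] = b"# no jobs\n@reboot /tmp/.cache/locker\n"
    alert = Alert(
        pids=[4242],
        connections=[conn],
        files=[
            FileEvent("/home/alice/report.docx", "Modified", clean["/home/alice/report.docx"]),
            FileEvent("/tmp/.cache/locker", "Created"),
            FileEvent("/home/alice/notes.txt", "Deleted", clean["/home/alice/notes.txt"]),
            FileEvent("/var/spool/cron/crontabs/alice", "Modified",
                      clean["/var/spool/cron/crontabs/alice"]),
        ],
    )
    return clean, host, alert


if __name__ == "__main__":
    clean, host, alert = sample_incident()
    kill_and_remediate(alert, host)
    print(alert.status, "filesystem back to clean state:", host.fs == clean)
    for ev in alert.files:
        print(f"{ev.action:9} {ev.status:9} {ev.path}")
```

The point the model makes explicit is the difference between the three responses: Kill stops processes and connections but leaves the dropped binary and the crontab entry in place, Release touches nothing, and only Remediate walks the File tab and reverses each interaction, which is why a file it cannot restore is reported in the Status column rather than silently skipped.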
Endpoints
This page lists running endpoints and allows for endpoint management.
Actions and Descriptions
| Action | Description |
| --- | --- |
| Add to Groups or Remove From Groups | Endpoint groups are used to limit user access and functionality to an endpoint. This option allows users to add an endpoint to, or remove it from, one or more defined groups. |
| Set Endpoint Configs | This option allows a single configuration profile to be assigned to an endpoint. Configuration profiles define how Tyr handles identified malware and what the assigned user role can manage. |
| Update Agent Version | This option allows a ZeroLock user to update the agent running on the endpoint, or return it to a recent version. |
| Re-Install Agent Version | This will re-install the version currently running on the endpoint. |
| Deactivate Endpoint Protection | Turns off Baldur, leaving Tyr active. With Baldur off, ZeroLock's defenses are no longer active. When pressing deactivate, customers should expect the status icon to go red momentarily and then yellow until protection is reactivated. The user can still access the in-UI shell in this state, but the system is unprotected. (NOTE: This restarts all monitored processes.) |
| Activate Endpoint Protection | Turns on Baldur, activating ZeroLock and protecting the system from attack. All functionality is available in this state. |
| Uninstall Endpoint Agent | Deactivates ZeroLock protection and completely uninstalls both Baldur and Tyr from the system. |
| Archive Endpoints | This option allows the user to archive an endpoint that is no longer running. To archive an endpoint, Tyr must be stopped or removed. |
| Quarantine Endpoints | This option allows a user to manually place an endpoint in network quarantine for a specified time (in seconds). Network quarantine stops all network communications to and from the endpoint, except with the collector IP address. |
| Unquarantine Endpoints | This option allows a user to re-enable networking on a quarantined endpoint. An endpoint may have been quarantined manually, or automatically on a malware detection as defined by the configuration policy. |
| Copy Endpoint Installation Link | This option allows the user to get the installation script. This is the same script that is available on the Deploy page. |