
Handling Threats using the ZeroLock® Management Console

ZeroLock feature controls to address threats to Endpoints

    On the ZeroLock Management Console (ZMC), there are three (3) primary sections involved in alerting on threats to protected endpoints. These sections are the Dashboard, Alerts, and Endpoints, each of which has its own menu on the ZMC.

    Note:  The default configuration profile sets all alert types to Kill & Remediate except for SSH-MFA alerts, which only notify when a successful SSH login occurs.


    Dashboard

    Clicking anywhere on the line of a ransomware or cryptojacking alert will direct you to the Alert Details page.

    Image_1_Dashboard_v4.2.0-2

     


    Alerts

    From the ALERTS screen, there are two (2) ways to respond to alerts. The first is the primary ACTIONS drop-down menu above the list of alerts. The second is the ACTIONS drop-down that appears in the same row as the individual alert.

    Image_1_Actions_v4.2.0-1

    The primary ACTIONS drop-down menu consists of:

    1. Kill and Remediate Alert kills the processes involved in the malicious behavior, issues an alert, and then remediates: it removes any files created by the malware, removes the malware file(s) themselves, restores any modified or deleted files, undoes attempts at persistence (reverting changes to crontabs, removing dropped malware, etc.), and closes all network connections associated with the malicious processes. This is the default setting.
    2. Kill Alert stops the processes involved in the malicious behavior and generates an alert. Remediation is NOT done automatically.
    3. Release Alert releases the process, allowing the system to continue to run. The release function does no file restoration or deletion and should be used when the user believes the alert is a false positive.
    4. Archive Alert removes an alert from the list.  This may be done if the list is getting too long or cluttered.  For example, if you do not want to see SSH connection alerts, they can be turned off, but the previous alerts must be archived to be removed from the list.
    5. Add Allow Rule allows the user to create a rule that permits the process to run and will no longer generate an alert.  This is useful for known false positives.
    6. Delete Alert will delete the alert. This is for removing known false positives, improving data retention, clearing clutter from the alerts screen, etc.

    The available actions, those not greyed out, depend on the Response Type setting for the Endpoint.  For more information, see Response Type Settings and Alert Generation.

    Image_2_Kill_v4.2.0-1

    Depending on the Response Type setting, the button in the Actions column will be either Kill or Release. When selecting Kill, the button briefly changes to 'Killing', then to REMEDIATE. Additionally, in the STATUS column, DETECTED changes to KILLED. Clicking Remediate starts the remediation process.

    Image_3_Killed and Remediate_v4.2.0-1

    Release is used for known false positives, or when you want the activity to continue.

    Alert Details:  Displays the details of an alert, allowing troubleshooting by reviewing the attack process tree and the file impacted by the malware.

    Image_4_Alert Details_v4.2.0-1

    Status

    Displays the status of the attack: Killed, Remediated, Success, Suspended.

    Host

    The system's hostname.

    Download Link

    Allows for downloading the alert details in JSON format.

    Files Tab

    Displays a list of files touched by the malware. Created, modified, or deleted files are listed on this tab.

    The Action column identifies the file interaction, and the Status column displays the file's status.

    Processes Tab - Tree View

    A graphical representation of the attack process tree. Red blocks indicate a high threat rating and are processes associated with the attack. Each block, when clicked, shows details concerning the individual process.

    Processes Tab - List View

    A list of the processes in the attack process tree.

     

    View after the REMEDIATE process is activated. Notice that the status of the files has changed from 'Pending' to 'Removed' or 'Restored'.

    Image_5_Remediated_v4.2.0-1

    For more information on Alert Details, see the article Alerts Homepage on the ZeroLock Management Console.

     


    Endpoints

    The Active Alerts column shows the number of alerts on each endpoint. Clicking anywhere on the line of an alert will direct you to the Alert Details page for that alert, where you can take the appropriate action.

    Image_1a_Endpoints_v4.2.0-1