ZeroLock feature controls to address threats to Endpoints
On the ZeroLock Management Console (ZMC), there are three (3) primary sections involved in alerting of threats to protected endpoints. These sections are the Dashboard, Alerts, and Endpoints, each of which has a menu on the ZMC.
Note: The default configuration profile sets all alert types to Kill & Remediate except for SSH-MFA alerts, which only notify when a successful SSH login occurs.
Dashboard
Clicking anywhere on the line of a ransomware or cryptojacking alert will direct you to the Alert Details page.
Alerts
From the ALERTS screen, there are two (2) avenues with which to react to alerts. There is the primary ACTIONS drop-down menu over the list of alerts. The second is the ACTIONS drop-down, which appears on the same row as the alert.
The primary ACTIONS drop-down menu consists of:
- Kill and Remediate Alert kills the processes involved in the malicious behavior, issues an alert, and then remediates by removing any files created by the malware, removing the malware file(s) themselves, restoring any modified or deleted files, removing attempts at persistence (undoing changes to crontabs, removing dropped malware, etc.) and closes all network connections associated with the malicious processes (Default setting).
- Kill Alert will stop the processes involved in the malicious behavior and generate an alert. Remediation is NOT automatically done.
- Release Alert releases the process, allowing the system to continue to run. The release function does no file restoration or deletion and should be used when the user believes the alert is a false positive.
- Archive Alert removes an alert from the list. This may be done if the list is getting too long or cluttered. For example, if you do not want to see SSH connection alerts, they can be turned off, but the previous alerts must be archived to be removed from the list.
- Add Allow Rule allows the user to create a rule that permits the process to run and will no longer generate an alert. This is useful for known false positives.
The available actions, those not greyed out, depend on the Response Type setting for the Endpoint. For more information, see Response Type Settings and Alert Generation.
Depending on the Response Type setting, the buttons in the Actions column will be either Kill or Release. Selecting Kill changes the status to KILLED, and a REMEDIATION tab will appear. Clicking that tab engages the remediation process.
Release would be selected for known false positives, or if you wanted the action to continue
Alert Detail: Displays the details of an alert, allowing troubleshooting by reviewing the attack process tree and the file impacted by the malware.
|
Status |
Displays status of the attack - Killed, Remediated, Success, Suspended. |
|
Host |
System’s hostname |
|
Download Link
|
Allows for downloading the alert details in JSON format. |
|
File Tab |
Displays a list of files touched by the malware. Created, modified, or deleted files are listed on this tab. The action column identifies the file interaction, and the Status column displays the file’s status. |
|
Processes Tab - Tree View |
A graphical representation of the attack process tree. Red blocks indicate a high threat rating and are processes associated with the attack. Each block, if clicked on, shows details concerning the individual process. |
|
Processes Tab - List View |
List of processes in the attack thread. |
View after the REMEDIATE process is activated.
For more information on Alert Details, see the Alerts Homepage on the ZeroLock Management Console article.
Endpoints
Under the Active Alerts column is an indicator of the number of alerts on an endpoint. Clicking anywhere on the line of an alert will take you to the details page for that alert, where the appropriate action may be taken.
