How Response Type Settings Effect Alert Generation
A key feature in ZeroLock's Alert functionality is Configuration Profiles which allows the ZeroLock® Management Console (ZMC) administrators to control ZeroLock Agent behavior on protected Endpoints. Using Configuration Profiles, administrators can fine-tune settings for Ransomware, Cryptojacking, Tampering, and HASH protection.
A key setting in determining how ZeroLock responds to suspected malware is the Response Type. As shown below, there are four (4) possible Response Types.
- Do Nothing – ZeroLock will take no action other than generating an alert that possible malware was detected.
- Suspend – ZeroLock suspends the processes generated by the malware.
- Kill – ZeroLock will terminate the process and any child processes associated with the malware.
- Remediate –ZeroLock removes any files created by the malware, removes the malware file(s), restores any modified or deleted files, removes attempts at persistence (undoing changes to crontabs, removing dropped malware, etc.) and closes all network connections associated with the malicious processes.
Note: In the following section, depending on your screen resolution, you may only see a Kill and Remediate button and a single ACTIONS button. The ACTIONS button is a drop-down menu with the options Kill (without remediating) or Release.
DO NOTHING
The status is DETECTED and only the ACTIONS button is visible.
Selecting the ACTIONS button presents the options Kill or Release. Kill will stop the processes associated with the malware. Release is selected if the alert is determined not malicious or is a false positive so allows the associated processes to continue executing. No further alerts will be generated for this process.
In this example, Kill is selected. On selection of ‘Kill’, the processes associated with the malware are terminated and the REMEDIATE button appears.
Clicking the REMEDIATE button results in the remediation of all impacted files and changes the alert status to REMEDIATED.
SUSPEND
The status is SUSPENDED, and two (2) buttons appear Kill & Remediate and ACTIONS (Kill or Release). Clicking Kill & Remediate will perform the functions described above.
On selecting ACTIONS and then ‘Kill’, the processes associated with the malware are stopped and the REMEDIATE button appears.
Clicking the REMEDIATE button remediates all impacted files and changes the alert status to REMEDIATED.
KILL
On detection, the malware processes are automatically terminated, the status will be KILLED, and the REMEDIATE button will be visible.
Clicking the REMEDIATE button remediates all impacted files and changes the alert status to REMEDIATED.
REMEDIATE
With this setting, as soon as the malware is detected it is terminated and remediated, requiring no user intervention.