Response Type Settings and Alert Generation

How Response Type Settings Affect Alert Generation

A key feature of ZeroLock's Alert functionality is Configuration Profiles, which allow ZeroLock® Management Console (ZMC) administrators to control ZeroLock Agent behavior on protected Endpoints. Using Configuration Profiles, administrators can fine-tune settings for Ransomware, Cryptojacking, Tampering, and HASH protection.

The Response Type is the key setting that determines how ZeroLock responds to suspected malware. As shown below, there are four (4) possible Response Types.

(Screenshot: Response Types)

  • Do Nothing – ZeroLock takes no action other than generating an alert that possible malware was detected. The suspected processes continue to run until an administrator acts on the alert.
  • Suspend – ZeroLock suspends the processes spawned by the malware. The processes are paused, not terminated, so an administrator can still release them if the alert proves to be a false positive.
  • Kill – ZeroLock terminates the process and any child processes associated with the malware.
  • Remediate – ZeroLock removes any files created by the malware, removes the malware file(s), restores any modified or deleted files, undoes persistence attempts (for example, reverting changes to crontabs and removing dropped malware), and closes all network connections associated with the malicious processes.


Note: In the following sections, depending on your screen resolution, you may see only a Kill and Remediate button and a single ACTIONS button. The ACTIONS button is a drop-down menu with the options Kill (without remediating) and Release.



DO NOTHING

With Response Type set to Do Nothing, the alert status is DETECTED and only the ACTIONS button is visible.

(Screenshot: Do Nothing alert)

Selecting the ACTIONS button presents the options Kill and Release. Kill stops the processes associated with the malware. Release is chosen when the alert is judged not malicious or a false positive; the associated processes are allowed to continue executing, and no further alerts are generated for this process. Because Release silences future alerts for the process, select it only after the activity has been confirmed benign.

In this example, Kill is selected. On selecting Kill, the processes associated with the malware are terminated and the REMEDIATE button appears.

(Screenshot: Do Nothing alert after Kill)

Clicking the REMEDIATE button results in the remediation of all impacted files and changes the alert status to REMEDIATED.

(Screenshot: Do Nothing alert after Remediate)


SUSPEND

With Response Type set to Suspend, the alert status is SUSPENDED and two (2) buttons appear: Kill & Remediate, and ACTIONS (Kill or Release). Clicking Kill & Remediate performs the Kill and Remediate functions described above in a single step. Release, as described above, allows the suspended processes to continue executing.

(Screenshot: Suspend alert)

On selecting ACTIONS and then Kill, the processes associated with the malware are terminated and the REMEDIATE button appears.

(Screenshot: Suspend alert after Kill)

Clicking the REMEDIATE button remediates all impacted files and changes the alert status to REMEDIATED.

(Screenshot: Suspend alert after Remediate)


KILL

With Response Type set to Kill, the malware processes are terminated automatically on detection, the alert status is KILLED, and the REMEDIATE button is visible. Cleanup of impacted files still requires an administrator to click REMEDIATE.

(Screenshot: Kill alert)

Clicking the REMEDIATE button remediates all impacted files and changes the alert status to REMEDIATED.

(Screenshot: Kill alert after Remediate)


REMEDIATE

With Response Type set to Remediate, the malware is terminated and remediated as soon as it is detected, requiring no user intervention.

(Screenshot: Remediate alert)