How Response Type Settings Affect Alert Generation
A key feature of ZeroLock's Alert functionality is Configuration Profiles, which allow ZeroLock® Management Console (ZMC) administrators to control ZeroLock Agent behavior on protected Endpoints. Using Configuration Profiles, administrators can fine-tune settings for Ransomware, Cryptojacking, Tampering, and HASH protection.
A key setting in determining how ZeroLock responds to suspected malware is the Response Type. As shown below, there are four (4) possible Response Types.
- Do Nothing – ZeroLock will take no action other than generating an alert that possible malware was detected.
- Suspend – ZeroLock suspends the processes generated by the malware.
- Kill – ZeroLock will terminate the process and any child processes associated with the malware.
- Remediate – ZeroLock removes any files created by the malware, removes the malware file(s), restores any modified or deleted files, removes attempts at persistence (undoing changes to crontabs, removing dropped malware, etc.), and closes all network connections associated with the malicious processes.
Note: In the following section, depending on your screen resolution, you may only see a single ACTIONS button. The ACTIONS button is a drop-down menu with two options: Kill (without remediating) or Release.
DO NOTHING
The status is DETECTED with only the KILL and RELEASE buttons visible.
Kill will stop the processes associated with the malware. Release allows associated processes to continue executing if the alert is deemed not malicious or a false positive. Additional alerts will not be generated for this process.
In this example, Kill is selected. On selection of ‘Kill’, the processes associated with the malware are terminated, and the REMEDIATE button appears.
Clicking the REMEDIATE button results in the remediation of all impacted files and changes the alert status to REMEDIATED.
SUSPEND
The status is SUSPENDED, and three (3) buttons appear: Kill, Kill & Remediate, and Release. Clicking Kill & Remediate will perform the functions described above.
On selecting Kill, the processes associated with the malware are stopped, and the REMEDIATE button appears.
Clicking the REMEDIATE button remediates all impacted files and changes the alert status to REMEDIATED.
KILL
On detection, the malware processes are automatically terminated, the status will be KILLED, and the REMEDIATE button will be visible.
Clicking the REMEDIATE button remediates all impacted files and changes the alert status to REMEDIATED.
REMEDIATE
With this setting, as soon as the malware is detected, it is terminated and remediated, requiring no user intervention. However, the Kill, Kill & Remediate, and Release buttons may appear briefly.