Response Type Settings and Alert Generation

How Response Type Settings Affect Alert Generation

A key feature of ZeroLock's Alert functionality is Configuration Profiles, which allow ZeroLock® Management Console (ZMC) administrators to control ZeroLock Agent behavior on protected Endpoints. Using Configuration Profiles, administrators can fine-tune settings for Ransomware, Cryptojacking, Tampering, and HASH protection.

A key setting in determining how ZeroLock responds to suspected malware is the Response Type. As shown below, there are four (4) possible Response Types.

Image_1_Edit Config Profile_v4.1.10

  • Do Nothing – ZeroLock will take no action other than generating an alert that possible malware was detected.
  • Suspend – ZeroLock suspends the processes generated by the malware.
  • Kill – ZeroLock will terminate the process and any child processes associated with the malware.
  • Remediate – ZeroLock removes any files created by the malware, removes the malware file(s), restores any modified or deleted files, removes attempts at persistence (undoing changes to crontabs, removing dropped malware, etc.), and closes all network connections associated with the malicious processes.


Note: In the following section, depending on your screen resolution, you may only see a single ACTIONS button. The ACTIONS button is a drop-down menu with two options: Kill (without remediating) or Release.

DO NOTHING

The alert status is DETECTED, with only the KILL and RELEASE buttons visible.

Image_2_Do Nothing_v4.1.10

Kill stops the processes associated with the malware. Release allows the associated processes to continue executing when the alert is judged benign or a false positive; once a process is released, no further alerts are generated for it, so confirm the verdict before releasing.

In this example, Kill is selected. On selecting Kill, the processes associated with the malware are terminated, and the REMEDIATE button appears.

Image_2_Killed_Remediate_v4.1.10

Clicking the REMEDIATE button results in the remediation of all impacted files and changes the alert status to REMEDIATED.

Image_3_Remediated_v4.1.10


SUSPEND

The alert status is SUSPENDED, and three (3) buttons appear: Kill, Kill & Remediate, and Release. Clicking Kill & Remediate performs the kill and remediation steps described above in a single action.

Image_1_Suspend_Alerts_Kill_Remediate_Release_v4.1.10

On selecting Kill, the processes associated with the malware are stopped, and the REMEDIATE button appears.

Image_2_Remediate_v4.1.10

Clicking the REMEDIATE button remediates all impacted files and changes the alert status to REMEDIATED.

Image_3_Remediated_v4.1.10-1


KILL

On detection, the malware processes are automatically terminated, the alert status is KILLED, and the REMEDIATE button is visible.

Image_1_Killed Immediately_v4.1.10

Clicking the REMEDIATE button remediates all impacted files and changes the alert status to REMEDIATED.

Image_2_Remediated_v4.1.10


REMEDIATE

With this setting, the malware is terminated and remediated as soon as it is detected, requiring no user intervention. The Kill, Kill & Remediate, and Release buttons may still appear briefly while the automatic response completes.

Image_1_Remediate Setting Result_v4.1.10
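The four sections above describe one alert lifecycle: the Response Type fixes the alert's initial status, and that status determines which analyst actions are offered next. The following is an added illustration, not ZeroLock code and not the ZMC API: it encodes the documented statuses, buttons, and transitions as a small state machine so that a playbook or runbook can be checked against them offline. The status and action names are taken from this page; the RELEASED status name, the class and function names, and the process IDs in the usage section are assumptions made for the example.

```python
"""Model of the alert lifecycle documented for ZeroLock Response Types.

Added example; not ZeroLock's own code or API. Status and button names
come from the documentation page; RELEASED is an assumed terminal status
(the page names the Release button but not the resulting status).
"""
from enum import Enum


class ResponseType(Enum):
    DO_NOTHING = "Do Nothing"
    SUSPEND = "Suspend"
    KILL = "Kill"
    REMEDIATE = "Remediate"


class Status(Enum):
    DETECTED = "DETECTED"
    SUSPENDED = "SUSPENDED"
    KILLED = "KILLED"
    REMEDIATED = "REMEDIATED"
    RELEASED = "RELEASED"  # assumed name for a released alert


# Initial alert status produced by each Response Type on detection.
INITIAL_STATUS = {
    ResponseType.DO_NOTHING: Status.DETECTED,
    ResponseType.SUSPEND: Status.SUSPENDED,
    ResponseType.KILL: Status.KILLED,
    ResponseType.REMEDIATE: Status.REMEDIATED,
}

# Buttons offered at each status and the status each one leads to.
TRANSITIONS = {
    Status.DETECTED: {"Kill": Status.KILLED, "Release": Status.RELEASED},
    Status.SUSPENDED: {
        "Kill": Status.KILLED,
        "Kill & Remediate": Status.REMEDIATED,
        "Release": Status.RELEASED,
    },
    Status.KILLED: {"Remediate": Status.REMEDIATED},
    Status.REMEDIATED: {},  # terminal: nothing left to do
    Status.RELEASED: {},    # terminal: process allowed to run
}


class Alert:
    """One alert for one process, starting from the profile's Response Type."""

    def __init__(self, response_type, pid):
        self.response_type = response_type
        self.pid = pid
        self.status = INITIAL_STATUS[response_type]
        self.history = [self.status]

    def available_actions(self):
        """Buttons an analyst should see at the current status."""
        return sorted(TRANSITIONS[self.status])

    def apply(self, action):
        """Apply an analyst action; reject buttons that are not offered."""
        try:
            new_status = TRANSITIONS[self.status][action]
        except KeyError:
            raise ValueError(
                f"{action!r} is not available while status is {self.status.value}"
            ) from None
        self.status = new_status
        self.history.append(new_status)
        return new_status


class AlertQueue:
    """Tracks alerts per process and honours Release: a released process
    generates no further alerts, as the page states."""

    def __init__(self):
        self.released_pids = set()
        self.alerts = []

    def on_detection(self, pid, response_type):
        if pid in self.released_pids:
            return None  # suppressed: process was released earlier
        alert = Alert(response_type, pid)
        self.alerts.append(alert)
        return alert

    def release(self, alert):
        alert.apply("Release")
        self.released_pids.add(alert.pid)


if __name__ == "__main__":
    # Constructed walkthrough of the "Do Nothing" section: DETECTED -> KILLED -> REMEDIATED
    queue = AlertQueue()
    alert = queue.on_detection(4242, ResponseType.DO_NOTHING)  # pid is made up
    for action in ("Kill", "Remediate"):
        print(alert.status.value, "offers", alert.available_actions())
        alert.apply(action)
    print("final:", alert.status.value, [s.value for s in alert.history])
```

The table-driven form is deliberate: the Do Nothing, Suspend, and Kill sections differ only in their starting row, so an automation that drives the console (or simply documents an analyst runbook) can be checked for invalid sequences such as pressing Remediate before Kill, which the model rejects with a ValueError.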