Capture Client Threat Protection Auto-mitigation Actions

Description

This KB describes the Capture Client Threat Protection policy modes and the auto-mitigation actions the Agent can apply under each of them.

Resolution

When its policy mode is set to Protect, the Agent mitigates threats automatically using the configured auto-mitigation action. When you analyze Active threats in the console, you see which mitigation actions the Agent already applied on its own.

 

The policy mode options for Threats are:

  • Detect (Alert Only): the Agent only raises an alert for the threat; no mitigation is applied.
  • Protect (Kill and Quarantine): the Agent kills the process and quarantines the file automatically.

The following Protection and Containment options are available when the policy mode is set to Protect:

Kill - Stops processes. Active content in documents, executables, and sub-processes is stopped. The Agent applies Kill to processes that act against normal endpoint behavior or whose actions do not fit the application the process is hiding in.

 

Quarantine - Stops processes, encrypts the executable, and moves it to a confined path. If a threat is already known, the Agent kills it before it can execute, so nothing has run that would need cleaning up; Quarantine is then the only mitigation action left to apply.

 

Remediate - Stops processes, quarantines binaries, removes linked libraries, deletes seed files, and restores the configuration of the OS, applications, and user settings to the state before the attack began.

 

Rollback - (Windows only) Restores the endpoint to a saved point taken from a VSS snapshot. This option is best suited to ransomware mitigation and disaster recovery. Note that it also discards legitimate work done since the last VSS snapshot, so the age of that snapshot bounds what can be lost.
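Because Rollback reverts to the most recent VSS snapshot, it is worth knowing what snapshots actually exist on an endpoint before relying on it. The following PowerShell script is an added example and is not part of this KB or of Capture Client itself; it uses only the built-in Win32_ShadowCopy and Win32_Volume CIM classes to list each drive's shadow copies and report how old the newest one is. It assumes (as this KB states) that Rollback restores from the latest VSS snapshot and makes no assumption about how the Agent itself selects a snapshot.

```powershell
# Added example, not from the SonicWall KB or Capture Client.
# Lists the VSS shadow copies a Rollback on this Windows endpoint could
# revert to, and reports the age of the newest snapshot per drive.
# Run in an elevated PowerShell session; built-in CIM classes only.

# Map volume GUID paths (\\?\Volume{...}\) to drive letters.
$volumes = Get-CimInstance -ClassName Win32_Volume |
    Where-Object { $_.DriveLetter } |
    Select-Object DeviceID, DriveLetter

$shadows = Get-CimInstance -ClassName Win32_ShadowCopy

if (-not $shadows) {
    Write-Warning "No VSS shadow copies found: Rollback has no restore point on this endpoint."
    return
}

# Win32_ShadowCopy.VolumeName uses the same GUID path form as Win32_Volume.DeviceID.
$report = foreach ($s in $shadows) {
    $vol = $volumes | Where-Object { $_.DeviceID -eq $s.VolumeName } | Select-Object -First 1
    [pscustomobject]@{
        Drive    = if ($vol) { $vol.DriveLetter } else { $s.VolumeName }
        Created  = $s.InstallDate
        AgeHours = [math]::Round(((Get-Date) - $s.InstallDate).TotalHours, 1)
        ShadowID = $s.ID
    }
}

$report | Sort-Object Drive, Created -Descending | Format-Table -AutoSize

# Newest snapshot per drive: anything written after this point is what a
# Rollback would discard along with the attacker's changes.
$report | Group-Object Drive | ForEach-Object {
    $newest = $_.Group | Sort-Object Created -Descending | Select-Object -First 1
    "{0}: newest snapshot {1:u} ({2} h old)" -f $_.Name, $newest.Created, $newest.AgeHours
}
```

If a drive shows no snapshot at all, or only a snapshot many days old, Rollback on that endpoint would either have nothing to restore or would discard far more user work than expected; check snapshot coverage before choosing Rollback as the auto-mitigation action for a policy.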

 

Disconnect from network - The Agent can communicate only with the Management Console. The endpoint cannot communicate with any other component on the network.

The policy mode options for Suspicious activity are:

  • Detect (Alert Only)
  • Protect (Kill and Quarantine)
  • Capture ATP (Auto Mitigate)

    In Capture ATP mitigation mode, the Agent detects a potential threat, reports it, and sends it to Capture ATP for further analysis. The action taken then depends on the Capture ATP verdict.

 

 

Note: Rollback is not supported on macOS.

Related Articles

  • Capture Client - System Requirements
  • Capture Client – Migrate local CMC user login to MySonicWall account login
  • Integration of CFS 5.0 Support in Capture Client