Capture Client Threat Protection Auto-mitigation Actions
09/10/2020 17 3386
This KB explains about Different types on Capture Client Threat Protection Auto-mitigation Actions available
The Agent mitigates threats automatically based on configured auto-mitigation action, if its policy is set to Protect. When you analyze Active threats, you see the mitigation actions that the Agent applied automatically.
Kill - Stops processes. Active content in documents, executables, and sub-processes are stopped. The Agent enables Kill for processes that act against normal endpoint behavior or do not fit the actions of the application the process is hiding in.
Quarantine - Stops processes, encrypts the executable, and moves it to a confined path. If a threat is known, the Agent automatically kills the threat before it can execute. The only mitigation action for you is Quarantine.
Remediate - Stops processes, quarantines binaries, removes linked libraries, deletes seed files, and restores configuration of the OS, application, and user settings to the state before the attack began.
Rollback - (Windows only) restores the endpoint to a saved point. This option is best for ransomware mitigation and disaster recovery. It can remove legitimate work done since the last VSS snapshot.
Disconnect from network - The Agent can communicate only with the Management Console. The endpoint cannot communicate with other components on the network.
Note: macOS versions - do not support Rollback