
Remediation Action

On the Hunting tab, you can view the malicious, suspicious, non-malicious, and non-suspicious events detected on your assets. You can remediate malicious and non-malicious events detected on the assets using the Quarantine File, Delete File, and Kill Process options. The event score is assigned based on the detection engine that flagged the event, such as Malware Detection, Yara rules, Behavioral Analysis, Threat Intelligence, and so on.

You can perform a remediation action for a single event or for multiple events. Bulk remediation is possible only for events of the same type on the same page of the Current View tab. You cannot apply a bulk remediation action if you select a file from page 1 and another from page 2 of the Current View tab. You can apply bulk remediation to up to 200 events at a time.

Remediation action is not available for Registry events.

Use the Filters option to view the events with specific severity.

(Screenshot: Filter Malicious Events)

Remediation action for File events

You can remediate malicious file events using the following options:

- Quarantine File: Using this option, the file is encrypted and then moved to the Quarantine folder (C:\ProgramData\Qualys\QualysAgent\Quarantine\) on your asset. The Quarantine folder is created automatically once you upgrade to agent 4.0 or later. You can undo this action and restore the file to its original location using the UnQuarantine option on the User Activity tab. For more information, see UnQuarantine File.

- Delete File: Using this option, the file is permanently deleted from your asset. You cannot undo this action.
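The two options above differ in reversibility: quarantine keeps the file (transformed so it cannot run or be re-detected in place) together with enough metadata to put it back, while delete is final. The following is an added example, not the Qualys agent's own code, that models the quarantine/UnQuarantine cycle in Python: the folder layout, the JSON metadata sidecar, the record id format and the fixed obfuscation key are all assumptions made for the illustration.

```python
"""Toy file quarantine and restore.

Added illustration of the quarantine model described on this page
(transform the file, move it to a quarantine folder, keep metadata so
it can be restored). Example code, not the Qualys agent's
implementation; folder layout, metadata format and key are assumed."""
import hashlib
import json
import time
from pathlib import Path

# Fixed key used to make quarantined bytes inert (assumed value). The aim
# of this step is to stop the file from executing or being re-detected
# where it sits, not to keep its contents confidential.
QUARANTINE_KEY = b"example-quarantine-key"


def _xor(data: bytes, key: bytes) -> bytes:
    """Symmetric XOR transform; applying it twice restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def quarantine_file(path: str, quarantine_dir: str) -> str:
    """Transform `path` into `quarantine_dir`, record metadata, remove original.

    Returns the quarantine record id (the stem of the files written)."""
    src = Path(path)
    qdir = Path(quarantine_dir)
    qdir.mkdir(parents=True, exist_ok=True)

    data = src.read_bytes()
    digest = _sha256(data)
    record_id = f"{int(time.time())}-{digest[:16]}"

    # Write the transformed bytes plus a sidecar saying where they came from.
    (qdir / f"{record_id}.quar").write_bytes(_xor(data, QUARANTINE_KEY))
    meta = {
        "original_path": str(src.resolve()),
        "sha256": digest,
        "size": len(data),
        "quarantined_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }
    (qdir / f"{record_id}.json").write_text(json.dumps(meta, indent=2))

    # Remove the original only after the quarantine copy is safely on disk.
    src.unlink()
    return record_id


def unquarantine_file(record_id: str, quarantine_dir: str) -> str:
    """Restore a quarantined file to its original path after an integrity check.

    Returns the restored path. Raises ValueError if the stored bytes do not
    match the recorded SHA-256 (corrupted or tampered quarantine entry)."""
    qdir = Path(quarantine_dir)
    meta = json.loads((qdir / f"{record_id}.json").read_text())
    data = _xor((qdir / f"{record_id}.quar").read_bytes(), QUARANTINE_KEY)

    if _sha256(data) != meta["sha256"]:
        raise ValueError(f"quarantine entry {record_id} failed integrity check")

    dest = Path(meta["original_path"])
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)

    # The entry is consumed once the file is back in place.
    (qdir / f"{record_id}.quar").unlink()
    (qdir / f"{record_id}.json").unlink()
    return str(dest)


def list_quarantine(quarantine_dir: str) -> list:
    """Return the metadata record of every entry in the quarantine folder."""
    qdir = Path(quarantine_dir)
    return [json.loads(p.read_text()) for p in sorted(qdir.glob("*.json"))]
```

Two design points carry over to any real quarantine store: the original is unlinked only after the quarantined copy and its metadata are on disk, so a crash cannot lose the file, and restore verifies the recorded hash before writing anything back, so a corrupted or tampered quarantine entry is refused rather than silently placed onto the asset.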

To remediate a single file event, perform the following steps:

1) Select the required file event and, in the Remediation Action column, click Quarantine File or Delete File in the drop-down list.

Alternatively, to perform bulk remediation, select multiple file events and click Actions, then select Quarantine Files or Delete Files from the drop-down list.

(Screenshot: Example of bulk remediation action for File events)

(Screenshot: File event to Quarantine)

(Screenshot: Remediation Action)

Note: You can also perform the remediation action from the Event Details page.

2) Based on your selection (Quarantine File or Delete File), one of the following windows is displayed. Enter the required comment and click Execute Action.

(Screenshot: Deleting and Quarantining a File)

3) A pop-up message indicating the status of the submission request is displayed in the top-right corner of the screen. Click View Request Status in the pop-up message to view the status (In Progress, Success, Failed) of the remediation request. You are redirected to the Responses tab.

(Screenshot: User Activity Tab)

Alternatively, you can view the status of the remediation request in the Remediation Action column on the Hunting tab.

(Screenshot: Remediation Action)

Remediation action for Process, Mutex, and Network events

For Process, Mutex, and Network events, the Kill Process remediation action is available. When you perform the Kill Process action on a Mutex or Network event, it kills the corresponding parent process.

1) Select the required event on the Hunting tab and, in the Remediation Action column, select Kill Process.

Alternatively, to perform bulk remediation, select multiple Process, Mutex, or Network events and click Actions, then select Kill Processes from the drop-down list.

(Screenshot: Example of bulk remediation action for Process, Mutex, or Network events)

You can perform a bulk remediation action only for events of the same type.

(Screenshot: Kill Process in Hunting Tab)

The following screenshot shows that when both Network and Mutex events are selected, the bulk remediation option is disabled:

(Screenshot: Kill Process in Hunting Tab)

(Screenshot: Kill Process)

Note: You can also perform the remediation action from the Event Details page.

2) The Kill Process screen is displayed. In the Related Events column, you can see the related file, network, and mutex events. Use the arrow button next to the Score column to view the list of related events.

If the event has related files, you can choose Quarantine File, Delete File, or perform no action on them by selecting None.

3) Enter the comment and click Execute Action.

(Screenshot: Execute Action)

4) A pop-up message indicating the status of the submission request is displayed in the top-right corner of the screen. Click View Request Status in the pop-up message to view the status (In Progress, Success, Failed) of the remediation request. You are redirected to the Responses tab.

(Screenshot: Kill Process Complete)

Alternatively, you can view the status of the remediation request in the Remediation Action column on the Hunting tab.

(Screenshot: Request Submitted)