Remediate MalOps

Users with the L3 analyst or L2 Local analyst roles can perform remediation actions. Cybereason provides a number of response options, including the ability to perform selected remediation actions for items associated with a MalOp, exclude the MalOp behavior from triggering MalOps in the future, isolate the machine, and prevent file execution with Application Control.

The MalOp Status column in the Malops management screen updates according to your response.

Remediation options

The Cybereason platform includes a number of built-in remediation options that enable you to take actions that limit threats from malicious activities and require no additional intervention by you or your security and IT teams. You select remediation options from the Malops management screen (for one or more MalOps), or from the Malop details screen (for an individual MalOp).

Once you select a remediation option, the Cybereason platform does one of the following:

  • Performs the action on the selected machine(s).

  • Queues the action for machines that are offline (with the exception of the kill process and Remote Shell utility remediation options). When the machine is back online, Cybereason automatically performs the remediation action.

  • Sends alerts to the selected machines, depending on the end user desktop setting. See Configure end user desktop settings for more information.

In addition, you can use the Remote Shell utility to perform remediation actions directly on a selected machine. For more information, see Respond to Threats on a Machine with Remote Shell.

Depending on your operating system and the MalOp you want to remediate, you have different remediation options. Remediation options include:

Kill a process

Use the kill process remediation option to stop a malicious process from running on a machine or a set of machines. When you select this option, the Cybereason platform finds the necessary process and stops it on the selected machine.

Quarantine a file

Use the quarantine remediation option to move a malicious file to a different location to prevent it from executing. See Quarantine Files. Cybereason deletes quarantined files after 30 days. The cleanup is scheduled to run daily (every 24 hours) and on sensor startup.

Remove a registry entry

Use the remove registry entry remediation option if you want Cybereason to delete a registry entry associated with a malicious process.

Note: If detected ransomware has been injected into a legitimate process, Cybereason recommends you DO NOT choose to remove the process from the registry. Doing so may affect the integrity of your system.

Remediate directly on a machine

If the remediation options presented in the Malops management or Malop details screens are not sufficient for your needs, you can perform remediation tasks directly on a machine from the Cybereason UI. Run the Remote Shell utility to remediate and investigate on a specific machine (this feature must be enabled). For details, see Respond to Threats on a Machine with Remote Shell.

Prevent file execution

Use this option to add a file to the blocklist and prevent it from running on other machines in your environment. This setting applies to all machines with Application Control enabled.

After enabling this setting, if the file hash is detected again, the Cybereason platform will stop it from running on any machine.

Isolate a machine

Isolating a machine enables you to stop all communication from a machine or machines. This enables you to later go to the machine and investigate or remediate as needed.

Note

For a list of supported systems for each option, see the Response features table in Supported Features by Operating System.

For examples of these remediation options, see MalOp Remediation Examples.

Remediate using the Malops management screen

After you determine the best response option for one or more MalOps, you perform remediation actions from the Malops management screen.

To remediate one or more MalOps from the Malops management screen, follow these steps:

  1. Select the checkbox to the left of the MalOps to which you want to respond. The response option you choose applies to all the selected MalOps.

  2. Click Respond above the MalOps list. Available responses for the MalOp depend on the processes, machines, files, and users that the MalOp involves.

  3. If the MalOp represents a threat to your environment, do the following:

    Environments not using the Data Platform infrastructure:

    1. Above the MalOps grid, click Respond.

    2. In the dialog box, select Malop is malicious - Remediate.

    3. Select your remediation options and click Respond.

    Environments using the Data Platform infrastructure:

    1. Above the MalOps grid, click Respond.

    2. Select the necessary response actions and targets.

    3. Click Apply response.

  4. Back on the Malops management screen, select the MalOps you just remediated, and do one of the following:

    • If your environment does not use the Data Platform infrastructure: Click Mark as resolved to indicate the MalOp or MalOps have been addressed.

    • If your environment uses the Data Platform infrastructure: Click Set status as and select Closed.

  5. If the MalOp is not a threat to your environment and you want to prevent the specific behaviors from triggering a MalOp in the future, select Malop is benign - Exclude. See Manage False Positives for more information.

Remediate using the Malop details screen

After you determine the best response option for a MalOp, you can respond to it from that MalOp's Malop details screen.

To remediate a MalOp from the Malop details screen, follow these steps:

  1. Click Respond in the upper right-hand corner.

  2. Under Remediate or Prevention, select the checkboxes that you want. Available responses for the MalOp depend on the processes, machines, files, and users that the MalOp involves.

  3. From the list of options, select the machines, files, and actions to apply.

  4. Click Apply.

  5. When you have remediated the MalOp, indicate that you have addressed it:

    • For AI Hunting MalOps, select Remediated from the Mark as dropdown menu.

    • For Endpoint Protection MalOps, click the Mark as resolved button.

Send actions to offline sensors

When you perform remediation tasks, if a selected sensor is offline at the time the Cybereason platform sends a remediation action, the action is queued and applied when the sensor comes online. Queued actions wait for up to 72 hours for the sensor to come online.

Note

If you send the same action multiple times, the Cybereason platform ignores the new action to avoid duplicates.

View MalOp remediation history

You can view MalOp remediation history by MalOp or by machine.

View response history by Malop

From the Malop details screen, use the Respond options, and then click Show response history. The response history shows all the response actions performed on the MalOp.

View response history by machine

From the Investigation screen, click the Response history button in the Machine details dialog box. The response history shows all the response actions performed on the machine.

Note

The Response history button only appears for machines with associated remediation actions.

The response history includes the following columns:

  • Machine name: Machine from which the action was sent.

  • Action: Action sent to the target(s).

  • Target: Element on which the action will execute. For example, the process name associated with a ‘kill process’ action.

  • User: User that sent the action.

  • Send time: Time the user sent the action.

  • Execution time: Time the action was applied. Note: this may be significantly later than the Send time if the target machine was offline when the user sent the action.

  • Action status: Status of the action’s execution. Hover over a Failed value to learn more about why the action failed to execute.
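The following Python model is an added illustration, not Cybereason code, of the dispatch semantics this page describes for offline sensors (actions queued for up to 72 hours, kill process and Remote Shell never queued, a repeated identical action ignored) and of the response history columns listed above. Everything in it is constructed: the class and function names, the machine names and timestamps in the demo, and the "Pending", "Succeeded" and "Expired" status values (the page names only "Failed"). The model also assumes that duplicate suppression applies to an identical action that is still queued; the page does not say how long the platform remembers an already-applied action.

```python
"""Constructed model of remediation dispatch to online and offline sensors.

Not Cybereason code. It models the behaviour stated on the page: an action
sent to an online sensor runs at once; an action sent to an offline sensor is
queued for up to 72 hours (except kill process and Remote Shell, which are not
queued); a repeat of an identical still-queued action is ignored; and every
action is recorded with the response history columns the page lists.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

QUEUE_TTL = timedelta(hours=72)                   # page: queued actions wait up to 72 hours
NON_QUEUEABLE = {"kill process", "remote shell"}  # page: never queued for offline machines


@dataclass
class HistoryEntry:
    """One row of the response history (column names follow the page)."""
    machine_name: str
    action: str
    target: str
    user: str
    send_time: datetime
    execution_time: Optional[datetime] = None
    action_status: str = "Pending"        # constructed values: Pending/Succeeded/Failed/Expired
    failure_reason: Optional[str] = None  # the detail shown when hovering a Failed value


class RemediationDispatcher:
    def __init__(self) -> None:
        self.online: dict[str, bool] = {}
        self.history: list[HistoryEntry] = []
        self.pending: list[HistoryEntry] = []   # queued for sensors that are offline

    def set_sensor_state(self, machine: str, is_online: bool, now: datetime) -> None:
        """Record a sensor's connectivity; a sensor coming online drains its queue."""
        self.online[machine] = is_online
        if is_online:
            self._flush(machine, now)

    def send(self, machine: str, action: str, target: str, user: str, now: datetime) -> HistoryEntry:
        """Send one action; returns the history row that represents it."""
        # Duplicate suppression (assumption: scoped to an identical action still queued).
        for queued in self.pending:
            if (queued.machine_name, queued.action, queued.target) == (machine, action, target):
                return queued
        entry = HistoryEntry(machine, action, target, user, now)
        self.history.append(entry)
        if self.online.get(machine, False):
            self._execute(entry, now)
        elif action in NON_QUEUEABLE:
            entry.action_status = "Failed"
            entry.failure_reason = f"sensor offline; '{action}' is not queued"
        else:
            self.pending.append(entry)
        return entry

    def expire(self, now: datetime) -> None:
        """Drop queued actions whose 72-hour wait has elapsed."""
        keep = []
        for entry in self.pending:
            if now - entry.send_time > QUEUE_TTL:
                entry.action_status = "Expired"
            else:
                keep.append(entry)
        self.pending = keep

    def _flush(self, machine: str, now: datetime) -> None:
        self.expire(now)
        for entry in [e for e in self.pending if e.machine_name == machine]:
            self.pending.remove(entry)
            self._execute(entry, now)

    def _execute(self, entry: HistoryEntry, now: datetime) -> None:
        entry.execution_time = now          # may be far later than send_time for a queued action
        entry.action_status = "Succeeded"


def demo() -> list[HistoryEntry]:
    """Walk through the page's cases with constructed hosts and timestamps."""
    t0 = datetime(2024, 1, 1, 0, 0)
    d = RemediationDispatcher()
    d.set_sensor_state("host-a", True, t0)
    d.set_sensor_state("host-b", False, t0)
    d.set_sensor_state("host-c", False, t0)
    d.send("host-a", "kill process", "dropper.exe", "analyst1", t0)            # online: runs now
    d.send("host-b", "quarantine file", r"C:\Users\Public\dropper.exe", "analyst1", t0)   # queued
    d.send("host-b", "quarantine file", r"C:\Users\Public\dropper.exe", "analyst1",
           t0 + timedelta(hours=1))                                               # duplicate: ignored
    d.send("host-b", "kill process", "dropper.exe", "analyst1", t0)            # offline: not queued
    d.send("host-c", "quarantine file", r"C:\Temp\loader.exe", "analyst2", t0)  # queued, will expire
    d.set_sensor_state("host-b", True, t0 + timedelta(hours=10))               # queue drained
    d.set_sensor_state("host-c", True, t0 + timedelta(hours=80))               # past 72 h: expired
    return d.history


if __name__ == "__main__":
    for row in demo():
        print(row.machine_name, row.action, row.action_status, row.execution_time)
```

The demo records four rows rather than five because the repeated quarantine request is absorbed by the queued one, and the host-b quarantine row carries an Execution time ten hours after its Send time, which is the gap the Execution time column note above warns about.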