How do I know if a file is dropped? 'Threat Emulation'
Hi
How do I know if a file is dropped in Threat Emulation?
Only the log and ted.log*?
Isn't there any other way?
There is a report in Logs & Monitor, see sk120357: New Threat Emulation reports:
The report now also contains information for archive file descendants, as well as embedded files and dropped files.
If anything was dropped, the log card would have said Prevent instead of Detect (upper left corner).
Thank you.
Does this work the same way when in 'Hold mode'?
Is it just detected?
Why is it confirmed as a 'dropped file'?
To be clear, malware dropping files on an endpoint is a very different context from a log indicating that the gateway is dropping or blocking traffic.
Hold mode is more secure.
Detect here could also be due to the 'Low' confidence rating, again depending on your TP profile settings.
By default, none of our default profiles will Prevent for protections with a Confidence Level of Low.
The "dropped file" refers to what happened when the file in question was emulated.
Specifically, an EXE was created and there was an attempt made to execute it.