bund
Contributor

How do I know if a file is dropped? 'Threat Emulation'

Hi,

How do I know if a file is dropped in Threat Emulation?

Only the log and ted.log*?

Isn't there any way?

[Attachment: Log.jpg]

5 Replies
G_W_Albrecht
Legend

There is a report in Logs & Monitor, see sk120357: New Threat Emulation reports:

The report now contains also information for archive files descendants, as well as embedded files and dropped files.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
PhoneBoy
Admin

If anything was dropped, the log card would have said Prevent instead of Detect (upper left corner).

bund
Contributor

Thank you.
Does this work the same way when in 'Hold mode'?
Is it just detected?
Why is it confirmed as a 'dropped file'?

Chris_Atkinson
Employee

To be clear, malware dropping files on an endpoint is a very different context from a log indicating that it is dropping or blocking traffic.

Hold mode is more secure.

Detect here could also be due to the 'low' confidence rating again depending on your TP profile settings.


CCSM R77/R80/ELITE
PhoneBoy
Admin

By default, none of our default profiles will Prevent for protections with a Confidence Level of Low.

[Attachment: image.png]

The "dropped file" refers to what happened when the file in question was emulated.
Specifically, an EXE was created and there was an attempt made to execute it.
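The distinction the replies above draw (Prevent means the gateway blocked the file, Detect means it was logged but delivered, and Low confidence is not prevented by the default profiles) is easy to encode as a triage pass over exported Threat Emulation logs. The following is an added example, not Check Point code from this thread; the `key=value;` line format, the field names (`action`, `verdict`, `confidence_level`, `file_name`, `malware_action`) and the sample records are assumptions constructed for illustration, so map them to the fields your own log export actually emits.

```python
"""Triage exported Threat Emulation log records: did the file reach the user?

Added example, not Check Point code. The line format, field names and the
sample records below are assumptions constructed for illustration.
"""
from dataclasses import dataclass

# Assumption following the thread: the default profiles apply Prevent only to
# protections whose Confidence Level is Medium or High, never Low.
DEFAULT_PREVENT_CONFIDENCE = {"High", "Medium"}

# Constructed sample records (not real gateway logs).
SAMPLE_LOGS = [
    "product=Threat Emulation; action=Prevent; verdict=Malicious; "
    "confidence_level=High; file_name=invoice.docx; "
    "malware_action=Dropped file executed (payload.exe)",
    "product=Threat Emulation; action=Detect; verdict=Malicious; "
    "confidence_level=Low; file_name=report.pdf; "
    "malware_action=Dropped file executed (tmp.exe)",
    "product=Threat Emulation; action=Detect; verdict=Benign; "
    "confidence_level=N/A; file_name=notes.txt",
    "product=Threat Emulation; action=Detect; verdict=Malicious; "
    "confidence_level=High; file_name=macro.xlsm",
]


@dataclass
class Triage:
    file_name: str
    reached_user: bool        # True if the gateway did not block the file
    reason: str               # why we think so, for the analyst
    emulation_activity: str   # what the sandbox observed (e.g. dropped file run)


def parse_record(line: str) -> dict:
    """Split a 'k=v; k=v' line into a dict; tolerates stray separators."""
    fields = {}
    for part in line.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip()
    return fields


def triage(rec: dict, prevent_confidence=DEFAULT_PREVENT_CONFIDENCE) -> Triage:
    """Decide whether the emulated file was blocked or delivered."""
    name = rec.get("file_name", "?")
    activity = rec.get("malware_action", "")
    if rec.get("verdict") != "Malicious":
        return Triage(name, True, "benign verdict; delivered normally", activity)
    # A malicious verdict with action=Prevent means the gateway held the file.
    if rec.get("action") == "Prevent":
        return Triage(name, False, "blocked by gateway (Prevent)", activity)
    conf = rec.get("confidence_level", "?")
    if conf not in prevent_confidence:
        return Triage(name, True,
                      f"Detect only: confidence {conf} is below the profile's "
                      "Prevent threshold; hunt for the file on the endpoint",
                      activity)
    # Malicious, Prevent-eligible confidence, yet still Detect: look at the
    # profile (emulation mode, exceptions) rather than at confidence.
    return Triage(name, True,
                  "Detect despite Prevent-eligible confidence; review the "
                  "Threat Prevention profile mode and exceptions",
                  activity)


def triage_all(lines) -> list:
    return [triage(parse_record(line)) for line in lines]


if __name__ == "__main__":
    for t in triage_all(SAMPLE_LOGS):
        status = "DELIVERED" if t.reached_user else "BLOCKED"
        print(f"{status:9} {t.file_name:14} {t.reason} | {t.emulation_activity}")
```

Run it on a real export by replacing `SAMPLE_LOGS` with the lines from your Log Exporter or SmartLog output; the records that come back `DELIVERED` with a `Malicious` verdict are the ones where the "dropped file" in the emulation report describes something that may now also have happened on the user's machine.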
