Running IoC scans on demand

Unscheduled IoC scans can be run whenever needed. To do so, you must create an IoC scan task.

  1. Select the Responses > Manual tasks menu and click on Create a task.

  2. Select IoC scan.
    You can also open the tasks panel through Agent logs by selecting a log and clicking on Tasks > Create an IoC scan task.

  3. Give your task a name.

  4. Click on Add analysis units and select the analysis units that you want to include in your IoC scan. Click on Next.

  5. Click on Log settings to determine the severity and destination of the SES Evolution logs generated during the IoC scan.

  6. For Text indicators, you can disable the IoC scan in files, processes or event logs by unselecting the Text search checkboxes.
  7. In File scan parameters, select Default scan to run a recursive scan on the folder \\.\EsaRoots\SystemDrive and exclude the folders \\.\EsaRoots\SystemRoot, \\.\EsaRoots\ProgramFiles and \\.\EsaRoots\ProgramFilesX86. Otherwise, select Custom scan:
    • Analyze the image file of running processes: checks whether the .exe file of each running process contains the indicators you are looking for. This option also allows you to shut down any malicious processes identified on agents during the IoC scan, and/or exclude from the scan any processes run by Windows administrator and/or system accounts.
    • File extensions: Restricts scans to the indicated extensions.
    • Included files and folders: runs the scan on indicated files and folders with or without recursion.
    • Excluded files and folders: excludes from the scan indicated files and folders with or without recursion. Click on the + icon to add another path.
  8. In the Process scan parameters, select Default scan to run a memory scan of all the processes being executed on the workstation. Otherwise, select Custom scan:
    • Shut down the process detected: Stops dangerous processes identified during the IoC scan.
    • Exclude processes run by: Excludes from the analysis the processes that were run with the indicated integrity levels (administrator and/or system).
    • Directory of excluded processes: Excludes from the analysis the processes for which the executable files are located in the indicated folders. Click on the + icon to add another path.
  9. In the Event logs section, select the types of logs to scan and from which date.

  10. In the DNS request parameter section, indicate the date from which you want to analyze DNS requests.

  11. Click on Next and select all the agents on which you want to run the IoC scan. Use filters where necessary to display only agents that meet certain criteria.

  12. Click on Run task.

    The task will appear in the main task panel.
  13. For each task, click on the icons below to perform several operations:
    • In the agent logs panel, displays logs corresponding to this task.
    • Removes tasks from the list.
    • Cancels the task currently being run on agents.
    • Runs the task again by changing some settings.

    You can also Delete completed tasks from the tasks panel.

  14. Click on the arrow to the left of the task to show details about the analysis units that the task contains.
    Click on Clear selection to cancel a running analysis unit.
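The file and process scan parameters of steps 7 and 8 compose: a file is scanned only if it sits under an included folder (with or without recursion), is not under an excluded folder, and has an allowed extension; a process is skipped when it runs at an excluded integrity level or its executable lives in an excluded folder. The Python model below is an added example written for this page, not SES Evolution code: the \\.\EsaRoots names are mapped to drive paths by assumption, exclusions are assumed to take precedence over inclusions and to apply recursively in the default scan and for excluded process directories, text indicators are matched as plain substrings, and the indicators, file contents and processes are all constructed.

```python
"""Model of the IoC scan task's file and process scan parameters (steps 7 and 8).
Added example for this page, not SES Evolution code: path resolution, precedence
and matching rules are assumptions, and all sample data is constructed."""
from __future__ import annotations
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Assumption: the \\.\EsaRoots names on the task form resolve to these agent paths.
ESA_ROOTS = {
    r"\\.\EsaRoots\SystemDrive": "C:\\",
    r"\\.\EsaRoots\SystemRoot": r"C:\Windows",
    r"\\.\EsaRoots\ProgramFiles": r"C:\Program Files",
    r"\\.\EsaRoots\ProgramFilesX86": r"C:\Program Files (x86)",
}

def _resolve(folder: str) -> PureWindowsPath:
    return PureWindowsPath(ESA_ROOTS.get(folder, folder))

def _under(path: PureWindowsPath, folder: PureWindowsPath, recursive: bool) -> bool:
    # Recursive: any ancestor matches; non-recursive: the direct parent only.
    # PureWindowsPath compares case-insensitively, like NTFS paths.
    return folder in path.parents if recursive else path.parent == folder

@dataclass
class FileScanParams:
    included: list[tuple[str, bool]]                   # (folder, recursive)
    excluded: list[tuple[str, bool]] = field(default_factory=list)
    extensions: set[str] = field(default_factory=set)  # empty = no restriction

def default_file_scan() -> FileScanParams:
    # The "Default scan" of step 7. Assumption: its exclusions are recursive.
    return FileScanParams(
        included=[(r"\\.\EsaRoots\SystemDrive", True)],
        excluded=[(r"\\.\EsaRoots\SystemRoot", True), (r"\\.\EsaRoots\ProgramFiles", True),
                  (r"\\.\EsaRoots\ProgramFilesX86", True)])

def scan_files(params: FileScanParams, files: dict[str, str], indicators: list[str]) -> list[str]:
    # Files whose content contains a text indicator. Assumption: exclusion beats inclusion.
    hits = []
    for raw, content in files.items():
        path = PureWindowsPath(raw)
        if params.extensions and path.suffix.lower() not in params.extensions:
            continue
        if not any(_under(path, _resolve(f), rec) for f, rec in params.included):
            continue
        if any(_under(path, _resolve(f), rec) for f, rec in params.excluded):
            continue
        if any(ioc in content for ioc in indicators):
            hits.append(raw)
    return hits

@dataclass
class Process:
    pid: int
    image: str       # path of the executable
    integrity: str   # "user", "administrator" or "system"
    memory: str      # constructed text view of the scanned memory

@dataclass
class ProcessScanParams:
    kill_detected: bool = False                                # "Shut down the process detected"
    excluded_integrity: set[str] = field(default_factory=set)  # "Exclude processes run by"
    excluded_dirs: list[str] = field(default_factory=list)     # "Directory of excluded processes"

def scan_processes(params: ProcessScanParams, procs: list[Process],
                   indicators: list[str]) -> tuple[list[int], list[int]]:
    # Returns (detected pids, pids that would be shut down).
    # Assumption: excluded directories apply recursively to the image path.
    detected, to_kill = [], []
    for proc in procs:
        if proc.integrity in params.excluded_integrity:
            continue
        if any(_under(PureWindowsPath(proc.image), _resolve(d), True) for d in params.excluded_dirs):
            continue
        if any(ioc in proc.memory for ioc in indicators):
            detected.append(proc.pid)
            if params.kill_detected:
                to_kill.append(proc.pid)
    return detected, to_kill

# Constructed sample data: two text indicators, a file listing with contents, three processes.
IOC_TEXT = ["evil-beacon.example", "a1b2c3-stage2"]
SAMPLE_FILES = {
    r"C:\Users\alice\Downloads\invoice.js": "contacts evil-beacon.example",
    r"C:\Windows\System32\notepad.exe": "evil-beacon.example",    # under SystemRoot
    r"C:\Program Files\Vendor\tool.exe": "a1b2c3-stage2",          # under ProgramFiles
    r"C:\Temp\clean.txt": "nothing of interest",
    r"C:\Temp\sub\payload.dll": "a1b2c3-stage2",
}
SAMPLE_PROCS = [
    Process(1204, r"C:\Users\alice\AppData\Local\Temp\upd.exe", "user", "evil-beacon.example"),
    Process(880, r"C:\Windows\System32\svchost.exe", "system", "a1b2c3-stage2"),
    Process(3310, r"C:\Program Files\Vendor\agent.exe", "administrator", "a1b2c3-stage2"),
]

if __name__ == "__main__":
    print("default file scan:", scan_files(default_file_scan(), SAMPLE_FILES, IOC_TEXT))
    custom = FileScanParams(included=[(r"C:\Temp", False)], extensions={".dll"})
    print("C:\\Temp non-recursive, .dll only:", scan_files(custom, SAMPLE_FILES, IOC_TEXT))
    custom.included = [(r"C:\Temp", True)]
    print("C:\\Temp recursive, .dll only:", scan_files(custom, SAMPLE_FILES, IOC_TEXT))
    hardened = ProcessScanParams(kill_detected=True, excluded_integrity={"system"},
                                 excluded_dirs=[r"\\.\EsaRoots\ProgramFiles"])
    print("custom process scan:", scan_processes(hardened, SAMPLE_PROCS, IOC_TEXT))
```

The two custom file scans differ only in the recursion flag on the included folder, which is what decides whether a file in a subfolder is reached at all; the custom process scan shows how an integrity-level exclusion and a directory exclusion each remove a process from the result before the indicator check runs, so a matching indicator in an excluded process is never reported or shut down.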