Managing remediation tasks
You can run remediation tasks on workstations from agent logs. Depending on the type of logs, SES Evolution offers various remediation actions, such as file quarantining, registry key deletion, process shutdown, etc., which make it possible to greatly limit the impact of attacks.
The remediation actions requested may override the security policy in force on the workstation concerned.
Two separate permissions control access to the remediation feature. The Remediation (advanced) - Modify permission allows all remediation operations, including running PowerShell scripts.
Since running a PowerShell script amounts to executing arbitrary code on every workstation targeted by the task, grant this permission only to a very small number of trusted users.
For users who need to perform remediation operations without running scripts, grant the Remediation - Modify permission.
See Managing users on the SES Evolution administration console.
- Select the Environment > Agent logs menu and identify the log corresponding to the malicious operation that you wish to remediate. For example, a ransomware attack generates the log "The process_name process attempted to run a ransomware attack." All agent logs can be used to create a remediation task, except those with the attributes Internal, Auto-protection, or Remediation. For further information, refer to the section Viewing and managing agent logs in the administration console.
- Select the log or log group in question and click on Tasks > Create a remediation task. The task window appears. It lists the possible remediation operations for the selected log type and the resource in question. Operations are grouped by agent.
- Enter a Name for your remediation task.
- Use filters to view only a certain Action type, or the actions concerning a certain Agent group.
- Select the actions that you wish to perform. Depending on the selected log type, the following actions are possible:
Shut down processes, by including or excluding child processes;
Remove files (quarantine or delete);
Delete registry keys;
Remove or modify registry values;
Retrieve files encrypted by ransomware, with a list of the first 10 files encrypted;
Run a PowerShell script.
Some actions are marked with an orange dot. This means that they affect one of the following critical system folders and may therefore have an impact on the workstation:
C:\Windows\System32
C:\Windows\SysWOW64
C:\Windows\Microsoft.NET
C:\Windows\WinSxS
C:\Program Files
C:\Program Files (x86)
C:\ProgramData\Stormshield
- If the suggested actions are insufficient, and you hold the Remediation (advanced) - Modify permission, you can run a custom PowerShell script during the remediation task.
EXAMPLE
If a malicious program has added registry keys in order to persist after the workstation is restarted, you may want to delete them. However, selecting every key to be deleted can be tedious when there are many of them and they affect several agents. It is therefore worth writing a script that deletes all such keys automatically, without selecting them individually.
To add a PowerShell script:
- Click on PowerShell script actions > Add to all agents. The Add a PowerShell script action window appears.
- To the right of the Script field, click on + to add the script to run.
- In the Arguments field, specify if necessary the arguments to add when the script is run.
- If you want the script to be run on all affected agents during the remediation task, select the checkbox Select the action for all agents. Otherwise, the line will be added to the list of actions but will not be selected.
- Select an existing script and click on the corresponding icons to view it or to import a new version of the script.
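As an added example (not a script shipped with SES Evolution and not part of this documentation), the following PowerShell script implements the persistence clean-up described above: it removes Run/RunOnce autorun values whose names match the patterns passed in the Arguments field, across the machine hive and every loaded user hive. The parameter names, the sample value name UpdaterSvc, the list of locations searched and the use of the exit code are assumptions made for this example; how the agent maps a script's exit code to a task status is not stated on this page.

```powershell
<#
  Added example, not a script shipped with SES Evolution.
  Removes autorun persistence values created by a malicious program.
  The agent runs the script with the text of the "Arguments" field appended, e.g.:
    -ValueName 'UpdaterSvc','Sync*' -DataContains '\AppData\Local\Temp\' -DryRun
  Parameter names and the sample value names are assumptions for this example.
#>
param(
    # Names of the Run/RunOnce values to delete; wildcards (*, ?) are allowed.
    [Parameter(Mandatory = $true)]
    [string[]]$ValueName,

    # Optional: only delete a value if its data (the command line) contains this
    # text, e.g. the folder the malware was dropped in. This protects legitimate
    # entries that happen to share a name with the malicious one.
    [string]$DataContains = '',

    # Report what would be deleted without touching the registry.
    [switch]$DryRun
)

$ErrorActionPreference = 'Stop'

# Remediation scripts are assumed to run in the SYSTEM context, in which case
# HKCU: is SYSTEM's own hive. Walk every loaded user hive under HKEY_USERS instead.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$userRoots = Get-ChildItem -Path 'HKU:\' |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { "HKU:\$($_.PSChildName)" }

# Classic autorun locations, 64-bit and 32-bit (WOW6432Node) views.
$relativeKeys = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)
$autorunKeys = foreach ($root in @('HKLM:') + $userRoots) {
    foreach ($rel in $relativeKeys) { Join-Path -Path $root -ChildPath $rel }
}

$removed = 0
$failed  = 0
foreach ($keyPath in $autorunKeys) {
    $key = Get-Item -Path $keyPath -ErrorAction SilentlyContinue
    if (-not $key) { continue }                      # key absent on this host or hive

    foreach ($name in $key.GetValueNames()) {
        if ($name -eq '') { continue }               # skip the key's (Default) value

        $nameMatches = $false
        foreach ($pattern in $ValueName) {
            if ($name -like $pattern) { $nameMatches = $true; break }
        }
        if (-not $nameMatches) { continue }

        $data = [string]$key.GetValue($name)
        if ($DataContains -and
            $data.IndexOf($DataContains, [StringComparison]::OrdinalIgnoreCase) -lt 0) {
            continue                                 # name matched but command line did not
        }

        if ($DryRun) {
            Write-Output "WOULD DELETE  $keyPath\$name = $data"
            continue
        }
        try {
            Remove-ItemProperty -Path $keyPath -Name $name
            $removed++
            Write-Output "DELETED       $keyPath\$name = $data"
        } catch {
            $failed++                                # e.g. hive locked or access denied
            Write-Output "FAILED        $keyPath\$name : $($_.Exception.Message)"
        }
    }
}

Write-Output "Done: $removed value(s) deleted, $failed failure(s)."
# Assumption: a non-zero exit code lets the task result distinguish a partial
# clean-up from a complete one; check how your agent version reports script results.
exit ([int]($failed -gt 0))
```

Run the task once with -DryRun in the Arguments field to confirm which values are selected, then run it again without it. The -DataContains filter is what keeps a legitimate autorun entry that shares a name with the malicious one. The script is idempotent, so using Run a task again on an agent that was offline simply removes whatever is still present.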
- Click on Start remediation.
The Tasks panel appears and you can track the progress of the remediation task.
- Click on the arrow to the left of the task to show its progress on each affected agent.
The following are the possible statuses of a remediation task:
Status        Description
Not started   The task was launched but has not yet started.
Running       The task is running.
Done          The remediation action was successful.
Error         An error occurred during the remediation task. A separate message indicates the reason, for example: the resource is locked, the user did not have sufficient privileges to delete files, the agent was not connected, etc.
Partial       In a remediation following a ransomware attack, not all the files could be recovered. If processes were shut down, at least one of them could not be shut down.
Canceled      The task was canceled by the user while it was being run.
- If you have chosen to quarantine files, they will be displayed in the Responses > Quarantine panel. For more information, see the section Managing file quarantine.
Use the Status, Type, Created by, or Agent group filters to display only the tasks you want to see.
Click on Details for more information on the remediation actions performed and their results.
You can also perform the following actions on remediation tasks or sub-tasks:
- Cancel tasks in progress,
- Browse to the agent logs corresponding to this task,
- Run a task again,
- Remove a task from the task panel,
- Export the result file in CSV format.