Responding to security events
When a malicious operation occurs, or is suspected, on your pool, SES Evolution makes it possible to detect and/or block it while generating a security event. You can also respond to the event by performing a remediation on the affected workstations. Remediation is a set of operations that limit the impact of an attack and repair any damage it caused.
EXAMPLES
- An SES Evolution audit rule monitors certain trees in the registry base to detect the addition or modification of any keys or values. This is crucial as some malicious programs use this method to persist after the workstation is restarted. If such an action is detected, an audit log will be generated, and you can launch a remediation to automatically delete or modify suspicious registry keys on the affected workstations.
- A ransomware program was able to encrypt several files before SES Evolution blocked it. Remediation makes it possible to automatically retrieve the unencrypted version of these files from a Windows shadow copy.
- A user unintentionally launched a malicious program. SES Evolution blocked it and prevented it from being run, but the program can also be quarantined. It will then be out of the user's reach, while the administrator can analyze it before deleting or restoring it.
- Agent logs report suspicious events on a user's workstation. When you detect a danger, you can isolate the workstation in question from the network while you carry out your analysis, and prevent the spread of an attack to the entire network.
- After a ransomware attack blocked by SES Evolution, some programs can continue to run on the workstation and facilitate new attacks, for example a remote access Trojan (RAT). You can detect such programs with an IoC scan, then delete them automatically with remediation.