Apex One has six main types of detection:
- Virus/Malware
- Behavior Monitoring
- Network Content Inspection
- Predictive Machine Learning
- Web Security
- Spyware/Grayware
The first step is to check which of these detection types has the highest number of detections. Refer to the following instructions:
- Log on to the Apex One console.
- Go to Dashboard and click Threat Statistics.
- Look for the Apex Central Threat Statistics widget. Refer to this article to learn more about Apex One widgets.
- The following screenshot shows a possible recurring detection for Network Content Inspection, Virus/Malware and Behavior Monitoring.
- Another widget you can use is located in Threat Statistics tab under Dashboard.
- Look for Apex Central Top Threats to see which threat has the highest count; a high count can indicate a recurring detection.
- For virus detections, select Malicious Files and click the threat name. In the example above, the threat with the highest count is "Ransom.Win32.RAGNAR.FAIL".
- Upon clicking on threat name, you should be redirected to the Log Query page.
- It shows the hostname involved under the "Endpoint" column and the detection name under the "Virus" column.
- Now that it is determined which detection type is recurring, proceed to identify which endpoint needs manual intervention.
- To investigate further, refer to the next section.
This process pinpoints the endpoint that requires manual intervention and additional investigation, and sets aside threats on endpoints that the product has already mitigated.
The two sections below describe which indicators to check for recurring detections so you can decide which endpoint needs manual intervention.
The following are the indicators for recurring detection:
- Time interval indicators
The Security Threats on Endpoints page is the best place to identify recurring detections using the time interval indicators. Check the following to verify a recurring detection:
- The detection is not a single burst at one point in time but continues throughout the day, week, or longer. Below is a sample screenshot of a detection that recurs every day.
- Detections occur at equal time intervals (e.g. every hour) during the day.
- Detections occur at a specific time every day over a week or month.
- Detections occur at random times every day for at least three days.
- Scan action indicators
The scan result recorded for a detection shows whether the product finished remediating it. Refer to the following links on what to do with these detections:
- Scan Actions for failed actions by Apex One
- Check for Scan Exclusions and make sure malicious files are not in your exclusions list.
The following scan results mean the threat was not remediated and are indicators of a recurring detection:
- Quarantine failed and Clean failed
- Further action required
- Logged only
Now that the recurring detection type is known (from the second section) and the indicators to check are clear, the next step is to verify which endpoint or endpoints require manual intervention:
- Log on to Apex Central and go to Directories tab.
- Click Users/Endpoints.
- Expand Endpoints on the left hand side, and select All or the Domain where the endpoint belongs to.
- From here you can look for the Endpoint identified from previous section, "How do I identify which type of detection is recurring?".
- Click Threat column to sort the table by threat count.
- This makes it easy to isolate the endpoints with a high threat count. All of them are candidates for investigation in the next section.
- Another option is to click the Endpoints dropdown and type the endpoint hostname.
- Click on the Endpoint hostname to go to the endpoint details page.
- Click Threats tab.
- This page shows all security threats found on the endpoint and lets you determine whether any of them recur. In particular, it shows the indicators described in the Time interval indicators and Scan action indicators sections above.
- For recurring detection, refer to section “What should I do when the detection is recurring on endpoint/s?”
- For non-recurring detection, refer to section “What should I do when the detection is not recurring on endpoint/s?”.
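The time interval indicators, the scan action indicators and the sort-by-threat-count step above can also be applied to a Log Query export instead of by eye. The following is an added Python example, not code from the original article or from Trend Micro: it assumes the export is a CSV with columns named Time, Endpoint, Detection Type, Threat and Result (check the header of your own export and adjust the names), and every sample row, hostname and threat name other than the article's Ransom.Win32.RAGNAR.FAIL is constructed for the example.

```python
"""Triage a Log Query detection export for recurring detections.

Added example, not code from the original article or from Trend Micro. It
assumes a CSV with the columns Time, Endpoint, Detection Type, Threat and
Result (check your export's header and adjust) and uses constructed rows.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Scan results from the "Scan action indicators": the product did not finish
# remediating, so the threat is still present on the endpoint.
UNRESOLVED_RESULTS = {"quarantine failed", "clean failed",
                      "further action required", "logged only"}

# Constructed sample export. Hostnames and threat names other than the
# article's Ransom.Win32.RAGNAR.FAIL are placeholders, not real detections.
SAMPLE_CSV = """\
Time,Endpoint,Detection Type,Threat,Result
2024-03-04 08:00:12,WS-FIN-01,Virus/Malware,Ransom.Win32.RAGNAR.FAIL,Quarantine failed
2024-03-04 09:00:09,WS-FIN-01,Virus/Malware,Ransom.Win32.RAGNAR.FAIL,Quarantine failed
2024-03-04 10:00:14,WS-FIN-01,Virus/Malware,Ransom.Win32.RAGNAR.FAIL,Quarantine failed
2024-03-04 11:00:11,WS-FIN-01,Virus/Malware,Ransom.Win32.RAGNAR.FAIL,Quarantine failed
2024-03-04 02:15:00,WS-HR-07,Behavior Monitoring,Sample.Behavior.A,Cleaned
2024-03-05 02:15:03,WS-HR-07,Behavior Monitoring,Sample.Behavior.A,Cleaned
2024-03-06 02:14:58,WS-HR-07,Behavior Monitoring,Sample.Behavior.A,Cleaned
2024-03-07 02:15:01,WS-HR-07,Behavior Monitoring,Sample.Behavior.A,Cleaned
2024-03-05 14:02:00,SRV-FILE-02,Virus/Malware,Sample.Virus.B,Quarantined
2024-03-05 14:02:05,SRV-FILE-02,Virus/Malware,Sample.Virus.B,Quarantined
2024-03-05 14:02:11,SRV-FILE-02,Virus/Malware,Sample.Virus.B,Quarantined
2024-03-04 10:17:33,WS-DEV-03,Spyware/Grayware,Sample.Grayware.C,Logged only
2024-03-05 16:44:10,WS-DEV-03,Spyware/Grayware,Sample.Grayware.C,Logged only
2024-03-06 07:05:52,WS-DEV-03,Spyware/Grayware,Sample.Grayware.C,Logged only
"""


def parse_export(text):
    """Rows of the CSV export with 'time' parsed to a datetime."""
    return [{
        "time": datetime.strptime(r["Time"], "%Y-%m-%d %H:%M:%S"),
        "endpoint": r["Endpoint"].strip(), "type": r["Detection Type"],
        "threat": r["Threat"], "result": r["Result"].strip(),
    } for r in csv.DictReader(io.StringIO(text))]


def classify_pattern(times, gap_tolerance=0.10, same_time_window_s=900):
    """Map timestamps of one endpoint/threat pair to a time-interval indicator.

    'burst': one cluster (or fewer than 3 hits); 'regular interval': equal
    spacing of 30 min or more; 'same time daily': the same time of day on 3+
    distinct days; 'random daily': 3+ distinct days at unrelated times.
    """
    times = sorted(times)
    if len(times) < 3:
        return "burst"
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean_gap = sum(gaps) / len(gaps)
    regular = mean_gap >= 1800 and all(
        abs(g - mean_gap) <= gap_tolerance * mean_gap for g in gaps)
    if len({t.date() for t in times}) >= 3:
        secs = [t.hour * 3600 + t.minute * 60 + t.second for t in times]
        if max(secs) - min(secs) <= same_time_window_s:
            return "same time daily"
        return "regular interval" if regular else "random daily"
    return "regular interval" if regular else "burst"


def rank_endpoints(rows):
    """Endpoints by total detection count, like sorting the Threat column."""
    counts = defaultdict(int)
    for r in rows:
        counts[r["endpoint"]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def triage(text):
    """One finding per (endpoint, threat): pattern, unresolved results, flag."""
    groups = defaultdict(list)
    for r in parse_export(text):
        groups[(r["endpoint"], r["threat"], r["type"])].append(r)
    findings = []
    for (endpoint, threat, dtype), rs in groups.items():
        pattern = classify_pattern([r["time"] for r in rs])
        unresolved = {r["result"] for r in rs
                      if r["result"].lower() in UNRESOLVED_RESULTS}
        findings.append({
            "endpoint": endpoint, "threat": threat, "type": dtype,
            "count": len(rs), "pattern": pattern, "unresolved": unresolved,
            # Recurring, or not remediated: someone must look at the machine.
            "needs_manual": pattern != "burst" or bool(unresolved)})
    return sorted(findings, key=lambda f: (-f["count"], f["endpoint"]))


if __name__ == "__main__":
    for f in triage(SAMPLE_CSV):
        print("MANUAL" if f["needs_manual"] else "ok    ", f["endpoint"],
              f["count"], f["pattern"], f["threat"], sorted(f["unresolved"]))
```

The thresholds (three distinct days, a 10% spread on the gap, a 15-minute same-time window) encode the indicators above and are tuning knobs for your environment, not Trend Micro defaults. Export the log with a time range that covers the suspected recurrence, as the log collection steps below require, and feed the file in place of SAMPLE_CSV.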
Before proceeding, make sure you have read the first three sections above and have isolated the endpoint/s with recurring detection. There are three action items which need to be done:
- Run ATTK scan on the affected endpoint
The ATTK tool contains rules that are updated regularly to maximize collection of suspicious files. Trend Micro encourages you to download ATTK from https://spnsupport.trendmicro.com/ each time you need it, to ensure you have the latest copy.
Here are the instructions on how to use the tool:
- Boot in Normal mode if possible; otherwise, use Safe Mode.
- Log on to the suspected machine as a local admin user or equivalent.
- Close all other open applications.
- Execute the downloaded tool by double-clicking the supportcustomizedpackage.exe file.
- When the Command window appears, it will start collecting system information.
- Go to the folder where you ran supportcustomizedpackage.exe and locate the archive file in the \TrendMicro AntiThreat Toolkit\Output folder.
- Submit the archive for analysis. You may also refer to the "Clean infected computers" section of this article for instructions.
Upload the archive using Log File Upload on the same request, or Log Analysis in the support portal, by following this guide.
- Collect all Apex Central logs and submit them to Trend Micro for cross-checking and analysis.
- Collect Agent listing log.
- Log on to the Apex One console.
- Go to Agents tab then click Agent Management.
- Select Apex One Server on the left hand side.
- Click Export to generate the Apex One Security Agent List.csv file.
- Upload this to Trend Micro.
- Collect detection logs
- Refer to the article below on how to open the Log Query page and export the detection logs.
- Make sure to select the proper time range according to the time of reoccurrence.
- Submit a case to Trend Micro
Refer to this link on how to submit a case. For future submissions about this same concern, use the Infection case type. It helps the investigation if the case includes a description of how the infection manifests (e.g. any visible changes or effects on the machine).
A non-recurring detection can mean either that the product has already removed the malware's persistence or that there was no persistence to begin with. Either way, check the product settings, the product status, and your environment for hosts without an agent installed.
- Use best practice settings.
Refer to this link to check whether your product follows the best practice guidelines.
- Make sure that patterns are up to date.
Refer to this link to know the latest pattern versions and manually download them if needed.
- Check for unmanaged endpoints.
This is an important step to eliminate potential infection sources and points of compromise on your environment. Refer to this link.
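One way to carry out the unmanaged-endpoint check is to compare a host inventory against the Apex One Security Agent List.csv exported from Agent Management (the same file the log collection steps above ask for). The following is an added Python example, not Trend Micro's tooling: the column names Endpoint and Connection Status are assumptions to be checked against the header of your own export, and both the agent list and the inventory are constructed sample data.

```python
"""Find hosts in the environment that have no Apex One Security Agent.

Added example, not part of the original article or Trend Micro's tools. It
joins a host inventory (constructed here; in practice an AD computer export
or asset list) against the 'Apex One Security Agent List.csv' exported from
Agent Management. The column names 'Endpoint' and 'Connection Status' are
assumptions: check the header of your own export and adjust them.
"""
import csv
import io

# Constructed agent-list export (not a real file). Note the mixed case and
# the FQDN on one row: exports and inventories rarely agree on host format.
AGENT_LIST_CSV = """\
Endpoint,IP Address,Connection Status
WS-FIN-01,10.10.1.21,Online
ws-hr-07.corp.example.com,10.10.2.7,Online
SRV-FILE-02,10.10.0.12,Offline
"""

# Constructed inventory of hosts that should be protected, one per line.
INVENTORY = """\
WS-FIN-01.corp.example.com
WS-HR-07
SRV-FILE-02
SRV-DB-01.corp.example.com
ws-dev-03
"""


def normalize(hostname):
    """Short hostname, upper-cased, so 'ws-hr-07.corp.example.com' == 'WS-HR-07'."""
    return hostname.strip().split(".")[0].upper()


def agent_status(agent_csv, host_col="Endpoint", status_col="Connection Status"):
    """Map normalized hostname -> connection status from the agent list export."""
    return {
        normalize(row[host_col]): row.get(status_col, "").strip()
        for row in csv.DictReader(io.StringIO(agent_csv))
        if row.get(host_col)
    }


def coverage_gaps(inventory_text, agent_csv):
    """Return hosts with no agent and hosts whose agent is not connected.

    An agent that is offline cannot report detections either, so both lists
    are places where an infection source could go unnoticed.
    """
    agents = agent_status(agent_csv)
    inventory = {normalize(line) for line in inventory_text.splitlines()
                 if line.strip()}
    unmanaged = sorted(h for h in inventory if h not in agents)
    offline = sorted(h for h in inventory
                     if h in agents and agents[h].lower() != "online")
    return {"unmanaged": unmanaged, "offline": offline}


if __name__ == "__main__":
    gaps = coverage_gaps(INVENTORY, AGENT_LIST_CSV)
    print("No agent installed:", ", ".join(gaps["unmanaged"]) or "none")
    print("Agent not connected:", ", ".join(gaps["offline"]) or "none")
```

The normalization step matters more than it looks: an inventory that lists FQDNs against an agent list that records NetBIOS names (or the reverse) will report every host as unmanaged, so compare on the short, upper-cased name and only then investigate what remains.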