What to do with recurring detections in Apex Central

Updated: 6 Jan 2021
Product/Version: Apex Central 2019, Apex One 2019
Summary

This article is a guide to handling recurring detections on your Apex Central console and to properly isolating the endpoints that may need manual intervention. It also helps administrators and the Trend Micro team prioritize the endpoints that need further investigation.

Details

Identify which type of detection is recurring

Apex One has six main detection types, listed below:

  • Virus/Malware
  • Behavior Monitoring
  • Network Content Inspection
  • Predictive Machine Learning
  • Web Security
  • Spyware/Grayware

The first thing to do is to check which of these detection types has the highest detection count. Refer to the instructions below:

  1. Log on to the Apex One console.
  2. Go to Dashboard and click Threat Statistics.

  3. Look for the Apex Central Threat Statistics widget. Refer to this article to learn more about Apex One widgets.

  4. The sample screenshot above shows possible recurring detections for Network Content Inspection, Virus and Behavior Monitoring.
  5. Another widget you can use is located in Threat Statistics tab under Dashboard.
  6. Look for Apex Central Top Threats to see which threat has the most count which could possibly indicate a recurring detection.

  7. For Virus detection, select Malicious Files and click the Threat Name. In this case, the threat with the most count is Ransom.Win32.RAGNAR.FAIL.
  8. Upon clicking on threat name, you should be redirected to the Log Query page.

  9. It should show the hostname involved under the Endpoint column and the detection name under the Virus column.
  10. Now that it is determined which detection type is recurring, proceed to identify which endpoint needs manual intervention.
  11. To investigate further, refer to the next section.

Identify the affected endpoint

Once you know which detection type is recurring (from the first section), the next thing to do is to identify the affected endpoint. It is important to determine whether the detection is happening on a single endpoint or on multiple endpoints.

  1. Log on to Apex Central and go to Directories tab.
  2. Click Users/Endpoints.
  3. Expand Endpoints on the left hand side, and select All or the Domain where the endpoint belongs to.

  4. From here you can look for the endpoint identified in the first section, "Identify which type of detection is recurring".
  5. Sort the table by threat count by clicking the Threat column.

  6. From here you can easily isolate the endpoints showing a high threat count. These are all possible subjects for the investigation in the next section.
  7. Another option is to click the Endpoints dropdown and type the endpoint hostname.

  8. Click on the Endpoint hostname to go to the endpoint details page.

  9. Click Threats tab.

  10. This page shows all Security Threats found on this endpoint and lets you identify whether any of them are recurring.
  11. To learn how to tell whether the threats on an endpoint are recurring, refer to the next section.

This step is important because it helps the Trend Micro team isolate the issue and focus only on endpoints that require manual intervention and additional investigation, while ignoring threats on endpoints that the product has already mitigated.

Indicators for recurring detection

These are the indicators of a recurring detection:

  • Time interval indicators

    It is best to use the Security Threats on Endpoints page to identify recurring detections using the time interval indicators. These are the indicators you can check to help verify a recurring detection.

    • The detection is not just a burst detection for a certain time but is continuous throughout the day, week or more. Below is a sample screenshot for everyday recurring detection.

    • Detections can occur at an equal time interval (e.g., every hour) during the day.
    • Other cases show detections that occur at a specific time every day during the week or month.
    • Certain cases also show recurring detections that happen at a random time every day for at least 3 days.
  • Scan action indicators

    Refer to the following links on what to do with these detections.

    • Scan Actions (https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-one-2019-server-online-help/protecting-trend_cli/scanning-for-securit_001/settings-common-to-a/scan-actions.aspx) for actions that failed in Apex One.
    • Check for scan exclusions (https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-one-2019-server-online-help/protecting-trend_cli/scanning-for-securit_001/settings-common-to-a/scan-exclusions.aspx) and make sure malicious files are not in your exclusions list.

    Scan action results to look for:

    • Quarantine failed and Clean failed actions
    • Further action required
    • Logged only action
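As an added example (not Trend Micro's code or a product feature), the script below applies the time interval and scan action indicators above to a constructed detection-log export of the kind you get from the Log Query page; the column names Endpoint, Virus, Time and Result are assumptions, not the product's real export schema.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample detection-log export; column names are an assumption
# for this example, not Apex Central's real export schema.
SAMPLE_CSV = """Endpoint,Virus,Time,Result
HOST-A,Ransom.Win32.RAGNAR.FAIL,2021-01-04 09:00,Quarantined
HOST-A,Ransom.Win32.RAGNAR.FAIL,2021-01-04 10:00,Quarantined
HOST-A,Ransom.Win32.RAGNAR.FAIL,2021-01-04 11:00,Quarantined
HOST-A,Ransom.Win32.RAGNAR.FAIL,2021-01-05 09:00,Quarantined
HOST-A,Ransom.Win32.RAGNAR.FAIL,2021-01-06 09:00,Quarantined
HOST-B,Ransom.Win32.RAGNAR.FAIL,2021-01-04 14:00,Quarantined
HOST-B,Ransom.Win32.RAGNAR.FAIL,2021-01-04 14:05,Quarantined
HOST-C,Ransom.Win32.RAGNAR.FAIL,2021-01-05 08:00,Clean failed
"""
FAILED_ACTIONS = {"Quarantine failed", "Clean failed", "Further action required"}
MIN_DAYS = 3  # the article's threshold: detections on at least 3 days

def load_detections(text):
    """Group exported rows into {(endpoint, virus): [(time, result), ...]}."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        when = datetime.strptime(row["Time"], "%Y-%m-%d %H:%M")
        groups[(row["Endpoint"], row["Virus"])].append((when, row["Result"]))
    return groups

def indicators(events):
    """Return the article's recurring-detection indicators for one pair."""
    times = sorted(t for t, _ in events)
    flags = set()
    if len({t.date() for t in times}) >= MIN_DAYS:
        flags.add("recurs_across_days")  # continuous, not a single burst
    per_day = defaultdict(list)
    for t in times:
        per_day[t.date()].append(t)
    for day in per_day.values():  # 3+ detections at an equal interval
        if len(day) >= 3 and len({b - a for a, b in zip(day, day[1:])}) == 1:
            flags.add("equal_interval")
    if max(Counter(t.time() for t in times).values()) >= MIN_DAYS:
        flags.add("same_time_daily")  # same clock time on several days
    if any(result in FAILED_ACTIONS for _, result in events):
        flags.add("failed_action")  # scan action indicator
    return flags

def triage(text=SAMPLE_CSV):
    # Map "endpoint/virus" to its sorted indicators; pairs with none are dropped.
    found = {f"{ep}/{virus}": sorted(indicators(ev))
             for (ep, virus), ev in load_detections(text).items()}
    return {k: v for k, v in found.items() if v}
```

HOST-B's two detections five minutes apart on a single day are a burst, not a recurrence, so it is not reported; HOST-C is reported only for its failed scan action.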

What to do with recurring detections

Before proceeding, make sure you have read the first three sections above and have isolated the endpoint(s) with recurring detections. There are three action items to complete:

  • Run ATTK scan on the affected endpoint

    The ATTK tool contains rules that are updated regularly to maximize the collection of suspicious files. Trend Micro encourages you to download the ATTK tool from https://spnsupport.trendmicro.com/ to ensure you have the latest copy.

    Here are the instructions on how to use the tool:

    1. Boot in Normal mode; otherwise, use Safe mode.
    2. Log on to the suspected machine as a local administrator or equivalent.
    3. Close all other open applications.
    4. Execute the downloaded tool by double-clicking the supportcustomizedpackage.exe file.
    5. When the Command window appears, the tool starts collecting system information.
    6. Go to the location where you executed supportcustomizedpackage.exe and locate the archive file in the \TrendMicro AntiThreat Toolkit\Output folder.
    7. Submit the archived files for analysis. You may also refer to the "Clean infected computers" section of this article for instructions.

    Please upload the archived file using Log File Upload on the same request or Log Analysis in the support portal. You can do this by following this guide.

  • Collect all Apex Central logs and submit to Trend Micro for counter checking and analysis.
    • Collect Agent listing log.
      1. Log on to the Apex One console.
      2. Go to Agents tab then click Agent Management.
      3. Select Apex One Server on the left hand side.
      4. Click Export to generate the Apex One Security Agent List.csv file.
      5. Upload this to Trend Micro.
    • Collect detection logs
      1. Refer to this article on how to go to the Log Query page and export the detection logs.
      2. Make sure to select the proper time range according to the time of reoccurrence.
  • Submit a case to Trend Micro

    Refer to this link on how to submit a case. For future submissions with the same concern, kindly use the Infection case type. It helps the case investigation if you describe how the infection manifests (e.g., any visible changes or effects on the machine).

What to do with non-recurring detections

A non-recurring detection means that the product was able to handle and mitigate the threat. Make sure to check the product settings, the product status and your environment for hosts without an agent installed.

  • Best practice settings

    Refer to this link to check if your product is following the best practice guidelines.

  • Patterns are up to date

    Refer to this link to know the latest pattern versions and manually download them if needed.

  • Check for unmanaged endpoints

    This is an important step to eliminate potential infection sources and points of compromise in your environment. Refer to this link.

Category:
Remove a Malware / Virus
Solution Id:
000283856