Note: As of May 2022, Dell Endpoint Security Suite Enterprise has reached End of Maintenance. This product and its articles are no longer updated by Dell. As of May 2022, Dell Threat Defense has reached End of Maintenance. This product and its articles are no longer updated by Dell. For more information, reference Product Life Cycle (End of Support and End of Life) Policy for Dell Data Security. If you have any questions on alternative articles, either reach out to your sales team or contact endpointsecurity@dell.com. Reference Endpoint Security for additional information about current products.

Dell Endpoint Security Suite Enterprise and Dell Threat Defense endpoint statuses can be pulled from a specific endpoint for in-depth review of threats, exploits, and scripts.

Affected Products: Dell Endpoint Security Suite Enterprise, Dell Threat Defense
Affected Platforms: Windows, Mac, Linux
Not applicable
Dell Endpoint Security Suite Enterprise or Dell Threat Defense administrators may access an individual endpoint to review:

- Malware Contents
- Malware State
- Malware Type

An administrator should only perform these steps when troubleshooting why the advanced threat prevention (ATP) engine misclassified a file. Click Access or Review for more information.

Access

Access to malware information varies between Windows, macOS, and Linux. For more information, click the appropriate operating system.

Windows

By default, Windows does not record in-depth malware information.

1. Right-click the Windows start menu and then click Run.
2. In the Run UI, type regedit and then press CTRL+SHIFT+ENTER. This runs the Registry Editor as admin.
3. In the Registry Editor, go to HKEY_LOCAL_MACHINE\Software\Cylance\Desktop.
4. In the left pane, right-click Desktop and then select Permissions.
5. Click Advanced.
6. Click Owner.
7. Click Other users or groups.
8. Search for your account in the group and then click OK.
9. Click OK.
10. Ensure that your group or username has Full Control checked and then click OK.

Note: In the example, DDP_Admin (step 8) is a member of the Users group.

11. At HKEY_LOCAL_MACHINE\Software\Cylance\Desktop, right-click the Desktop folder, select New, and then click DWORD (32-bit) Value.
12. Name the DWORD StatusFileEnabled.
13. Double-click StatusFileEnabled.
14. Populate Value data with 1 and then press OK.
15. At HKEY_LOCAL_MACHINE\Software\Cylance\Desktop, right-click the Desktop folder, select New, and then click DWORD (32-bit) Value.
16. Name the DWORD StatusFileType.
17. Double-click StatusFileType.
18. Populate Value data with either 0 or 1. Once Value data has been populated, press OK.

Note: Value data choices:
0 = JSON file format
1 = XML format

19. At HKEY_LOCAL_MACHINE\Software\Cylance\Desktop, right-click the Desktop folder, select New, and then click DWORD (32-bit) Value.
20. Name the DWORD StatusPeriod.
21. Double-click StatusPeriod.
22. Populate Value data with a number ranging from 15 to 60 and then click OK.

Note: The StatusPeriod is how often the file is written.
15 = 15 second interval
60 = 60 second interval

23. At HKEY_LOCAL_MACHINE\Software\Cylance\Desktop, right-click the Desktop folder, select New, and then click String Value.
24. Name the String StatusFilePath.
25. Double-click StatusFilePath.
26. Populate Value data with the location to write the status file to and then click OK.

Note: Default path: \Cylance\Status\Status.json
Example path: C:\ProgramData\Cylance
A .json (JavaScript Object Notation) file can be opened in an ASCII text document editor.

macOS

In-depth malware information is in the Status.json file at: /Library/Application Support/Cylance/Desktop/Status.json

Note: A .json (JavaScript Object Notation) file can be opened in an ASCII text document editor.

Linux

In-depth malware information is in the Status.json file at: /opt/cylance/desktop/Status.json

Note: A .json (JavaScript Object Notation) file can be opened in an ASCII text document editor.

Review

The status file's Contents include detailed information about multiple categories including Threats, Exploits, and Scripts. Click on the appropriate information to learn more about it.

Contents

Status file contents:

snapshot_time: The date and time the Status information was collected. The date and time are local to the device.
ProductInfo
  version: Advanced Threat Prevention Agent version on the device
  last_communicated_timestamp: Date and time of the last check for an Agent Update
  serial_number: Installation Token used to register the Agent
  device_name: Name of the device the Agent is installed on
Policy
  type: Status of whether the Agent is Online or Offline
  id: Unique identifier for the policy
  name: Policy Name
ScanState
  last_background_scan_timestamp: Date and time of the last Background Threat Detection scan
  drives_scanned: List of drive letters scanned
Threats
  count: The number of threats found
  max: The maximum number of threats in the Status file
  Threat
    file_hash_id: Displays the SHA256 hash information for the threat
    file_md5: The MD5 hash
    file_path: The path where the threat was found. Includes the file name
    is_running: Is the threat currently running on the device? True or false
    auto_run: Is the threat file set to run automatically? True or false
    file_status: Displays the current state of the threat, like Allowed, Running, or Quarantined. See the Threats: FileState table
    file_type: Displays the type of file, like Portable Executable (PE), Archive, or PDF. See the Threats: FileType table
    score: Displays the Cylance Score. The score that is displayed in the Status file ranges from 1000 to -1000. In the Console, the range is 100 to -100
    file_size: Displays the file size, in bytes
Exploits
  count: The number of exploits found
  max: The maximum number of exploits in the Status file
  Exploit
    ProcessId: Displays the process ID of the application that is identified by Memory Protection
    ImagePath: The path where the exploit originates from. Includes the file name
    ImageHash: Displays the SHA256 hash information for the exploit
    FileVersion: Displays the version number of the exploit file
    Username: Displays the name of the user who was logged in to the device when the exploit occurred
    Groups: Displays the group the logged in user is associated with
    Sid: The Security Identifier (SID) for the logged in user
    ItemType: Displays the exploit type, which relates to the Violation Types
      Note: See the Exploits: ItemType table. The list of Violation types can be seen from Dell Endpoint Security Suite Enterprise Memory Protection category definitions.
    State: Displays the current state of the exploit, like Allowed, Blocked, or Terminated
      Note: See the Exploits: State table
    MemDefVersion: The version of Memory Protection used to identify the exploit, typically the Agent version number
    Count: The number of times the exploit attempted to run
Scripts
  count: The number of scripts run on the device
  max: The maximum number of scripts in the Status file
  Script
    script_path: The path where the script originates from. Includes the file name
    file_hash_id: Displays the SHA256 hash information for the script
    file_md5: Displays the MD5 hash information for the script, if available
    file_sha1: Displays the SHA1 hash information for the script, if available
    drive_type: Identifies the type of drive that the script originated from, like Fixed
    last_modified: The date and time the script was last modified
    interpreter
      name: The name of the script control feature that identified the malicious script
      version: The version number of the script control feature
    username: Displays the name of the user who was logged in to the device when the script was launched
    groups: Displays the group the logged in user is associated with
    sid: The Security Identifier (SID) for the logged in user
    action: Displays the action that is taken on the script, like Allowed, Blocked, or Terminated. See the Scripts: Action table

Threats

Threats have multiple numerical-based categories to be deciphered in File_Status, FileState, and FileType. Reference the appropriate category for the values to be assigned.

File_Status

The File_Status field is a decimal value calculated from the FileState flags that are set (see the table in the FileState section); each flag is a bit, and the flags are added together. For example, a decimal value of 9 for file_status results from the file being identified as a threat (0x01) and having been quarantined (0x08): 0x01 + 0x08 = 0x09 = 9.

FileState

Threats: FileState
  None         0x00
  Threat       0x01
  Suspicious   0x02
  Allowed      0x04
  Quarantined  0x08
  Running      0x10
  Corrupt      0x20

FileType

Threats: FileType
  Unsupported  0
  PE           1
  Archive      2
  PDF          3
  OLE          4

Exploits

Exploits have two numerical-based categories to be deciphered in both ItemType and State. Reference the appropriate category for the values to be assigned.

ItemType

Exploits: ItemType (name, value, description)
  StackPivot         1   Stack Pivot
  StackProtect       2   Stack Protect
  OverwriteCode      3   Overwrite Code
  OopAllocate        4   Remote Allocation of Memory
  OopMap             5   Remote Mapping of Memory
  OopWrite           6   Remote Write to Memory
  OopWritePe         7   Remote Write PE to Memory
  OopOverwriteCode   8   Remote Overwrite Code
  OopUnmap           9   Remote Unmap of Memory
  OopThreadCreate    10  Remote Thread Creation
  OopThreadApc       11  Remote APC Scheduled
  LsassRead          12  LSASS Read
  TrackDataRead      13  RAM Scraping
  CpAllocate         14  Remote Allocation of Memory
  CpMap              15  Remote Mapping of Memory
  CpWrite            16  Remote Write to Memory
  CpWritePe          17  Remote Write PE to Memory
  CpOverwriteCode    18  Remote Overwrite Code
  CpUnmap            19  Remote Unmap of Memory
  CpThreadCreate     20  Remote Thread Creation
  CpThreadApc        21  Remote APC Scheduled
  ZeroAllocate       22  Zero Allocate
  DyldInjection      23  DYLD Injection
  MaliciousPayload   24  Malicious Payload

Note: Oop references Out of Process. Cp references Child Process. For more information about violation types, reference Dell Endpoint Security Suite Enterprise Memory Protection category definitions.

State

Exploits: State
  None        0
  Allowed     1
  Blocked     2
  Terminated  3

Scripts

Scripts have a single numerical-based category to be deciphered in Action.

Scripts: Action
  None        0
  Allowed     1
  Blocked     2
  Terminated  3

To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.
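As an added example that is not part of this article or of the Cylance product, the following Python decodes a Status file with the tables above: it expands the file_status bit mask into FileState names (including bits the table does not define), maps file_type, ItemType, State and action to their names, and rescales the score to the Console range. The JSON nesting (a Threats object holding a Threat list, and likewise Exploit and Script) and the sample record are assumptions constructed for the example.

```python
import json
# Lookup tables transcribed from the Threats/Exploits/Scripts tables above.
FILE_STATE = {0x01: "Threat", 0x02: "Suspicious", 0x04: "Allowed",
              0x08: "Quarantined", 0x10: "Running", 0x20: "Corrupt"}
FILE_TYPE = {0: "Unsupported", 1: "PE", 2: "Archive", 3: "PDF", 4: "OLE"}
STATE = {0: "None", 1: "Allowed", 2: "Blocked", 3: "Terminated"}  # Exploits: State and Scripts: Action
ITEM_TYPE = {  # 4-11 are the Oop (out of process) violations; 14-21 are their Cp (child process) twins
    1: "Stack Pivot", 2: "Stack Protect", 3: "Overwrite Code",
    4: "Remote Allocation of Memory", 5: "Remote Mapping of Memory",
    6: "Remote Write to Memory", 7: "Remote Write PE to Memory",
    8: "Remote Overwrite Code", 9: "Remote Unmap of Memory",
    10: "Remote Thread Creation", 11: "Remote APC Scheduled",
    12: "LSASS Read", 13: "RAM Scraping", 22: "Zero Allocate",
    23: "DYLD Injection", 24: "Malicious Payload"}
ITEM_TYPE.update({n + 10: ITEM_TYPE[n] for n in range(4, 12)})  # Cp entries reuse the Oop text

def decode_file_status(value):
    """Expand the file_status bit mask into FileState names, e.g. 9 -> Threat + Quarantined."""
    names = [name for bit, name in FILE_STATE.items() if value & bit]
    unknown = value & ~sum(FILE_STATE)  # bits the FileState table does not define
    if unknown:
        names.append("Unknown(0x%02X)" % unknown)
    return names or ["None"]

def summarize(status_text):
    """Flatten a Status file into (category, path, decoded state, detail) rows; nesting is assumed."""
    data = json.loads(status_text)
    rows = []
    for t in data.get("Threats", {}).get("Threat", []):
        detail = "%s score=%d" % (FILE_TYPE.get(t["file_type"], "?"), int(t["score"] / 10))  # Console scale
        rows.append(("threat", t["file_path"], "+".join(decode_file_status(t["file_status"])), detail))
    for e in data.get("Exploits", {}).get("Exploit", []):
        detail = "%s x%d" % (ITEM_TYPE.get(e["ItemType"], "?"), e["Count"])
        rows.append(("exploit", e["ImagePath"], STATE.get(e["State"], "?"), detail))
    for s in data.get("Scripts", {}).get("Script", []):
        rows.append(("script", s["script_path"], STATE.get(s["action"], "?"), s["interpreter"]["name"]))
    return rows

# Constructed sample in the assumed layout, not a real capture; the hash is a placeholder.
SAMPLE = json.dumps({
    "snapshot_time": "2022-05-01 10:00:00",
    "Threats": {"count": 1, "max": 100, "Threat": [
        {"file_path": "C:\\Users\\user\\Downloads\\sample.exe", "file_status": 9, "file_type": 1,
         "score": -870, "file_hash_id": "<sha256 placeholder>", "is_running": False}]},
    "Exploits": {"count": 1, "max": 100, "Exploit": [
        {"ImagePath": "C:\\Tools\\dump.exe", "ItemType": 12, "State": 2, "Count": 3}]},
    "Scripts": {"count": 1, "max": 100, "Script": [
        {"script_path": "C:\\Temp\\run.ps1", "action": 2, "interpreter": {"name": "powershell", "version": "1.0"}}]}})
```

Running summarize(SAMPLE) yields one row per record, for instance the threat row reads Threat+Quarantined with a Console-scale score of -87.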