Containment Logs
- Click 'Logs' in the CCS menu bar
- Select 'Containment Events' from the drop-down at upper-left
CCS records all actions taken by the containment module. Events that are recorded include:
- When you manually run an application in the container
- When an an auto-containment rule runs an application in the container
- Date & Time - When the event occurred.
- Application - The installation path of the application that was run in the container.
- Rating – The reputation of the contained application. The trust rating can be 'Trusted', 'Unrecognized' or 'Malicious'. Unrecognized files are run in the container until such time as they can be classified as 'Trusted' or 'Malicious'.
- Action - How the malware was handled by CCS. This is also the restriction level imposed on the application by the container.
- Contained by – The CCS service, policy or user that placed the application in the container.
- Alert - Click 'Related Alert' to view the notification generated by the event.
Note: Containment alerts are shown when an installer, or unknown application requires admin/elevated privileges to run. The alerts are only shown if 'Do not show privilege elevation alerts' is disabled in 'Settings' > 'Containment' > 'Containment Settings'. See Containment Settings for more details. |
- Parent Process - The program which spawned the contained process.
- Click the name of the parent process to view the hierarchical order of processes
- Parent Process ID - The unique identifier that points to the process.
- Parent process hash - The SHA1 hash value of the program which spawned the contained process.
- Export - Save the logs as a HTML file. You can also right-click inside the log viewer and choose 'Export'.
- Open log file - Browse to and view a saved log file.
- Cleanup log file - Delete the selected event log.
- Refresh - Reload the current list and show the latest logs
- Click any column header to sort the entries in ascending / descending order.