
View Contained Threats


Click 'Security' > 'Endpoint Security' > 'Contained Threats' > 'Containment Logs'

  • The container is a secure environment in which files with an 'unknown' trust rating are run. 'Unknown' files have not yet been classified as either 'safe' or 'malware'.

  • Contained applications are not permitted to modify files, user data or other processes on the host machine.

  • You can also submit unknown applications to Valkyrie, Xcitium's file analysis system. Valkyrie will test the file and attempt to classify it as 'safe' or 'malware'.

An application could be run inside the container because:

  • It was auto-contained by local Xcitium Client Security rules on the endpoint.

  • The endpoint user ran the program inside the container on a 'one-off' basis. This can be helpful to test the behavior of new executables that they have downloaded.

You can view all programs that ran inside the container from the 'Containment' interface. Admins can also view the activity of processes started by contained applications. Admins have the option to rate a contained file as trusted or malicious.


Open the containment list interface:

  • Click 'Security' > 'Endpoint Security' > 'Contained Threats' > 'Containment Logs'

  • Select a group to view contained programs on devices in that group

Or

  • Select 'Show all' to view all contained programs 



Column Heading

Description

File Name

The executable that was run in the container.

  • Click the name of the file to view its details.

File Path

The location of the contained file on the local endpoint.

  • Click the icon to copy the path to the clipboard.

File Hash

SHA1 hash value of the file.

  • Click the icon to copy the hash value to the clipboard.

  • You can investigate the events generated by the file using this hash value: click 'Security' > 'Endpoint Security' > 'Investigate' > 'Hash Search'.

Number of Devices

The count of endpoints on which the item was identified.

  • Click the number to view a list of endpoints on which the item was found.

  • This also allows you to view the activities of processes started by the item. For more details, see Device List Screen below.

Contained By

The reason the file was contained.

Parent Process Name

The program or service that launched the contained application.

Action

The permission level at which the file was executed in the container, or the action that was taken upon it. The possible values are:

  • Restricted - The file was run inside the container but had limited access to the operating system resources.

  • Virtually - The file was completely isolated from the operating system and files on the computer.

  • Blocked - The file was not allowed to run at all.

  • Ignored - The file was allowed to run outside the container without any restrictions.

  • Unknown - The containment status was not determined.

Status

The execution state of the file inside the container. The possible values are:

  • Running
  • Complete

  • Failed

Xcitium Rating

The present trust rating of the file as per the Xcitium File Look-up Service (FLS).

Admin Rating

The trust rating of the file as set by the administrator. Files can be rated as trusted, malicious or unrecognized.

Date and Time

Date and time the file ran in the contained environment.

Controls

File Details

View full information of the contained file including the devices on which it was contained and its activity.

Change Rating

You can change the rating of the contained file as trusted, malicious or unrecognized.

Hide file(s)

Conceal contained file record(s) from the list.

Unhide file(s)

Reveal concealed file record(s).

Export

Export the list of contained files to a .csv file.

The exported file can be viewed in 'Dashboard' > 'Reports'.

Download Valkyrie report

Valkyrie is Xcitium's advanced file analysis and verdicting system. Each report contains an in-depth breakdown of the activity of an unknown file, along with an overall verdict on its trustworthiness.

Check Valkyrie details

View Valkyrie file analysis of the contained file at https://valkyrie.Xcitium.com.

  • Click any column header to sort items in ascending/descending order of entries in that column.

  • Click the funnel icon on the right to search for contained applications by name, file path, SHA1 file hash, admin rating, action, status and/or execution date.

  • To display all the items again, remove / deselect the search key from filter and click 'Apply'.

Manage Contained Items


The 'Containment' interface allows you to:

View details of a contained application

  • Click 'Security' > 'Endpoint Security' > 'Contained Threats' > 'Containment Logs'

  • Select a group to view contained programs on devices in that group 

Or

  • Select 'Show all' to view all contained programs 

  • Click on a specific file name in the list OR select a file and click 'File Details'

  • This will open the file details interface which shows: 

  • File Info - General information such as file-name, path, age, hash and file-size.

  • Device List - Shows endpoints upon which the file was found. This tab also tells you the device owner and lists any activities by the file.

Device List Screen

  • Click 'Security' > 'Endpoint Security' > 'Contained Threats' > 'Containment Logs'

  • Click on a specific file name in the list OR select a file and click 'File Details'

  • Click the 'Device List' tab

The 'Device List' shows endpoints on which the file was discovered and its activities. Admins can view processes executed by the file with details on data handled by each process.





Rate files as trusted / malicious


If required, admins can rate contained files as unrecognized, trusted or malicious. Make sure a file is safe before marking it as trusted. Any new file ratings will be sent to endpoints during the next sync.

  • Click 'Security' > 'Endpoint Security' > 'Contained Threats' > 'Containment Logs' 

  • Select a group to view contained programs on devices in that group 

Or

  • Select 'Show all' to view all contained files 

  • Select the file(s) whose rating you wish to change

  • Click the 'Change Rating' button

  • Set your preferred rating from the options:


The new rating will be propagated to all endpoints during the next synchronization.


Export file records as a CSV file

  • Click 'Security' > 'Endpoint Security' > 'Contained Threats' > 'Containment Logs'

  • Select a group to view contained programs on devices in that group 

Or

  • Select 'Show all' to view all contained files 

  • Click the funnel icon to filter which records are included in the report.

  • Click the 'Export' button and choose 'Export to CSV':


The report is generated in .csv file format.



You can access the report in the 'Dashboards' > 'Reports' interface. See Reports if you need more help with this interface.
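The following added example, which is not Xcitium code, triages an exported containment report offline: it flags files whose 'Action' is 'Ignored' or 'Unknown', files whose admin rating of trusted conflicts with a malicious Xcitium rating, and hashes that cannot be used in 'Hash Search'. It assumes the CSV header names match the column headings described above; the sample rows, hashes and 'Contained By' values are constructed.

```python
import csv
import io
import re

# Constructed sample export. Header names are an ASSUMPTION: they mirror the
# 'Containment Logs' column headings, not a documented export schema.
SAMPLE_CSV = r"""File Name,File Path,File Hash,Number of Devices,Contained By,Parent Process Name,Action,Status,Xcitium Rating,Admin Rating,Date and Time
setup_tool.exe,C:\Users\alice\Downloads\setup_tool.exe,3f786850e387550fdab836ed7e6dc881de23001b,4,Containment Policy,explorer.exe,Virtually,Complete,Unrecognized,Unrecognized,2024/01/10 09:14:02
updater.exe,C:\ProgramData\upd\updater.exe,89e6c98d92887913cadf06b2adb97f26cde4849b,1,Containment Policy,svchost.exe,Ignored,Complete,Unrecognized,Unrecognized,2024/01/10 09:20:45
report_viewer.exe,C:\Temp\report_viewer.exe,2b66fd261ee5c6cfc8de7fa466bab600bcfe4f69,2,User,outlook.exe,Restricted,Running,Malicious,Trusted,2024/01/11 14:02:10
helper.exe,C:\Temp\helper.exe,not-a-hash,1,Containment Policy,cmd.exe,Unknown,Failed,Unrecognized,Unrecognized,2024/01/11 14:05:33
"""

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")  # SHA1 = 40 hex digits


def triage(csv_text):
    """Return (sha1, file name, reasons) for rows that deserve a closer look."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        action = row["Action"].strip().lower()
        if action == "ignored":
            # 'Ignored' means the file ran outside the container unrestricted.
            reasons.append("ran outside the container without restrictions")
        elif action == "unknown":
            reasons.append("containment status was not determined")
        admin = row["Admin Rating"].strip().lower()
        vendor = row["Xcitium Rating"].strip().lower()
        if admin == "trusted" and vendor == "malicious":
            reasons.append("admin rating 'trusted' conflicts with Xcitium rating")
        sha1 = row["File Hash"].strip().lower()
        if not SHA1_RE.match(sha1):
            reasons.append("File Hash is not a valid SHA1 for Hash Search")
        if reasons:
            findings.append((sha1, row["File Name"], reasons))
    return findings


if __name__ == "__main__":
    for sha1, name, reasons in triage(SAMPLE_CSV):
        print(f"{name} ({sha1}): " + "; ".join(reasons))
```
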


Hide File(s)

  • You can hide records of contained apps from the list. For example, you can hide unimportant hash records.

Hide contained file record(s)

  • Click 'Security' > 'Endpoint Security' > 'Contained Threats' > 'Containment Logs'

  • Select a group to view contained programs on devices in that group 

Or

  • Select 'Show all' to view all contained files 

  • Select the files that you want to hide and click 'Hide file(s)'


To view the hidden files again, you have to unhide them.


Restore Hidden File(s)

  • Click 'Security' > 'Endpoint Security' > 'Contained Threats' > 'Containment Logs'

  • Select a group to view contained programs on devices in that group 

Or

  • Select 'Show all' to view all contained files 

  • Click the funnel icon on the right, select 'Show hidden files' and click 'Apply'

  • The hidden files are shown with a dark gray background stripe.

  • Select the hidden files from the list and click 'Unhide file(s)'


A confirmation message is displayed. The files are re-added to the list.


Valkyrie Reports


Files running in the container are analyzed and rated by Xcitium's behavior analysis system, Valkyrie. Valkyrie tests unknown files with a range of static and dynamic behavioral checks to identify whether they are malicious or safe.


You can also view the file rating in the 'Application Control' interface. You can download a Valkyrie report or view it online at https://valkyrie.Xcitium.com/


Download Valkyrie report

  • Click 'Security' > 'Endpoint Security' > 'Contained Threats' > 'Containment Logs'

  • Select a group to view contained programs on devices in that group 

Or

  • Select 'Show all' to view all contained files 

  • Select any file

  • Click 'Download Valkyrie report':


This will open the Valkyrie report on the contained file in PDF format:


You can also download and view the report at https://valkyrie.Xcitium.com/ after signing into your Valkyrie account.


View Valkyrie file analysis report online

  • Select the file from the list and click 'Check Valkyrie Details' at the top.



You will be taken to the report summary page of the selected file at https://valkyrie.Xcitium.com/.




  • View a more detailed version of the Valkyrie analysis by logging in at https://valkyrie.Xcitium.com/. You can use your Xcitium One username and password to log in.