View Contained Threats
Click 'Security' > 'Endpoint Security' > 'Contained Threats' > 'Containment Logs'
- The container is a secure environment in which files with an 'unknown' trust rating are run. 'Unknown' files have not yet been classified as either 'safe' or 'malware'.
- Contained applications are not permitted to modify files, user data or other processes on the host machine.
- You can also submit unknown applications to Valkyrie, Xcitium's file analysis system. Valkyrie will test the file and attempt to classify it as 'safe' or 'malware'.
An application could be run inside the container because:
- It was auto-contained by rules in the Xcitium configuration profile applied to the endpoint. See 'Containment Settings' in Create Windows Profiles for more details about containment rules in a profile.
- It was auto-contained by local Xcitium Client Security rules on the endpoint.
- The endpoint user ran the program inside the container on a 'one-off' basis. This can be helpful to test the behavior of new executables that they have downloaded.
You can view all programs that ran inside the container from the 'Containment' interface. Admins can also view the activity of processes started by contained applications, and have the option to rate a contained file as trusted or malicious.
Open the containment list interface:
- Click 'Security' > 'Endpoint Security' > 'Contained Threats' > 'Containment Logs'
- Select a group to view contained programs on devices in that group, or select 'Show all' to view all contained programs
| Column Heading | Description |
|---|---|
| File Name | The executable that was run in the container. |
| File Path | The location of the contained file on the local endpoint. |
| File Hash | SHA1 hash value of the file. |
| Number of Devices | The count of endpoints on which the item was identified. |
| Contained By | The reason the file was contained. |
| Parent Process Name | The program or service that launched the contained application. |
| Action | The permission level at which the file was executed in the container, or the action that was taken upon it. The possible values are: |
| Status | The execution state of the file inside the container. The possible values are: |
| Xcitium Rating | The present trust rating of the file as per the Xcitium File Look-up Service (FLS). |
| Admin Rating | The trust rating of the file as set by the administrator. Files can be rated as trusted, malicious or unrecognized. |
| Date and Time | Date and time the file ran in the contained environment. |
| Controls | |
| File Details | View full information on the contained file, including the devices on which it was contained and its activity. |
| Change Rating | Change the rating of the contained file to trusted, malicious or unrecognized. |
| Hide file(s) | Conceal contained file record(s) from the list. |
| Unhide file(s) | Reveal concealed file record(s). |
| Export | Export the list of contained files to a .csv file. The exported file can be viewed in 'Dashboard' > 'Reports'. |
| Download Valkyrie report | Valkyrie is Xcitium's advanced file analysis and verdicting system. Each report contains an in-depth breakdown of the activity of an unknown file, along with an overall verdict on its trustworthiness. |
| Check Valkyrie details | View the Valkyrie file analysis of the contained file at https://valkyrie.Xcitium.com. |
- Click any column header to sort items in ascending/descending order of entries in that column.
- Click the funnel icon on the right to search for contained applications by name, file path, SHA1 file hash, admin rating, action, status and/or execution date.
- To display all the items again, remove / deselect the search key from the filter and click 'Apply'.
Manage Contained Items
The 'Containment' interface allows you to:
View details of a contained application
- Click 'Security' > 'Endpoint Security' > 'Contained Threats' > 'Containment Logs'
- Select a group to view contained programs on devices in that group, or select 'Show all' to view all contained programs
- Click a specific file name in the list OR select a file and click 'File Details'
- This opens the file details interface, which shows:
  - File Info - General information such as file name, path, age, hash and file size.
  - Device List - Shows the endpoints on which the file was found. This tab also tells you the device owner and lists any activities by the file.
- Click 'Security' > 'Endpoint Security' > 'Contained Threats' > 'Containment Logs'
- Click a specific file name in the list OR select a file and click 'File Details'
- Click the 'Device List' tab
The 'Device List' shows the endpoints on which the file was discovered and its activities. Admins can view processes executed by the file, with details of the data handled by each process.
Rate files as trusted / malicious
If required, admins can rate contained files as unrecognized, trusted or malicious. Please be certain a file is safe before marking it as trusted. Any new file ratings will be sent to endpoints during the next sync.
- Click 'Security' > 'Endpoint Security' > 'Contained Threats' > 'Containment Logs'
- Select a group to view contained programs on devices in that group, or select 'Show all' to view all contained files
- Select the file(s) whose rating you wish to change
- Click the 'Change Rating' button
- Set your preferred rating from the options (unrecognized, trusted or malicious)
The new rating will be propagated to all endpoints during the next synchronization.
Export file records as a CSV file
- Click 'Security' > 'Endpoint Security' > 'Contained Threats' > 'Containment Logs'
- Select a group to view contained programs on devices in that group, or select 'Show all' to view all contained files
- Click the funnel icon to filter which records are included in the report.
- Click the 'Export' button and choose 'Export to CSV'
The report is generated in .csv file format. You can access the report in the 'Dashboards' > 'Reports' interface. See Reports if you need more help with this interface.
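As an added example (not part of the Xcitium documentation), the Python script below triages an exported containment log before anyone changes a rating: it flags rows where the FLS verdict and the admin rating disagree, files FLS has not classified that are already trusted, and unclassified or malicious files present on many endpoints. It assumes the CSV export uses the column headings listed above verbatim; the sample rows, and the 'Contained By', 'Action' and 'Status' strings in them, are constructed.

```python
import csv
import io
import re

# Constructed sample of a 'Containment Logs' CSV export. The column headings are
# those documented for the containment list; that the export uses them verbatim,
# and the 'Contained By', 'Action' and 'Status' values shown, are assumptions.
SAMPLE_CSV = """\
File Name,File Path,File Hash,Number of Devices,Contained By,Parent Process Name,Action,Status,Xcitium Rating,Admin Rating,Date and Time
setup_tool.exe,C:\\Users\\alice\\Downloads\\setup_tool.exe,da39a3ee5e6b4b0d3255bfef95601890afd80709,1,Profile rule,explorer.exe,Run Restricted,Terminated,Unknown,Unrecognized,2024-03-01 09:12:44
invoice_view.exe,C:\\Users\\bob\\AppData\\Local\\Temp\\invoice_view.exe,3f786850e387550fdab836ed7e6dc881de23001b,7,Profile rule,OUTLOOK.EXE,Run Restricted,Running,Malware,Unrecognized,2024-03-01 10:03:10
helper.exe,C:\\Program Files\\Vendor\\helper.exe,89e6c98d92887913cadf06b2adb97f26cde4849b,3,User,cmd.exe,Run Virtually,Terminated,Unknown,Trusted,2024-03-02 14:20:01
updater.exe,C:\\Program Files\\Vendor\\updater.exe,not-a-hash,2,Profile rule,services.exe,Run Virtually,Terminated,Safe,Trusted,2024-03-02 15:00:00
"""

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")  # the File Hash column is documented as SHA1

def load_records(text):
    """Parse the export into dicts keyed by the column headings."""
    return list(csv.DictReader(io.StringIO(text)))

def triage(records, device_threshold=5):
    """Return (file hash, reason) pairs worth a manual look before any rating change."""
    findings = []
    for r in records:
        h = r["File Hash"].strip().lower()
        fls = r["Xcitium Rating"].strip().lower()    # FLS verdict: safe / malware / unknown
        admin = r["Admin Rating"].strip().lower()    # trusted / malicious / unrecognized
        devices = int(r["Number of Devices"])
        if not SHA1_RE.match(h):
            findings.append((h, "File Hash is not a 40-hex-digit SHA1; treat the row as suspect"))
            continue
        if fls == "malware" and admin != "malicious":
            findings.append((h, "FLS rates the file as malware but the admin rating does not"))
        if fls == "unknown" and admin == "trusted":
            findings.append((h, "admin trusted a file that FLS has not classified"))
        if fls != "safe" and devices >= device_threshold:
            findings.append((h, f"unclassified or malicious file seen on {devices} endpoints"))
    return findings

if __name__ == "__main__":
    for h, why in triage(load_records(SAMPLE_CSV)):
        print(f"{h}: {why}")
```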
You can hide records of contained apps from the list. For example, you can hide unimportant hash records.
Hide contained file record(s)
- Click 'Security' > 'Endpoint Security' > 'Contained Threats' > 'Containment Logs'
- Select a group to view contained programs on devices in that group, or select 'Show all' to view all contained files
- Select the files that you want to hide and click 'Hide file(s)'
To view the hidden files again, you have to unhide them.
- Click 'Security' > 'Endpoint Security' > 'Contained Threats' > 'Containment Logs'
- Select a group to view contained programs on devices in that group, or select 'Show all' to view all contained files
- Click the funnel icon on the right, select 'Show hidden files' and click 'Apply'
- The hidden files are shown with a dark gray background stripe.
- Select the hidden files from the list and click 'Unhide file(s)'
A confirmation message is displayed. The files are re-added to the list.
Valkyrie Reports
Files running in the container are analyzed and rated by Xcitium's behavior analysis system, Valkyrie. Valkyrie tests unknown files with a range of static and dynamic behavioral checks to identify whether they are malicious or safe.
You can also view the file rating in the 'Application Control' interface. You can download a Valkyrie report or view it online at https://valkyrie.Xcitium.com/
- Click 'Security' > 'Endpoint Security' > 'Contained Threats' > 'Containment Logs'
- Select a group to view contained programs on devices in that group, or select 'Show all' to view all contained files
- Select any file
- Click 'Download Valkyrie report'
You can also download and view the report at https://valkyrie.Xcitium.com/ after signing into your Valkyrie account.
View Valkyrie file analysis report online
- Select the file from the list and click 'Check Valkyrie Details' at the top. You will be taken to the report summary page of the selected file at https://valkyrie.Xcitium.com/.
- View a more detailed version of the Valkyrie analysis by logging in at https://valkyrie.Xcitium.com/. You can use your Xcitium One username and password to log in.
- See https://help.Xcitium.com/topic-397-1-773-9563-Introduction-to-Xcitium-Valkyrie.html for help with using the Valkyrie online portal.