View and Manage Autorun Items
- Click 'Security' > 'Endpoint Security' > 'Antivirus' > 'Autoruns Items'
- This area lets you view and take action on items blocked by the boot protection feature of Xcitium Client Security (XCS).
- This includes unrecognized Windows services, auto-start entries and scheduled tasks.
From this interface, you can:
- Assign a rating to quarantined auto-run items (trusted, malicious or unrecognized)
- Delete them permanently
- Restore them to their original location
How do unrecognized autoruns items get terminated?
You can implement this setting in two places:
1) The 'miscellaneous' section of a profile. This applies the action to the real-time virus scanner. See Miscellaneous Settings
2) The 'Options' section when you create a custom virus scan. See custom scans in Antivirus Settings.
Open the interface
- Click 'Security' > 'Endpoint Security' > 'Antivirus'
- Click the 'Autoruns Items' tab
Select a group to view auto-runs blocked on its devices
Or
Select 'Show All' to view all terminated auto-runs
Column Heading | Description |
---|---|
Date | The date and time the auto-run was terminated on the device |
Type | The auto-run category: |
Action | How the unrecognized autorun was treated on the endpoints: |
# of Devices | The number of devices on which the item was terminated |
File Name | The file whose auto-run entry was terminated |
File Hash | The SHA1 hash value of the quarantined file. The hash value uniquely identifies the item even if its filename is changed. |
File Path | The location of the file on the endpoint |
Xcitium Rating | The file's trust level as rated by XCS. |
Admin Rating | The trust rating of the file as set by the administrator. Files can be rated as trusted, malicious or unrecognized. |
Last Action Group | Indicates the latest action taken by the admin. |
Autorun Status | Shows whether the auto-run is enabled or disabled on the endpoint |
- Click a column header to sort items in ascending / descending / alphabetical order
- Click the funnel icon at top-right and search by various parameters
You can perform the following tasks from the auto-runs page:
View Details of a Terminated Autorun Item
- Click 'Security' > 'Endpoint Security' > 'Antivirus' > 'Autoruns Items'
- Click the file name of an item in the list:
- This will open the file details interface which shows:
File Info - General information such as file-name, hash, file rating, number of devices on which the file was terminated, and more.
Device List - Shows a list of the endpoints on which the file was found, along with details like file installation path.
The options at the top let you:
Restore terminated autorun on a device
Remove the item from a device
Rate files as 'Unrecognized', 'Trusted' or 'Malicious'
See the following sections for more details
Manage Terminated Autorun Items
- If your review confirms that an autorun item is a genuine threat, it can be deleted from endpoints.
- Conversely, if an item is found to be a false positive, you can restore it to its original location.
- You can also rate a file as unrecognized, trusted or malicious based on your assessment. The new verdict will be sent to all endpoints and will be reflected in the 'Unrecognized' and 'Trusted' interfaces.
Restore Autorun Items on Devices
- If the identified item is a false positive, select the item from the list and click 'Restore Autorun on Devices' from the options at the top.
Delete Autorun Items from Devices
- Select the item(s) from the list and click 'Delete Autorun from Device' from the options at the top.
- Click 'Confirm' to remove the files
The file will be deleted from all devices on which it was terminated and removed from the list.
Rate Autorun Items as 'Unrecognized', 'Trusted' or 'Malicious'
- To change the rating of a file, select it and click the appropriate button at the top:
A confirmation will be displayed and the information sent to the devices.
- Files rated as 'Trusted' will be restored to their original locations on the device. These files will be white-listed and skipped by future antivirus scans.
- Files rated as 'Unrecognized' or 'Malicious' will be quarantined or their processes will be terminated per the profile settings.
Export Terminated Autorun Items as a CSV File
- Click 'Security' > 'Endpoint Security' > 'Antivirus' > 'Autoruns Items' tab
- Click the funnel icon to filter which records are included in the report.
- Click the 'Export' button and choose 'Export to CSV':
The report is generated in .csv format.
The file is available in 'Dashboard' > 'Reports'. See Reports if you need more help with this interface.
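
The following is an added example, not Xcitium code, of triaging the exported CSV offline. It groups rows by SHA1 to surface the same file reported under different names, lists items rated malicious whose auto-run is still enabled, and ranks unrecognized hashes by device count. The header names and sample rows are assumptions constructed for illustration; match them to the header row of your actual export.

```python
import csv
import io
from collections import defaultdict

H1, H2, H3 = "a" * 40, "b" * 40, "c" * 40  # constructed SHA1 placeholders
# Constructed sample; header names are assumed to mirror the console columns.
SAMPLE_CSV = rf"""File Name,File Hash,File Path,# of Devices,Admin Rating,Autorun Status
updsvc.exe,{H1},C:\ProgramData\updsvc.exe,3,Unrecognized,Disabled
helper.exe,{H1},C:\Users\Public\helper.exe,1,Unrecognized,Disabled
agent.exe,{H2},C:\Tools\agent.exe,12,Malicious,Enabled
backup.exe,{H3},C:\Backup\backup.exe,2,Trusted,Enabled
"""

def load_rows(text):
    """Parse the export and normalise the fields used for triage."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r = {k.strip(): (v or "").strip() for k, v in r.items() if k}
        r["File Hash"] = r["File Hash"].lower()
        r["devices"] = int(r["# of Devices"] or 0)
        rows.append(r)
    return rows

def renamed_hashes(rows):
    """Hashes reported under more than one file name (same file, renamed)."""
    names = defaultdict(set)
    for r in rows:
        names[r["File Hash"]].add(r["File Name"].lower())
    return {h: sorted(n) for h, n in names.items() if len(n) > 1}

def malicious_still_enabled(rows):
    """Items rated malicious whose auto-run entry is still enabled."""
    return [r for r in rows
            if r["Admin Rating"].lower() == "malicious"
            and r["Autorun Status"].lower() == "enabled"]

def pending_verdicts(rows):
    """Unrecognized hashes with per-row device counts summed, largest first."""
    totals = {}
    for r in rows:
        if r["Admin Rating"].lower() == "unrecognized":
            totals[r["File Hash"]] = totals.get(r["File Hash"], 0) + r["devices"]
    return sorted(totals.items(), key=lambda kv: -kv[1])

if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    print("Renamed:", renamed_hashes(rows))
    print("Malicious, enabled:", [r["File Name"] for r in malicious_still_enabled(rows)])
    print("Pending verdicts:", pending_verdicts(rows))
```
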