
Remediation Action

You can remediate malicious events detected on your assets using the Quarantine File, Delete File, and Kill Process options. Remediation actions can be performed for File, Process, Network, and Mutex events from the Current View tab under Hunting and from the Event Details page.

The remediation options are available in the Remediation Action column and on the Event Details page only for:

- Events in Active View

- Events with a score between 1 and 10

[Screenshot: Remediation Action column]

Use the Filters option to view the malicious events from the list.

[Screenshot: Filter Malicious Events]

Remediation action for file events

You can remediate malicious file events, using the following options:

- Quarantine File: The file is encrypted and then moved to the Quarantine folder (C:\ProgramData\Qualys\QualysAgent\Quarantine\) on the asset, so it can no longer execute but is preserved for later analysis. The Quarantine folder is created automatically when you upgrade to agent 4.0 or later. You can undo this action and restore the file to its original location using the UnQuarantine option on the User Activity tab. For more information, see UnQuarantine File.

- Delete File: The file is permanently deleted from the asset. You cannot undo this action, so prefer Quarantine File when you may still need the file as evidence.

To perform remediation action on file events:

1) Select the required file event and, from the drop-down list in the Remediation Action column, click Quarantine File or Delete File.

Note: You can also perform the remediation action from the Event Details page.

[Screenshot: In Progress Remediation]

2) Depending on your selection (Quarantine File or Delete File), the corresponding window is displayed. Enter the required comment and click Execute Action.

[Screenshot: Delete or Quarantine File]

3) A pop-up message indicating the status of the submission request is displayed. Click View Request Status in the pop-up message to view the status (In Progress, Success, Failed) of the remediation request on the User Activity tab.

Alternatively, you can also view the status for the remediation request from the Remediation Action column on the Hunting tab.

[Screenshot: Request submitted toaster message]

[Screenshot: User Activity tab]

Remediation action for process, mutex, and network events

For process, mutex, and network events, the Kill Process remediation action is provided. When you perform the Kill Process action for a mutex or network event, it kills the corresponding parent process, that is, the process that owns the mutex or the network connection.

1) Select the required event from the Hunting tab and from the Remediation Action column, select Kill Process.

Note: You can also perform the remediation action from the Event Details page.

[Screenshot: Kill Process option]

2) The Kill Process screen is displayed. Under the Related Events column, you can see the related file, network, and mutex events. Use the arrow button next to the Score column to expand the list of related events.

Note: We display up to 50 related events.

If the event has related files, you can choose Quarantine File or Delete File for them, or perform no action by selecting None.

3) Enter the comment and click Execute Action.

[Screenshot: Execute Action]

4) A pop-up message indicating the status of the submission request is displayed. Click View Request Status in the pop-up message to view the status (In Progress, Success, Failed) of the remediation request on the User Activity tab.

Alternatively, you can also view the status for the remediation request from the Remediation Action column on the Hunting tab.

[Screenshot: Request Submitted]

[Screenshot: Kill Process Complete]
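The User Activity tab reports whether the agent accepted the request, but it does not tell you whether the file is actually gone from its original path or whether the killed process came straight back through a persistence mechanism. The PowerShell below is an added example for confirming the outcome of both the file procedure and the Kill Process procedure on the affected Windows host; it is not Qualys code and is not part of the original page. It assumes you have local or remote PowerShell access to the asset, the original file path and PID from the Hunting event, and the time at which you clicked Execute Action. The quarantine folder path is the one stated on this page; the file names Qualys writes inside it are not documented here, so the script only lists entries written after the action. The function names, parameters, and the sample paths in the usage lines are hypothetical.

```powershell
# Added example (not Qualys documentation or agent code): verify a remediation
# request on the affected host after the User Activity tab reports Success.
# Assumptions: local/remote PowerShell access; original path, PID and action
# time taken from the Hunting event. Function names are hypothetical.

function Test-FileRemediation {
    param(
        [Parameter(Mandatory)] [string]   $OriginalPath,
        [Parameter(Mandatory)] [datetime] $ActionTime,
        # Quarantine folder named on this page; entries inside are encrypted
        # copies, so their hashes will not match the original file.
        [string] $QuarantineDir = 'C:\ProgramData\Qualys\QualysAgent\Quarantine\'
    )
    $result = [ordered]@{
        OriginalPath         = $OriginalPath
        OriginalRemoved      = -not (Test-Path -LiteralPath $OriginalPath)
        QuarantineDirExists  = Test-Path -LiteralPath $QuarantineDir
        NewQuarantineEntries = @()
    }
    if ($result.QuarantineDirExists) {
        # For Quarantine File expect at least one entry written after the action;
        # for Delete File expect none.
        $result.NewQuarantineEntries = @(
            Get-ChildItem -LiteralPath $QuarantineDir -File -Force |
                Where-Object { $_.LastWriteTime -ge $ActionTime } |
                Select-Object Name, Length, LastWriteTime
        )
    }
    [pscustomobject]$result
}

function Test-ProcessRemediation {
    param(
        [Parameter(Mandatory)] [int]    $ProcessId,
        [Parameter(Mandatory)] [string] $ImagePath
    )
    # 1) The PID named in the event should no longer exist.
    $stillRunning = $null -ne (Get-Process -Id $ProcessId -ErrorAction SilentlyContinue)

    # 2) Kill Process does not remove persistence (services, scheduled tasks,
    #    Run keys). Look for the same image running again under any PID and
    #    report which process launched it, which points at the persistence.
    $respawned = Get-CimInstance Win32_Process |
        Where-Object { $_.ExecutablePath -and ($_.ExecutablePath -ieq $ImagePath) } |
        ForEach-Object {
            $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
            [pscustomobject]@{
                ProcessId   = $_.ProcessId
                ParentId    = $_.ParentProcessId
                ParentName  = $parent.Name
                CommandLine = $_.CommandLine
            }
        }

    [pscustomobject]@{
        ProcessId       = $ProcessId
        StillRunning    = $stillRunning
        RespawnedCopies = @($respawned)
    }
}

# Usage (paths and PID are placeholders; substitute the values from your event):
# Test-FileRemediation -OriginalPath 'C:\Users\Public\dropper.exe' -ActionTime (Get-Date).AddMinutes(-5)
# Test-ProcessRemediation -ProcessId 4321 -ImagePath 'C:\Users\Public\dropper.exe'
```

If Test-ProcessRemediation returns StillRunning as False but RespawnedCopies is not empty, the Kill Process action worked but something restarted the binary; quarantine or delete the file itself (the related file event on the Kill Process screen) and investigate the ParentName reported for the new copy before closing the event.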