Score of 3 but still Remediated?
We added TDR host to our Backup server, and it blew up the backup jobs on a .tmp file that was created in \AppData\Local\Temp\ (which is a folder I really don't want to exclude). The threat score was 3 for the file, and I'm trying to understand why the file was remediated.
We're running at a Cybercon of 4 and none of our policies act on a threat score of 3. There is the APT Blocker Policy, which I suspect acted on the file.
Here are the Threat Details for that file:
Score: 3
Threat Feed: Not Matched
Malware Verification Service: Unseen
Heuristics: Suspicious (ML)
---Warped PE Structure
APT Blocker: Ineligible; File too large for APT Blocker Analysis
I'm seeing that the file was Successfully Externally Remediated and, at the same time, the backup software crashed, grinding our jobs to a screeching halt. Can anyone explain why this file was remediated?
Best Answer
Ricardo_Arroyo WatchGuard Representative
The Action "Externally Remediated" means the Indicator was remediated by Administrators outside of TDR. Since APT Blocker is not allowed to submit it for the Sandbox File action, we effectively remove the Indicator from the Dashboard by rescoring it to a 1 without actually performing any real remediation actions on the file. TDR did not act on this file, therefore I believe your backup software's crash was purely coincidental. If you find this sequence of events occurs again, please put in a support case, as you might be dealing with a defect.
Ricardo Arroyo | Principal Product Manager / ThreatSync Guru
WatchGuard Technologies, Inc.
Answers
Thank you Ricardo. We had just come to understand what Externally Remediated meant in the logs before you posted this. Perhaps the crash occurred, removing the .tmp file, and TDR detected the file was gone and logged it as externally remediated. Since we had just installed the TDR host that morning on this server and the timestamp of the Externally Remediated log entry matched the crash, we associated the two events and assumed TDR was the cause.
If we have any more issues, I'll open a case.