Advanced Persistent Threats
With Advanced Persistent Threats (APT) monitoring, you can detect and respond to threats at an early stage. In contrast to conventional antivirus software (AV), which detects threats and prioritizes them so that the system is not overloaded, APT searches all files for conspicuous patterns. In this way, APT also identifies potential threats that often remain undetected by classic AV solutions.
You receive a detailed analysis of current threats and can carry out regular scans to identify vulnerabilities. Security plans enable a structured response to attacks, while customization of rules ensures that your system remains continuously protected against new threats. By managing whitelists, you can distinguish trusted sources from potential risks, making your security measures more efficient and targeted.
The Advanced Persistent Threats component is currently based on around 7000 pre-filtered rules from leading vendors, which are updated and expanded live on a daily basis.
Dashboard
The dashboard provides you with an overview of the most important findings relating to your advanced persistent threats. Capture all information relating to threats, scans and detections at a glance and quickly identify the need for action.
Active threats
In this view, you will find the results of the malware detection. Based on the information provided on severity, affected paths and hosts, you can quickly prioritize and take targeted measures. Clicking on an entry takes you to the detection analysis. There you will find all relevant data relating to the detection, see which rule uncovered the threat, and can check whether the flagged file actually conceals a threat.
You also have the option of creating whitelists directly from the overview. To do this, click on the corresponding button behind an entry and fill in the pop-up window with the relevant details.
Assign a name and a brief description.
Now select assigned hosts from the dropdown list.
Finally, you can add more file paths to the whitelist.
Save your configuration by clicking the Add to Whitelist button.
A threat disappears from this view as soon as it is no longer found, for example after the corresponding file has been deleted or whitelisted and the host has been scanned again.
Clicking on an entry takes you to the threat view, where you will find all the details about the detection.
Scans
Under Scans you will find a list of all malware detection scans carried out to date, including their findings. This serves as evidence for compliance purposes and provides you with a detailed overview of possible to-dos.
Use the free text search to search for specific scans from the list. By clicking on a scan, you receive precise insights into the scope of the detection, including severity levels, threats and rules.
Please note that it can take several hours to perform a scan.
Clicking on a specific scan takes you to the detailed view, where you will find all the findings in a structured format. Use the option to create whitelists directly from the view and filter your results according to the information relevant to you using the free text search or the filters.
Plans
Plans are used to define and control scans. They determine which hosts are scanned and when, which rules are used for the scan and - optionally - which paths on the hosts are included.
Here you will find an overview of all previously created plans. You can start scans, edit or delete plans directly from this view in order to flexibly adapt your scan strategy.
Because a deep scan of all files on the hard disk places a high load on the system, we recommend running it weekly.
Add plan
Click on the Add plan button to open the configuration view for creating a new plan.
Assign a Name and a brief Description.
Define Assigned Hosts. Select one or more hosts from the list or use the Tag system for your plan. You also have the option to define host exceptions for more granular control.
Next, select Assigned Rules from the list or use the tag system here as well. By default, the managed rules are always selected. You can also define exceptions here.
If necessary, define Filepaths to specify which locations on the hosts are scanned. If you skip this setting, the host's main directory will be scanned automatically.
You can also specify Filepath Exceptions that should not be included in the plan.
The Advanced Settings allow you to limit the system load a scan may use. Your options include:
Minimum (1 Thread, max. 1 CPU)
Balanced (25% load)
Moderate (50% load)
Maximum (all available CPUs, 100% load)
Here you also have the option to set a Scheduled Execution. Use a valid cron expression or set the execution rhythm using the respective fields.
Finally, add your plan to save your configuration.
Rules
You can use sets of rules to specifically define which patterns in files should be recognized as suspicious. You define specific character strings or word combinations that are considered suspicious in certain contexts. The sets of rules work in a similar way to regular expressions (regex) and allow you to precisely adapt the detection patterns to your security requirements.
Customizable rules give you detailed control over your security strategy while minimizing the risk of false positives.
Add rules
Click on the Add rule button to create a new set of rules.
Enter a name and a short description.
Select tags from the dropdown menu to simplify association with scans.
Set the severity level to indicate how critical it is if a host is affected.
Use the input field to define custom rules in YARA syntax.
Complete your configuration by clicking Add rule.
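As an added example (not taken from this page or its vendor), the following custom rule in YARA syntax shows how the "suspicious in certain contexts" idea from the Rules section is expressed: individual strings only fire when they appear together in a small PHP file, which keeps false positives down. All strings, the rule name and the size threshold are constructed for illustration.

```yara
// Added example rule, not part of the product's managed rule set.
// Flags PHP files that execute decoded content taken from a request parameter.
rule Example_Suspicious_PHP_Eval_Of_Decoded_Input
{
    meta:
        description = "PHP file that evaluates decoded content supplied via a request parameter"
        severity    = "high"      // matches the severity level chosen in the Add rule dialog
        author      = "constructed example"

    strings:
        $php_tag = "<?php" ascii nocase

        // decode-then-execute constructs; the regexes tolerate whitespace
        $eval_b64 = /eval\s*\(\s*base64_decode\s*\(/ ascii nocase
        $eval_rot = /eval\s*\(\s*str_rot13\s*\(/ ascii nocase
        $eval_gz  = /eval\s*\(\s*gzinflate\s*\(/ ascii nocase

        // externally controlled input sources
        $req_post   = "$_POST[" ascii
        $req_get    = "$_GET[" ascii
        $req_req    = "$_REQUEST[" ascii
        $req_cookie = "$_COOKIE[" ascii

    condition:
        // Context requirement: a PHP tag, at least one decode-then-eval
        // construct and at least one request source, all in a small file.
        // Either group alone also occurs in legitimate code; the combination
        // in a small file is what makes the finding worth a look.
        filesize < 200KB
        and $php_tag
        and 1 of ($eval_*)
        and 1 of ($req_*)
}
```

Whitelist the legitimate paths that still match (for example a framework's own decoder) rather than loosening the condition, so the rule keeps its context requirement.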
Whitelist
With whitelists, you can specifically define which paths or files are excluded from scans. This applies regardless of which plan was used to start the scan. This allows you to prevent a file that has already been scanned from being repeatedly recognized as a threat.
Effectively block unauthorized access, reduce false positives and increase the efficiency of your security measures. Here you will find all whitelists created for Advanced Persistent Threats in one place. Edit or delete whitelists directly from the view and use the free text search to find entries quickly.
Add Whitelist
Use the corresponding button to add a new whitelist.
Assign a name and a short description.
Decide if the whitelist should be enabled upon completion of setup.
Select assigned hosts from the dropdown list or use the tag system. You can also define exceptions here.
Add additional Filepaths to the whitelist that should be excluded from scans.
Save your configuration with the Add Whitelist button.