Updates to Dell Endpoint Security Suite Enterprise Advanced Threat Protection detection method



Updates to Dell Endpoint Security Suite Enterprise or Dell Threat Defense may cause changes in how threats are evaluated


Affected Products:

Dell Endpoint Security Suite Enterprise
Dell Threat Defense

Affected Versions:

1371; 1391; 1.0.1; 1.2; 1.2.1392; 2.0.1451; 2.0.1452




Dell Data Protection's Advanced Threat Protection products, Dell Threat Defense and Dell Endpoint Security Suite Enterprise, may receive occasional updates that change how threats are evaluated. These are commonly referred to as "model" updates, because they update the threat model.

This model receives periodic updates to improve detection rates. To help users know how a new model might affect their organization, there are two columns on the Protection page in the Console. You can use the "Production Status" and "New Status" comparison to see which files on your devices might be impacted by the model change.

Users should test new models before a full production roll-out. This minimizes unintended outages caused by model changes.

Examples:

  • A file that the Current Model considered Safe might be rated Unsafe by the New Model. If your organization needs that file, add it to the Safelist.
  • A file that the Current Model has never seen or scored might be rated Unsafe by the New Model. If your organization needs that file, add it to the Safelist.

New Protection Columns

The two columns are: "Production Status" and "New Status":

  • Production Status: Displays the current model status (Safe, Abnormal or Unsafe) for the file.
  • New Status: Displays the model status for the file in the new model.

Only files found on devices in your organization whose Threat Score has changed are displayed. Some files may have a Score change but still remain within their current Status.

Example:

If the Threat Score for a file goes from 10 to 20, the file's status remains Abnormal, but the file still appears in the updated model list (if the file exists on devices in your organization).

Note: The information for the model comparison comes from the database, not from your devices, so no re-analysis is performed for the comparison. However, when a new model is available and the proper Agent is installed, a re-analysis is performed across your organization and any model changes are applied.

To view the Current Model and New Model columns:

  1. Log in to the Dell Data Protection Remote Management Console, select Populations -> Enterprise -> Advanced Threats, then select the Protection tab.
  2. Click the down-arrow on a column header.
  3. Select the "Production Status" and "New Status" columns.
  4. Click on the down-arrow or click anywhere on the page to close the column options menu.

You can now review differences between the two Threat Models.

The two scenarios you should be aware of are:

  • Current Model = Safe, New Model = Abnormal or Unsafe
      • Your organization considers the file Safe, or its Classification is Trusted Local
      • Your organization has Abnormal and/or Unsafe set to Auto Quarantine (AQT)
  • Current Model = Null (not seen or scored), New Model = Abnormal or Unsafe
      • Your organization considers the file Safe, or its Classification is Trusted Local
      • Your organization has Abnormal and/or Unsafe set to Auto Quarantine (AQT)

In the above scenarios, the recommendation is to Safelist the files you want to allow in your organization.

Identify Classifications

To identify classifications that could impact your organization, we recommend the following approach:

  • Apply a filter to the New Model column to display all Unsafe, Abnormal and Quarantined files. If your organization is set to Auto-Quarantine, you will not see any Unsafe or Abnormal files, because those threats have already been quarantined.
  • Apply a filter to the "Production Status" column to display all Safe files.
  • Apply a filter to the Classification column to show only Trusted - Local threats. Trusted - Local files have been analyzed by Dell's Advanced Threat Protection and found to be safe. Safelist these items after review. If the filtered list contains many files, prioritize using additional attributes. Example: add a filter to the "Background Detection" column to review threats found by Execution Control. These were convicted when a user attempted to execute an application and need more urgent attention than dormant files convicted by Background Threat Detection or File Watcher.
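The two scenarios above and the filter-based review approach are easier to apply consistently if they are written down as rules. The following is an added example, not code from the article or from Dell: it models console rows as plain records (the field names, the constructed hashes and the illustrative scores are assumptions; no score-to-status thresholds are assumed), flags the Safe-to-Abnormal/Unsafe and Null-to-Abnormal/Unsafe scenarios, notes which flagged files a policy with Abnormal and Unsafe set to Auto-Quarantine would block, and reproduces the New Status / Production Status / Trusted - Local filter with Execution Control convictions sorted first.

```python
from dataclasses import dataclass
from typing import Optional, List

SAFE, ABNORMAL, UNSAFE, QUARANTINED = "Safe", "Abnormal", "Unsafe", "Quarantined"
TRUSTED_LOCAL = "Trusted - Local"
EXECUTION_CONTROL = "Execution Control"


@dataclass
class FileRecord:
    # Constructed row shape; the field names are an assumption, not the console's export format.
    sha256: str
    production_status: Optional[str]   # None models "Null": never seen or scored by the current model
    new_status: str
    classification: str                # e.g. "Trusted - Local"
    background_detection: str          # "Execution Control", "Background Threat Detection", "File Watcher"
    production_score: Optional[int]    # illustrative values only
    new_score: int


@dataclass
class OrgSettings:
    auto_quarantine: frozenset          # statuses the policy sets to Auto-Quarantine (AQT)
    org_safe_hashes: frozenset          # hashes the organization itself treats as Safe


def scenario(rec: FileRecord) -> Optional[str]:
    """Name the article's scenario a record falls into, or None if it does not match one."""
    if rec.new_status not in (ABNORMAL, UNSAFE):
        return None
    if rec.production_status == SAFE:
        return f"Safe -> {rec.new_status}"
    if rec.production_status is None:
        return f"Null -> {rec.new_status}"
    return None


def triage(rec: FileRecord, settings: OrgSettings) -> Optional[dict]:
    """Triage verdict for a record that matches a scenario; None otherwise."""
    name = scenario(rec)
    if name is None:
        return None
    trusted = rec.sha256 in settings.org_safe_hashes or rec.classification == TRUSTED_LOCAL
    return {
        "sha256": rec.sha256,
        "scenario": name,
        # The new model will block this file on agents under an AQT policy.
        "will_quarantine": rec.new_status in settings.auto_quarantine,
        # Files the organization relies on are the ones to Safelist after review.
        "recommend_safelist": trusted,
        # Execution Control convictions mean a user tried to run it: review first.
        "urgent": rec.background_detection == EXECUTION_CONTROL,
    }


def score_only_changes(records: List[FileRecord]) -> List[str]:
    """Files whose Threat Score moved but whose Status did not (e.g. 10 -> 20, still Abnormal)."""
    return [r.sha256 for r in records
            if r.production_score is not None
            and r.production_score != r.new_score
            and r.production_status == r.new_status]


def filtered_review_list(records: List[FileRecord]) -> List[str]:
    """The article's filters: New Status Unsafe/Abnormal/Quarantined, Production Status Safe,
    Classification Trusted - Local. Execution Control convictions are sorted first."""
    hits = [r for r in records
            if r.new_status in (UNSAFE, ABNORMAL, QUARANTINED)
            and r.production_status == SAFE
            and r.classification == TRUSTED_LOCAL]
    hits.sort(key=lambda r: (r.background_detection != EXECUTION_CONTROL, r.sha256))
    return [r.sha256 for r in hits]


# Constructed sample rows; hashes are placeholders, not real file hashes.
SAMPLE_RECORDS = [
    FileRecord("hash-lob-app", SAFE, UNSAFE, TRUSTED_LOCAL, EXECUTION_CONTROL, 2, 75),
    FileRecord("hash-new-tool", None, ABNORMAL, "Unknown", "File Watcher", None, 30),
    FileRecord("hash-score-drift", ABNORMAL, ABNORMAL, "Unknown", "Background Threat Detection", 10, 20),
    FileRecord("hash-installer", SAFE, ABNORMAL, TRUSTED_LOCAL, "Background Threat Detection", 4, 15),
    FileRecord("hash-benign", SAFE, SAFE, TRUSTED_LOCAL, "File Watcher", 3, 3),
]
SAMPLE_SETTINGS = OrgSettings(auto_quarantine=frozenset({ABNORMAL, UNSAFE}),
                              org_safe_hashes=frozenset({"hash-new-tool"}))


def run_triage(records: List[FileRecord], settings: OrgSettings) -> List[dict]:
    """Triage every record and return only the ones that matched a scenario."""
    return [v for v in (triage(r, settings) for r in records) if v is not None]


if __name__ == "__main__":
    for verdict in run_triage(SAMPLE_RECORDS, SAMPLE_SETTINGS):
        print(verdict)
    print("score moved, status unchanged:", score_only_changes(SAMPLE_RECORDS))
    print("filtered review list:", filtered_review_list(SAMPLE_RECORDS))
```

In the sample data, the Abnormal-to-Abnormal score drift is reported separately rather than flagged, matching the article's note that such files appear in the list without a status change, and the Null-to-Abnormal tool is recommended for safelisting only because the organization has marked it Safe, not because of its classification.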

Recommended Production Roll-out

This section outlines strategies to help users upgrade to a newer predictive model. It is highly recommended to assign Agents to a Policy with Auto-Quarantine enabled for Unsafe and Abnormal files.

Auto-Updates with Auto-Quarantine

If Agents are set to Auto-Update, disable auto-updates for Agents when new predictive models are released. If it is not possible to disable Auto-Quarantine or to test the new Agent, alert your Dell Data Protection Administrators. They can Safelist misclassified items to unblock users.

Manual Updates with Auto-Quarantine

If you manually update Agents, Auto-Update is not a concern. It is recommended that you follow these steps before updating your Agents.

  1. Test the new Agent (with the new model) on a representative set of systems. Ideally, these test machines should be placed in an Auto-Quarantine policy. If a Safe application is being blocked, add the file to your Safelist.
  2. Once testing is complete, roll-out the new Agent to all of your systems.

For support, US-based customers may contact Dell Data Security ProSupport at 877.459.7304, Option 1, Ext. 4310039, or via the Chat Portal. To contact support outside the US, reference ProSupport’s International Contact Numbers. For additional insights and resources, visit the Dell Security Community Forum.


Article ID: SLN303737

Last modified: 06/27/2018 12:00 PM

