How To Manage Dell Threat Defense

The Dell Threat Defense console provides an in-depth evaluation on "unsafe" or "abnormal" files to help administrators properly mitigate threats in their environment.

To evaluate a file:

1. In the console, click the Protection tab.

2. Under Protection, click a threat to obtain more information.

Cylance Score: A score of 1 (limited) -100 (high) is assigned by Cylance based on threat attributes.

Quarantined by users in [Tenant]: What actions on file have been taken by users within the environment (Tenant).

Quarantined by all Cylance users: What actions on the file have been taken by users within all Cylance environments.

Classification: General identification of file/threat.

First Found: When the file was first found in the environment

Last Found: When the file was last found in the environment

Global Quarantine: Adds a file to the global quarantine list for the environment. Any time the file appears on a device it will automatically be quarantined in the \q folder.

Safe: Adds a file to the safe list for an environment. If a file is currently quarantined, it will automatically place it back in its original location.

SHA256: The 256 cryptographic hash used to identify the file/threat. An administrator can click the hash to perform a Google search of known occurrences.

MD5: The 128 cryptographic hash used to identify the file/threat. An administrator can click the hash to perform a Google search of known occurrences.

Download File: Allows an administrator to download the file for further evaluation and testing.

Cylance Score: A score of 1 (limited) -100 (high) is assigned by Cylance based on threat attributes.

AV Industry: Determines if third-party anti-virus engines identify the file as a threat by checking the virustotal.com index.

Search Google: Searches Google for the hashes and filename for more information about the file/threat.

There may be files that are incorrectly identified as threats within an environment. Administrators can add them to the global safe list to prevent them from being quarantined. Any file that is quarantined before being safe-listed returns to its original location.

To safe list a file:

1. In the console, click the Protection tab.

2. Under Protection, check the threat to be safe-listed and then click Safe.

3. From the Action Confirmation pop-up, select a file Category from the drop-down menu. This helps with file/threat classification.

4. Populate a Reason for the safe-listing. This provides visibility across the environment.
5. Click Yes to confirm safe-listing.

An administrator may proactively quarantine a file from targeting their devices by adding it to the global quarantine list.

To globally quarantine a file:

1. In the console, click the Protection tab.

2. Under Protection, check the threat to be safe-listed and then click Global Quarantine.

3. In the Action Confirmation pop-up, populate the Reason for the quarantine. This helps provide visibility to other administrators and zone managers.
4. Click Yes to confirm Global Quarantine.

The Dell Threat Defense installer is available directly within the tenant. For steps on how to download Dell Threat Defense, reference How to Download Dell Threat Defense.

In order to install Dell Threat Defense on a device, a valid installation token must be obtained from tenant. For steps on how to obtain an installation token, reference How to Obtain an Installation Token for Dell Threat Defense.

By default, devices contain limited logging for Dell Threat Defense. It is highly recommended to enable verbose logging on a device before troubleshooting or contacting Dell Data Security ProSupport. For more information, reference Dell Data Security International Support Phone Numbers. For more information about how to enable verbose logging, reference How to Enable Verbose Logging in Dell Threat Defense.

Devices are not automatically removed from the Dell Threat Defense console during uninstall. An administrator must manually remove the device from the tenant console. For more information, reference How to Remove a Device from the Dell Threat Defense Administration Console.

Provides an executive summary of an organization’s Dell Threat Defense usage, from the number of zones and devices, to the percentage of devices covered by Auto-Quarantine, Threat Events, Agent versions, and Offline Days for devices.

Zones: Displays the number of zones in the organization.

Devices: Displays the number of devices in the organization. A device is an endpoint with a registered Threat Defense Agent.

Policies: Displays the number of policies that are created in the organization.

Files Analyzed: Displays the number of files analyzed in the organization (across all devices in the organization).

Threat Events: Displays a bar chart with Unsafe, Abnormal, and Quarantined threat events, grouped by day, for the last 30 days. Hovering over a bar in the chart displays the total number of threat events that are reported on that day.

Threats are grouped by the Reported On date, which is when the Console received information from the device about a threat. The Reported On date may differ from the actual event date if the device was not online at the time of the event.

Devices - Dell Threat Defense Agent Versions: Displays a bar chart representing the number of devices running a Threat Defense Agent version. Hovering over a bar in the chart displays the number of devices running that specific Threat Defense Agent version.

Offline Days: Displays the number of devices that have been Offline for a range of days (from 0-15 days, up to 61+ days). Also displays a bar chart color-coded with each range of days.

Devices - Dell Threat Defense Agent Versions: Displays a bar chart representing the number of devices running a Threat Defense Agent version. Hovering over a bar in the chart displays the number of devices running that specific Threat Defense Agent version.

The Threat Event Summary Report shows the quantity of files that are identified in two of Cylance’s threat classifications: malware and PUPs (potentially unwanted programs) and includes a breakdown to specific subcategory classifications for each family. In addition, the Top 10 lists File Owners and Devices with Threats display threat event counts for the Malware, PUPs, and Dual Use threat-families.

Total Malware Events: Displays the total number of malware events that are identified in the organization.

Total PUPs Events: Displays the total number of PUP events that are identified in the organization.

Unsafe/Abnormal Malware Events: Displays the total number of Unsafe and Abnormal malware events that are found in the organization.

Unsafe/Abnormal PUP Events: Displays the total number of Unsafe and Abnormal PUP events that are found in the organization.

Malware Event Classifications: Displays a bar chart with each type of malware classification for threat events that are found on devices in the organization. Hovering over a bar in the chart displays the total number of malware events that are found for that classification.

PUP Event Classifications: Displays a bar chart with each type of Potentially Unwanted Program (PUP) classification for threat events that are found on devices in the organization. Hovering over a bar in the chart displays the total number of PUP events that are found for that classification.

Top 10 File Owners with the Most Threat Events: Displays a list of the top 10 file owners who have the most threat events. This widget displays events from all Cylance file-based threat families, not just Malware or PUP events.

Top 10 Devices with the Most Threat Events: Displays a list of the top 10 devices that have the most threat events. This widget displays events from all Cylance file-based threat families, not just Malware or PUP events.

The Device Summary Report shows multiple device-centric measures of importance. Auto-Quarantine Coverage reveals threat prevention coverage and can be used to show progress. Devices - Threat Defense Version Stats can identify older Threat Defense Agents. Offline Days may indicate devices that are no longer checking in to the Threat Defense Console and are candidates for removal.

Total Devices: Displays the total number of devices in the organization. A device is an endpoint with a registered Threat Defense Agent.

Auto-Quarantine Coverage: Displays the number of devices with a policy that has both Unsafe and Abnormal selected for Auto-Quarantine; these devices are considered Enabled. Disabled devices are assigned to a policy that has one or both of these options disabled. The pie chart displays the percentage of devices that are assigned to a policy with Auto-Quarantine disabled for Unsafe, Abnormal, or both.

Devices - Dell Threat Defense Agent Versions: Displays a bar chart representing the number of devices running a Threat Defense Agent version. Hovering over a bar in the chart displays the number of devices running that specific Threat Defense Agent version.

Offline Days: Displays the number of devices that have been Offline for a range of days (from 0-15 days, up to 61+ days). Also displays a bar chart color-coded with each range of days.

The Threat Events Report provides data for threat events that are found in the organization. Threats are grouped by the Reported On date, which is when the Console received information from the device about a threat. The Reported On date may differ from the actual event date if the device was not online at the time of the event.

# of Threat Events: Displays a bar chart displaying threat events reported in the organization. Hovering over a bar in the chart displays the total number of threat events that are reported on that day. The bar chart displays the last 30 days.

Threat Events Table: Displays threat event information.

The Device Report shows you how many devices you have for an operating system family (Windows, and macOS).

# of Devices by OS: Displays a bar chart with devices that are organized by major operating system groups (Windows and macOS). Hovering over a bar in the chart displays the total number of devices in that operating system group.

Devices Table: Displays a list of device names, and device information, for devices in the organization.

As an added layer of security, a Dell Threat Defense administrator can force Threat Defense device’s to require a password to uninstall the application. For more information, reference How to Add or Remove an Uninstall Password in Dell Threat Defense.

The base configuration only has the initial purchaser listed as an administrator to the Dell Threat Defense console. For more information, reference How to Add Users to the Dell Threat Defense Administration Console.

Device policies are essential in the functionality of Dell Threat Defense. The base configuration has advanced threat prevention features turned off in the "default" policy. It is important to modify the "default" policy or create a new policy before deploying Threat Defense. For more information, reference How to Modify Policies in Dell Threat Defense.

The Dell Threat Defense console offers an easy way to generate a report on the status of threats in an environment. For more information, reference How to Generate Reports in Dell Threat Defense.

The base configuration for the Dell Threat Defense console automatically updates devices to the latest build. A Threat Defense Administrator can optionally deploy builds to test and pilot zones before production. For more information, reference How to Configure Updates in Dell Threat Defense.