How to Analyze Dell Endpoint Security Suite Enterprise and Threat Defense Endpoint Status

Summary: Learn about how to analyze endpoint statuses in Dell Endpoint Security Suite Enterprise and Dell Threat Defense using these instructions.


Instructions

Note: Dell Endpoint Security Suite Enterprise and Dell Threat Defense endpoint statuses can be pulled from a specific endpoint for in-depth review of threats, exploits, and scripts.


Affected Products:

  • Dell Endpoint Security Suite Enterprise
  • Dell Threat Defense

Affected Platforms:

  • Windows
  • Mac
  • Linux

Dell Endpoint Security Suite Enterprise or Dell Threat Defense administrators may access an individual endpoint to review:

  • Malware Contents
  • Malware State
  • Malware Type

An administrator should only perform these steps when troubleshooting why the advanced threat prevention (ATP) engine misclassified a file. Click Access or Review for more information.

Access

Access to malware information varies between Windows, macOS, and Linux. For more information, click the appropriate operating system.

Windows

By default, Windows does not record in-depth malware information.

  1. Right-click the Windows start menu and then click Run.
  2. In the Run UI, type regedit and then press CTRL+SHIFT+ENTER. This runs the Registry Editor as admin.
  3. In the Registry Editor, go to HKEY_LOCAL_MACHINE\Software\Cylance\Desktop.
  4. In the left pane, right-click Desktop and then select Permissions.
  5. Click Advanced.
  6. Click Owner.
  7. Click Other users or groups.
  8. Search for your account in the group and then click OK.
  9. Click OK.
  10. Ensure that your group or username has Full Control checked and then click OK.
    Note: In the example, DDP_Admin (step 8) is a member of the Users group.
  11. At HKEY_LOCAL_MACHINE\Software\Cylance\Desktop, right-click the Desktop folder, select New, and then click DWORD (32-bit) Value.
  12. Name the DWORD StatusFileEnabled.
  13. Double-click StatusFileEnabled.
  14. Populate Value data with 1 and then press OK.
  15. At HKEY_LOCAL_MACHINE\Software\Cylance\Desktop, right-click the Desktop folder, select New, and then click DWORD (32-bit) Value.
  16. Name the DWORD StatusFileType.
  17. Double-click StatusFileType.
  18. Populate Value data with either 0 or 1. Once Value data has been populated, press OK.
    Note: Value data choices:
    • 0 = JSON file format
    • 1 = XML format
  19. At HKEY_LOCAL_MACHINE\Software\Cylance\Desktop, right-click the Desktop folder, select New, and then click DWORD (32-bit) Value.
  20. Name the DWORD StatusPeriod.
  21. Double-click StatusPeriod.
  22. Populate Value data with a number ranging from 15 to 60 and then click OK.
    Note: StatusPeriod is how often the status file is written, in seconds:
    • 15 = 15 second interval
    • 60 = 60 second interval
  23. At HKEY_LOCAL_MACHINE\Software\Cylance\Desktop, right-click the Desktop folder, select New, and then click String Value.
  24. Name the String StatusFilePath.
  25. Double-click StatusFilePath.
  26. Populate Value data with the location to write the status file to and then click OK.
    Note:
    • Default path: <CommonAppData>\Cylance\Status\Status.json
    • Example path: C:\ProgramData\Cylance
    • A .json (JavaScript Object Notation) file can be opened in an ASCII text document editor.

macOS

In-depth malware information is in the Status.json file at:

/Library/Application Support/Cylance/Desktop/Status.json

Note: A .json (JavaScript Object Notation) file can be opened in an ASCII text document editor.

Linux

In-depth malware information is in the Status.json file at:

/opt/cylance/desktop/Status.json

Note: A .json (JavaScript Object Notation) file can be opened in an ASCII text document editor.

Review

The status file’s Contents include detailed information about multiple categories including Threats, Exploits, and Scripts. Click the appropriate information to learn more about it.

Contents

Status file contents:

snapshot_time: The date and time the Status information was collected. The date and time are local to the device.
ProductInfo
  • version: Advanced Threat Prevention Agent version on the device
  • last_communicated_timestamp: Date & time of the last check for an Agent Update
  • serial_number: Installation Token used to register the Agent
  • device_name: Name of the device the Agent is installed on
Policy
  • type: Status of whether the Agent is Online or Offline
  • id: Unique identifier for the policy
  • name: Policy Name
ScanState
  • last_background_scan_timestamp: Date & time of the last Background Threat Detection scan
  • drives_scanned: List of drive letters scanned
Threats
  • count: The number of threats found
  • max: The maximum number of threats in the Status file
  • Threat
    • file_hash_id: Displays the SHA256 hash information for the threat
    • file_md5: The MD5 hash
    • file_path: The path where the threat was found. Includes the file name
    • is_running: Is the threat currently running on the device? True or false
    • auto_run: Is the threat file set to run automatically? True or false
    • file_status: Displays the current state of the threat, like Allowed, Running, or Quarantined. See the Threats: FileState table
    • file_type: Displays the type of file, like Portable Executable (PE), Archive, or PDF. See the Threats: FileType table
    • score: Displays the Cylance Score. The score that is displayed in the Status file ranges from 1000 to -1000. In the Console, the range is 100 to -100
    • file_size: Displays the file size, in bytes
Exploits
  • count: The number of exploits found
  • max: The maximum number of exploits in the Status file
  • Exploit
    • ProcessId: Displays the process ID of the application that is identified by Memory Protection
    • ImagePath: The path where the exploit originates from. Includes the file name
    • ImageHash: Displays the SHA256 hash information for the exploit
    • FileVersion: Displays the version number of the exploit file
    • Username: Displays the name of the user who was logged in to the device when the exploit occurred
    • Groups: Displays the group the logged in user is associated with
    • Sid: The Security Identifier (SID) for the logged in user
    • ItemType: Displays the exploit type, which relates to the Violation Types. See the Exploits: ItemType table
    • State: Displays the current state of the exploit, like Allowed, Blocked, or Terminated. See the Exploits: State table
    • MemDefVersion: The version of Memory Protection used to identify the exploit, typically the Agent version number
    • Count: The number of times the exploit attempted to run
Scripts
  • count: The number of scripts run on the device
  • max: The maximum number of scripts in the Status file
  • Script
    • script_path: The path where the script originates from. Includes the file name
    • file_hash_id: Displays the SHA256 hash information for the script
    • file_md5: Displays the MD5 hash information for the script, if available
    • file_sha1: Displays the SHA1 hash information for the script, if available
    • drive_type: Identifies the type of drive that the script originated from, like Fixed
    • last_modified: The date and time the script was last modified
    • interpreter:
      • name: The name of the script control feature that identified the malicious script
      • version: The version number of the script control feature
    • username: Displays the name of the user who was logged in to the device when the script was launched
    • groups: Displays the group the logged in user is associated with
    • sid: The Security Identifier (SID) for the logged in user
    • action: Displays the action that is taken on the script, like Allowed, Blocked, or Terminated. See the Scripts: Action table

Threats

Threats have multiple numerical-based categories to be deciphered in File_Status, FileState, and FileType. Reference the appropriate category for the values to be assigned.

File_Status

The file_status field is a decimal value calculated by adding together the FileState flags that are set (see the table in the FileState section). For example, a file_status of 9 means the file was identified as a threat (0x01) and has been quarantined (0x08): 0x01 + 0x08 = 9.


FileState

Threats: FileState

Name         Value
None         0x00
Threat       0x01
Suspicious   0x02
Allowed      0x04
Quarantined  0x08
Running      0x10
Corrupt      0x20

FileType

Threats: FileType

Name         Value
Unsupported  0
PE           1
Archive      2
PDF          3
OLE          4

Exploits

Exploits have two numerical-based categories to be deciphered in both ItemType and State.

ItemType and State

Reference the appropriate category for the values to be assigned.

ItemType

Exploits: ItemType

Name              Value  Description
StackPivot        1      Stack Pivot
StackProtect      2      Stack Protect
OverwriteCode     3      Overwrite Code
OopAllocate       4      Remote Allocation of Memory
OopMap            5      Remote Mapping of Memory
OopWrite          6      Remote Write to Memory
OopWritePe        7      Remote Write PE to Memory
OopOverwriteCode  8      Remote Overwrite Code
OopUnmap          9      Remote Unmap of Memory
OopThreadCreate   10     Remote Thread Creation
OopThreadApc      11     Remote APC Scheduled
LsassRead         12     LSASS Read
TrackDataRead     13     RAM Scraping
CpAllocate        14     Remote Allocation of Memory
CpMap             15     Remote Mapping of Memory
CpWrite           16     Remote Write to Memory
CpWritePe         17     Remote Write PE to Memory
CpOverwriteCode   18     Remote Overwrite Code
CpUnmap           19     Remote Unmap of Memory
CpThreadCreate    20     Remote Thread Creation
CpThreadApc       21     Remote APC Scheduled
ZeroAllocate      22     Zero Allocate
DyldInjection     23     DYLD Injection
MaliciousPayload  24     Malicious Payload

State

Exploits: State

Name        Value
None        0
Allowed     1
Blocked     2
Terminated  3

Scripts

Scripts have a single numerical-based category to be deciphered in Action.

Action

Scripts: Action

Name        Value
None        0
Allowed     1
Blocked     2
Terminated  3
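The decoding described in the File_Status, FileState and FileType sections above and in the Exploits (ItemType, State) and Scripts (Action) tables, as an added Python example that is not Dell's or Cylance's code. It transcribes the article's lookup tables, splits a decimal file_status back into the FileState flags it was built from (flagging any bit outside the documented table), converts the -1000..1000 Status file score to the -100..100 Console scale, and walks a JSON status file (StatusFileType 0). The nesting of the JSON document (a Threats, Exploits and Scripts object each holding count, max and a list named Threat, Exploit and Script) is an assumption based on the Contents outline; the embedded sample document is constructed, with placeholder hashes and paths.

```python
"""Decode entries from a Dell Endpoint Security Suite Enterprise / Threat Defense
Status.json (StatusFileType 0). Added example, not Dell's or Cylance's code.
Lookup tables are transcribed from the article; the nesting of the JSON document
is an assumption based on the Contents outline; SAMPLE_STATUS is constructed data.
"""
import json
import sys

# Threats: FileState bit flags; file_status is the OR (sum) of the set flags.
FILE_STATE = {0x01: "Threat", 0x02: "Suspicious", 0x04: "Allowed",
              0x08: "Quarantined", 0x10: "Running", 0x20: "Corrupt"}
# Threats: FileType
FILE_TYPE = {0: "Unsupported", 1: "PE", 2: "Archive", 3: "PDF", 4: "OLE"}
# Exploits: ItemType value -> (name, description)
ITEM_TYPE = {
    1: ("StackPivot", "Stack Pivot"), 2: ("StackProtect", "Stack Protect"),
    3: ("OverwriteCode", "Overwrite Code"),
    4: ("OopAllocate", "Remote Allocation of Memory"),
    5: ("OopMap", "Remote Mapping of Memory"),
    6: ("OopWrite", "Remote Write to Memory"),
    7: ("OopWritePe", "Remote Write PE to Memory"),
    8: ("OopOverwriteCode", "Remote Overwrite Code"),
    9: ("OopUnmap", "Remote Unmap of Memory"),
    10: ("OopThreadCreate", "Remote Thread Creation"),
    11: ("OopThreadApc", "Remote APC Scheduled"),
    12: ("LsassRead", "LSASS Read"), 13: ("TrackDataRead", "RAM Scraping"),
    14: ("CpAllocate", "Remote Allocation of Memory"),
    15: ("CpMap", "Remote Mapping of Memory"),
    16: ("CpWrite", "Remote Write to Memory"),
    17: ("CpWritePe", "Remote Write PE to Memory"),
    18: ("CpOverwriteCode", "Remote Overwrite Code"),
    19: ("CpUnmap", "Remote Unmap of Memory"),
    20: ("CpThreadCreate", "Remote Thread Creation"),
    21: ("CpThreadApc", "Remote APC Scheduled"),
    22: ("ZeroAllocate", "Zero Allocate"),
    23: ("DyldInjection", "DYLD Injection"),
    24: ("MaliciousPayload", "Malicious Payload"),
}
# Exploits: State and Scripts: Action use the same four values.
STATE = {0: "None", 1: "Allowed", 2: "Blocked", 3: "Terminated"}


def decode_file_status(value):
    """Split a decimal file_status into the FileState flag names it is built from."""
    value = int(value)
    if value == 0:
        return ["None"]
    names = [name for bit, name in FILE_STATE.items() if value & bit]
    unknown = value & ~sum(FILE_STATE)  # bits outside the documented table
    if unknown:
        names.append("Unknown(0x%02x)" % unknown)
    return names


def console_score(status_score):
    """Map the -1000..1000 Status file score onto the -100..100 Console scale."""
    return int(status_score) / 10


def summarize(status):
    """Flatten Threats, Exploits and Scripts into rows with the numeric codes decoded."""
    rows = []
    for t in status.get("Threats", {}).get("Threat", []):
        rows.append({"kind": "threat", "path": t["file_path"], "sha256": t["file_hash_id"],
                     "state": decode_file_status(t["file_status"]),
                     "type": FILE_TYPE.get(int(t["file_type"]), "Unknown"),
                     "console_score": console_score(t["score"])})
    for e in status.get("Exploits", {}).get("Exploit", []):
        name, desc = ITEM_TYPE.get(int(e["ItemType"]), ("Unknown", "Unknown"))
        rows.append({"kind": "exploit", "path": e["ImagePath"], "pid": e["ProcessId"],
                     "item_type": name, "description": desc, "count": e["Count"],
                     "state": STATE.get(int(e["State"]), "Unknown")})
    for s in status.get("Scripts", {}).get("Script", []):
        rows.append({"kind": "script", "path": s["script_path"],
                     "interpreter": s["interpreter"]["name"],
                     "action": STATE.get(int(s["action"]), "Unknown")})
    return rows


# Constructed sample document; hashes and paths are placeholders, not real indicators.
SAMPLE_STATUS = json.loads(r'''{
  "snapshot_time": "2025-05-30 10:15:00",
  "Threats": {"count": 1, "max": 100, "Threat": [{
    "file_hash_id": "<constructed-sha256>", "file_md5": "<constructed-md5>",
    "file_path": "C:\\Users\\example\\Downloads\\sample.exe", "is_running": false,
    "auto_run": false, "file_status": 9, "file_type": 1, "score": -870, "file_size": 4096}]},
  "Exploits": {"count": 1, "max": 100, "Exploit": [{
    "ProcessId": 4321, "ImagePath": "C:\\Windows\\Temp\\example.exe", "ImageHash": "<constructed-sha256>",
    "FileVersion": "1.0", "Username": "example", "Groups": "Users", "Sid": "S-1-5-21-0-0-0-1001",
    "ItemType": 12, "State": 2, "MemDefVersion": "0.0.0", "Count": 3}]},
  "Scripts": {"count": 1, "max": 100, "Script": [{
    "script_path": "C:\\Users\\example\\run.ps1", "file_hash_id": "<constructed-sha256>",
    "drive_type": "Fixed", "last_modified": "2025-05-30 09:00:00",
    "interpreter": {"name": "PowerShell", "version": "5.1"},
    "username": "example", "groups": "Users", "sid": "S-1-5-21-0-0-0-1001", "action": 1}]}
}''')

if __name__ == "__main__":
    # Pass the path of a real Status.json to decode it; otherwise the sample is used.
    status = json.load(open(sys.argv[1], encoding="utf-8")) if len(sys.argv) > 1 else SAMPLE_STATUS
    print("snapshot_time:", status.get("snapshot_time"))
    for row in summarize(status):
        print(row)
```

Run it with the path of a collected Status.json as the only argument; with no argument it decodes the constructed sample, where the threat entry's file_status of 9 resolves to Threat and Quarantined exactly as the File_Status section works through.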

To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.

Affected Products

Dell Threat Defense, Dell Endpoint Security Suite Enterprise
Article Properties
Article Number: 000124896
Article Type: How To
Last Modified: 30 May 2025
Version:  13