The rules that are set in the containment profile section identifies certain applications/files in the device.Such files will be listed under “Containment” menu in the Endpoint Manager. The containment provides a protected environment to run such unrecognized application.The advantage of running from the containment is, the application are not allowed to access the data on the remote machines.
1. Go to “Security Sub-Systems” > “Containment” menu. All the containment files will be listed here.
2. File details - The basic details of the file is available here.
a. File Info - The name, latest detected path, age, hash, version, and size of the files are displayed in 'file info'.
b. Device List - List of new activity generated during execution of the file is displayed in the device list.
3. Export - The details of the files are available in the tabular format in the .csv file.
It will download the .csv file of the particular file selected from the list.
4. Valkyrie Report - The complete behavior of the Unrecognised files will be analyzed in Valkyrie. Valkyrie tests unknown files with a range of static and dynamic behavioral checks to identify whether they are malicious or safe.
Download Valkyrie Report-The details of the file are downloaded as the report in the .pdf format
Check Valkyrie Report-The details of the file can be checked.
For example, for the unrecognized file 'emule.exe' the admin will check the Valkyrie report before rating it , to know the complete behavior of the unknown file.
Kill chain Report - If the Valkyrie report is not sufficient for the rating purpose the administrator can get the detailed information from the Kill chain report.
5. Change Rating
The 'Change Rating' button allows admin to manually set the file's rating as 'Trusted', 'Malicious' or 'Unrecognized'. The new rating will be sent to all endpoints.
For instance, If the 'Unrecognised' file locally generated good file then the admin might change the ratings of the file as 'Trusted '
6. Manage Record - The 'Record' button lets you hide, display or delete the file from the 'Containment' list
If the admin changed the ratings of the application as trusted then he can hide the file from the list or it can be deleted from the list if the file is no longer needed.