How to view files that were sand-boxed or blocked by Defense+ after the requests have expired
June 09 2011 13:01
By default, 'Sandbox' requests expire after 20 seconds. The 'Defense+' settings expire by default after 120 seconds. If you need to check which files have been blocked or sand-boxed after this time, you have two options at your disposal:

1) Review the 'History' logs by selecting 'History\Request history' from the CESM menu. That menu option opens the 'Request history' tab, where you can review all the past actions, notifications and requests made by the endpoints to the CESM Server. [fig. 1]



2) The second way to review sand-boxed and blocked applications is to create a 'Discovery Data' log for 'Defense+'. To do this, follow these steps:

a) Create a new sequence by opening the 'Sequence Manager' tab and selecting the 'Add...' button. Add the 'Discovery Data' action with 'CIS – Defense+ Log' as the profile. You have the option to restrict the log to a time interval by selecting the appropriate options under 'Input parameters' [fig. 2]. Select 'Save, Create task, Close' to create a new task, then send the task to the endpoint by selecting 'Save, Execute, Close'.



b) Open the 'Discovery Profiles' tab and select the 'CIS – Defense+ Log' profile from the list of profiles. Then select the most recent log for the PC in question and click the '…' button in the 'Result' window to open the 'Defense+ Log' window [fig. 3].



Once you have identified the applications, you can either continue blocking/sand-boxing them or add them as 'Trusted Applications'.
