How enhanced remediation protects systems

Enhanced remediation monitors the behavior of unknown processes and backs up changes that they make to the system. If a monitored process exhibits malicious behavior, enhanced remediation stops the process, its children, and ancestors, and rolls back the changes that it made, restoring the system as close as possible to its original state before the process ran.

With enhanced remediation, you can allow unknown processes to run in your environment, without being delayed or blocked, until the process shows malicious behavior. Allowing unknown processes to run in a controlled manner also enables the Real Protect machine-learning system to collect behavioral information for further malware analysis and reputation improvements.

For ATP to provide the backup and restore functionality, you must enable these two options in the Adaptive Threat Protection Options policy:

  • Clean when reputation threshold reaches
  • Enable enhanced remediation
Note: If enhanced remediation is not enabled, ATP stops convicted processes, descendants, and ancestors, deletes the main module of convicted processes, and removes references from the registry and from objects such as WMI, scheduled tasks, and shortcuts. It doesn't roll back changes that the process made.

What does enhanced remediation monitor?

Enhanced remediation monitors processes with a reputation of Unknown (50) or lower, unless excluded from ATP scanning.

If a process's reputation drops to 50 or lower while it is running, enhanced remediation starts monitoring the process. The reputation for a process can change when the ATP scanner detects that an unknown or malicious DLL was loaded into the process, or if the reputation at the TIE server changes to Unknown or Known Malicious. For example, if the scanner detects that a malicious DLL is loaded into a trusted process, and its reputation drops to 50 or lower, enhanced remediation deletes the DLL, rolling back the changes to the process.

Enhanced remediation doesn't monitor:

  • Processes with a reputation greater than 50
  • Process path or file name exclusions specified in the Threat Prevention On-Access Scan Standard exclusions settings
  • Trusted installers, if Scan trusted installers is disabled in the Threat Prevention On-Access Scan settings
  • Processes started from network locations
Note: If a monitored process starts a child process, enhanced remediation monitors that process even if its reputation is greater than 50 or it's excluded. The child process is not monitored if it's a trusted installer and Scan trusted installers is disabled.

How enhanced remediation works

If an unknown process is allowed to run based on other settings, enhanced remediation monitors the process and backs up changes that the process makes to the system, specifically:

  • All files that the process creates.
  • All files that the process changes or deletes (if the Monitor and remediate deleted and changed files option is enabled).
  • All changes that the process makes to non-file objects, such as registry items, Windows Task Scheduler, Windows Services, and WMI (Windows Management Instrumentation) triggers and filters.
Note: If Monitor and remediate deleted and changed files is disabled and the malicious process renames a file, ATP deletes the file during remediation. The reason is that a rename operation is actually a file-delete, which enhanced remediation doesn't monitor with this option disabled, followed by a file-create, which enhanced remediation does monitor.

As the process runs, the ATP scanner and Real Protect scanner inspect it. After a limited period, if the scanners don't detect malicious behavior, enhanced remediation stops monitoring the process.

If the scanners detect malicious behavior, enhanced remediation:

  • Stops the process and rolls back the changes made by the convicted process.
  • Rolls back tracked changes made by any descendants (such as the child or grandchild) that the convicted process started that meet the criteria for monitoring.
  • Stops processes and rolls back changes for any ancestor (such as the parent or grandparent) of the convicted process that has a reputation of 50 or lower, unless they are considered critical processes.

For the convicted process and its family, enhanced remediation:

  • Deletes all files created by the processes.
  • Rolls back file changes made by the processes, if Monitor and remediate deleted and changed files is enabled.
  • Restores files deleted by the processes, if Monitor and remediate deleted and changed files is enabled.
  • Rolls back all changes that the processes made to non-file objects, such as registry items and Windows services.
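The monitoring criteria and the rollback rules above, including the rename edge case, as an added model written for this page (not McAfee code): the 50 threshold and the option names come from the text, while the process and change records are constructed for illustration.

```python
# Added model of the enhanced remediation rules on this page (not McAfee code).
# The 50 threshold and the option names come from the page; the processes and
# change records used with it are constructed for illustration.
from dataclasses import dataclass

UNKNOWN = 50  # reputations at or below this are monitored


@dataclass
class Proc:
    name: str
    reputation: int
    excluded: bool = False            # On-Access Scan path/file exclusion
    trusted_installer: bool = False
    parent: "Proc | None" = None


def is_monitored(p: Proc, scan_trusted_installers: bool) -> bool:
    """Decide whether enhanced remediation tracks this process."""
    # Trusted installers are skipped whenever Scan trusted installers is off,
    # even when they are children of a monitored process.
    if p.trusted_installer and not scan_trusted_installers:
        return False
    # A child of a monitored process inherits monitoring regardless of its
    # own reputation or exclusions.
    if p.parent is not None and is_monitored(p.parent, scan_trusted_installers):
        return True
    return p.reputation <= UNKNOWN and not p.excluded


def rollback_plan(changes, monitor_deleted_changed: bool):
    """Turn a convicted process's tracked changes into remediation actions.
    changes: list of (op, target); op is create/modify/delete/rename/registry.
    Only creates are backed up unless Monitor and remediate deleted and changed
    files is on, so a rename (delete + create) degrades to deleting the new file.
    """
    actions = []
    for op, target in changes:
        if op == "create":
            actions.append(("delete", target))
        elif op in ("modify", "delete") and monitor_deleted_changed:
            actions.append(("restore", target))
        elif op == "rename":
            old, new = target
            if monitor_deleted_changed:
                actions.append(("restore", old))   # the delete half was tracked
            actions.append(("delete", new))        # the create half always is
        elif op == "registry":
            actions.append(("revert", target))     # non-file objects always tracked
    return actions
```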

ATP quarantines any files associated with the convicted process, so you can restore or clean them.

If Observe mode is enabled, ATP reports the convicted process and the objects that would have been rolled back.

If the system restarts, enhanced remediation resumes any interrupted monitoring, backup, or rollback.

Enhanced remediation workflow



Enhanced remediation example

A process with a reputation of Unknown starts running on the system. Enhanced remediation starts monitoring the process and logging the changes that the process makes to the system. The process spawns several child processes, then encrypts 100 files. Real Protect observes the malicious behavior and recalculates the reputation of the process. When the reputation reaches Known Malicious, enhanced remediation stops the process and its descendants and ancestors, and rolls back all changes made to the system, including restoring the encrypted files.

Quarantine

When ATP performs the Clean action and enhanced remediation rolls back changes made by the convicted process, ATP quarantines objects associated with the convicted process, its ancestors, and descendants, including:

  • The file associated with the convicted process itself
  • All objects that the processes created
  • All objects that the processes changed, if Monitor and remediate deleted and changed files is enabled
  • References to the process that ATP deleted from the registry

ATP doesn't quarantine objects that the convicted processes deleted. Instead, enhanced remediation restores them to their original locations on the system.

ATP places the objects in the Quarantine folder configured in the Threat Prevention Options settings.

Remediation backups and storage space considerations

Because backing up all file changes might consume significant disk space and negatively impact performance, by default, enhanced remediation backs up only files that the process creates. To also back up changed and deleted files, enable the Monitor and remediate deleted and changed files option. Enabling this option can increase the amount of disk space that monitoring consumes and negatively impact performance. With this option disabled, enhanced remediation can't roll back file changes and deletions. In addition, ATP deletes any files renamed by the malicious process.

Best practice: Disable Monitor and remediate deleted and changed files on server systems to reduce the disk space consumed by remediation backups.

ATP limits the amount of disk space that the remediation backups consume by purging the backups every 6 hours.

ATP provides remediation details in the Quarantine page of the Endpoint Security Client and in the activity log files on the client system (%ProgramData%\McAfee\Endpoint Security\Logs by default). ATP retains Story Graph details for up to 100 events for up to 90 days in the %ProgramData%\McAfee\Endpoint Security\ATP folder. See KB90859 for information on changing the event limit.

What happens when you disable enhanced remediation?

When you disable enhanced remediation:

  • All backed-up data and disk usage are deleted.
  • Because no backups are created, no rollback to previous states can happen.

Disabling Clean when reputation threshold reaches also disables enhanced remediation.

Even with enhanced remediation disabled, ATP stops the convicted process, its ancestors and descendants, and removes references to the convicted process from the registry and file objects, including registry keys, WMI, services, shortcuts, and scheduled tasks.