Recent Searches

    Popular Articles

      Articles
      View all
        Topics
        View all
          Tickets
          View all
            no results

            Sorry! nothing found for

            Remote Actions

            Modified on Wed, 03 Jan 2024 at 08:09 PM

            1 - Overview


                Remote actions can be carried out directly from the console, using on-board tools to isolate an endpoint, shut down an endpoint or kill a malicious process, for example....


            2 - Performing Nucleon remote actions


                

             In the Endpoint configuration window, the following information is displayed for each Endpoint

            • General information about the Endpoint,
            • History of actions carried out on the Endpoint,
            • Latest events linked to the triggering of Zero Trust rules on the Endpoint in question,
            • Metrics (CPU, RAM, etc.) relating to the Endpoint,

            It is also possible to perform remote operations as shown below:



               

                When a "Remote action" is requested, it will be executed the next time the agent is in contact with the server, the action then switches to "processing" mode and then to "done" mode once the action has been completed. 


            Note that the following events occur:

            • An "endpoint" notification email is sent at each stage of each action,
            • Remote actions are automatically deleted after thirty days.


            3- Available remote actions


            The Nucleon platform provides access to a range of remote actions:

            • Download file: download a file on the remote machine, the path must be specified,
            • Delete file: deletes a file on the remote machine, the path must be specified,
            • Dump process memory: retrieves the memory of a process, the process name must be specified (wildcard "*" can be used) or a PID. The request is executed on each process corresponding to the requested filter,
            • Kill process: terminates a process, the process name must be specified (wildcard "*" usable) or a PID. The request is executed on each process corresponding to the requested filter,
            • Isolate host: Enables or disables network access. The "network monitoring" option must be active on the policy. This option prevents lateral movement if an attack occurs,
            • Shutdown host: Turns the machine off or back on,
            • Export registry key: creates a registry export from the specified key, all underlying keys are exported,
            • System information file: creates a system information report based on "msinfo32",
            • Export event viewer: exports all event viewer evtx files,
            • List scheduled tasks: creates a CSV file of scheduled tasks present on the machine,
            • Download Nucleon logs: downloads agent logs,
            • Restart Nucleon agent: restarts the Nucleon agent,
            • Reset cache: resets the agent cache, to be used when requested by support.


             

             

            4- Example of remote isolation of an endpoint 


                                                   


            You can add several actions in succession by clicking on the plus:

             


             


            Was this article helpful?

            That’s Great!

            Thank you for your feedback

            Sorry! We couldn't be helpful

            Thank you for your feedback

            Let us know how can we improve this article!

            Select atleast one of the reasons

            Feedback sent

            We appreciate your effort and will try to fix the article

            Preview
            0 of 0