Skip to main content
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Enjoy members-only rewards and discounts
  • Create and access a list of your products

How to Analyze Dell Endpoint Security Suite Enterprise and Threat Defense Endpoint Status

Summary: Endpoint statuses may be analyzed in Dell Endpoint Security Suite Enterprise and Dell Threat Defense using these instructions.

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.

Symptoms

Note:

Dell Endpoint Security Suite Enterprise and Dell Threat Defense endpoint statuses can be pulled from a specific endpoint for in-depth review of threats, exploits, and scripts.


Affected Products:

  • Dell Endpoint Security Suite Enterprise
  • Dell Threat Defense

Affected Platforms:

  • Windows
  • Mac
  • Linux

Cause

Not applicable

Resolution

Dell Endpoint Security Suite Enterprise or Dell Threat Defense administrators may access an individual endpoint to review:

  • Malware Contents
  • Malware State
  • Malware Type

An administrator should only perform these steps when troubleshooting why the advanced threat prevention (ATP) engine misclassified a file. Click Access or Review for more information.

Access

Access to malware information varies between Windows, macOS, and Linux. For more information, click the appropriate operating system.

By default, Windows does not record in-depth malware information.

  1. Right-click the Windows start menu and then click Run.

Run

  1. In the Run UI, type regedit and then press CTRL+SHIFT+ENTER. This runs the Registry Editor as admin.

Run UI

  1. In the Registry Editor, go to HKEY_LOCAL_MACHINE\Software\Cylance\Desktop.
  2. In the left pane, right-click Desktop and then select Permissions.

Permissions

  1. Click Advanced.

Advanced

  1. Click Owner.

Owner tab

  1. Click Other users or groups.

Other users or groups

  1. Search for your account in the group and then click OK.

Account selected

  1. Click OK.

OK

  1. Ensure that your group or username has Full Control checked and then click OK.

SLN310044_en_US__9ddpkm1371i

Note: In the example, DDP_Admin (step 8) is a member of the Users group.
  1. At HKEY_LOCAL_MACHINE\Software\Cylance\Desktop, right-click the Desktop folder, select New, and then click DWORD (32-bit) Value.

New DWORD

  1. Name the DWORD StatusFileEnabled.

StatusFileEnabled

  1. Double-click StatusFileEnabled.

Edit DWORD

  1. Populate Value data with 1 and then press OK.

Updated DWORD

  1. At HKEY_LOCAL_MACHINE\Software\Cylance\Desktop, right-click the Desktop folder, select New, and then click DWORD (32-bit) Value.

New DWORD

  1. Name the DWORD StatusFileType.

StatusFileType

  1. Double-click StatusFileType.

Edit DWORD

  1. Populate Value data with either 0 or 1. Once Value data has been populated, press OK.

Updated DWORD

Note: Value data choices:
  • 0 = JSON file format
  • 1 = XML format
  1. At HKEY_LOCAL_MACHINE\Software\Cylance\Desktop, right-click the Desktop folder, select New, and then click DWORD (32-bit) Value.

New DWORD

  1. Name the DWORD StatusPeriod.

StatusPeriod

  1. Double-click StatusPeriod.

Edit DWORD

  1. Populate Value data with a number ranging from 15 to 60 and then click OK.

Updated DWORD

Note: The StatusPeriod is how often the file is written.
15 = 15 second interval
60 = 60 second interval
  1. At HKEY_LOCAL_MACHINE\Software\Cylance\Desktop, right-click the Desktop folder, select New, and then click String Value.

New String

  1. Name the String StatusFilePath.

StatusFilePath

  1. Double-click StatusFilePath.

Edit String

  1. Populate Value data with the location to write the status file to and then click OK.

Edited string

Note:
  • Default path: <CommonAppData>\Cylance\Status\Status.json
  • Example path: C:\ProgramData\Cylance
  • A .json (JavaScript Object Notation) file can be opened in an ASCII text document editor.

In-depth malware information is in the Status.json file at:

/Library/Application Support/Cylance/Desktop/Status.json
 
Note: A .json (JavaScript Object Notation) file can be opened in an ASCII text document editor.

In-depth malware information is in the Status.json file at:

/opt/cylance/desktop/Status.json
 
Note: A .json (JavaScript Object Notation) file can be opened in an ASCII text document editor.

Review

The status file’s Contents include detailed information about multiple categories including Threats, Exploits, and Scripts. Click on the appropriate information to learn more about it.

Status file contents:

snapshot_time The date and time the Status information was collected. The date and time are local to the device.
ProductInfo
  • version: Advanced Threat Prevention Agent version on the device
  • last_communicated_timestamp: Date & time of the last check for an Agent Update
  • serial_number: Installation Token used to register the Agent
  • device_name: Name of the device the Agent is installed on
Policy
  • type: Status of whether the Agent is Online or Offline
  • id: Unique identifier for the policy
  • name: Policy Name
ScanState
  • last_background_scan_timestamp: Date & time of the last Background Threat Detection scan
  • drives_scanned: List of drive letters scanned
Threats
  • count: The number of threats found
  • max: The maximum number of threats in the Status file
  • Threat
    • file_hash_id: Displays the SHA256 hash information for the threat
    • file_md5: The MD5 hash
    • file_path: The path where the threat was found. Includes the file name
    • is_running: Is the threat currently running on the device? True or false
    • auto_run: Is the threat file set to run automatically? True or false
    • file_status: Displays the current state of the threat, like Allowed, Running, or Quarantined. See the Threats: FileState table
    • file_type: Displays the type of file, like Portable Executable (PE), Archive, or PDF. See the Threats: FileType table
    • score: Displays the Cylance Score. The score that is displayed in the Status file ranges from 1000 to -1000. In the Console, the range is 100 to -100
    • file_size: Displays the file size, in bytes
Exploits
  • count: The number of exploits found
  • max: The maximum number of exploits in the Status file
  • Exploit
    • ProcessId: Displays the process ID of the application that is identified by Memory Protection
    • ImagePath: The path where the exploit originates from. Includes the file name
    • ImageHash: Displays the SHA256 hash information for the exploit
    • FileVersion: Displays the version number of the exploit file
    • Username: Displays the name of the user who was logged in to the device when the exploit occurred
    • Groups: Displays the group the logged in user is associated with
    • Sid: The Security Identifier (SID) for the logged in user
    • ItemType: Displays the exploit type, which relates to the Violation Types
    Note:
    • State: Displays the current state of the exploit, like Allowed, Blocked, or Terminated
    Note:
    • See the Exploits: State table
    • MemDefVersion: The version of Memory Protection used to identify the exploit, typically the Agent version number
    • Count: The number of times the exploit attempted to run
Scripts
  • count: The number of scripts run on the device
  • max: The maximum number of scripts in the Status file
  • Script
    • script_path: The path where the script originates from. Includes the file name
    • file_hash_id: Displays the SHA256 hash information for the script
    • file_md5: Displays the MD5 hash information for the script, if available
    • file_sha1: Displays the SHA1 hash information for the script, if available
    • drive_type: Identifies the type of drive that the script originated from, like Fixed
    • last_modified: The date and time the script was last modified
    • interpreter:
      • name: The name of the script control feature that identified the malicious script
      • version: The version number of the script control feature
    • username: Displays the name of the user who was logged in to the device when the script was launched
    • groups: Displays the group the logged in user is associated with
    • sid: The Security Identifier (SID) for the logged in user
    • action: Displays the action that is taken on the script, like Allowed, Blocked, or Terminated. See the Scripts: Action table

Threats have multiple numerical-based categories to be deciphered in File_Status, FileState, and FileType. Reference the appropriate category for the values to be assigned.

File_Status

The File_Status field is a decimal value calculated based on the values that are enabled by FileState (see the table in the FileState section). For example, a decimal value of 9 for file_status is calculated from the file being identified as a threat (0x01) and the file has been quarantined (0x08).

file_status and file_type

FileState

Threats: FileState

None 0x00
Threat 0x01
Suspicious 0x02
Allowed 0x04
Quarantined 0x08
Running 0x10
Corrupt 0x20

FileType

Threats: FileType

Unsupported 0
PE 1
Archive 2
PDF 3
OLE 4

Exploits have two numerical-based categories to be deciphered in both ItemType and State.

ItemType and State

Reference the appropriate category for the values to be assigned.

ItemType

Exploits: ItemType

StackPivot 1 Stack Pivot
StackProtect 2 Stack Protect
OverwriteCode 3 Overwrite Code
OopAllocate 4 Remote Allocation of Memory
OopMap 5 Remote Mapping of Memory
OopWrite 6 Remote Write to Memory
OopWritePe 7 Remote Write PE to Memory
OopOverwriteCode 8 Remote Overwrite Code
OopUnmap 9 Remote Unmap of Memory
OopThreadCreate 10 Remote Thread Creation
OopThreadApc 11 Remote APC Scheduled
LsassRead 12 LSASS Read
TrackDataRead 13 RAM Scraping
CpAllocate 14 Remote Allocation of Memory
CpMap 15 Remote Mapping of Memory
CpWrite 16 Remote Write to Memory
CpWritePe 17 Remote Write PE to Memory
CpOverwriteCode 18 Remote Overwrite Code
CpUnmap 19 Remote Unmap of Memory
CpThreadCreate 20 Remote Thread Creation
CpThreadApc 21 Remote APC Scheduled
ZeroAllocate 22 Zero Allocate
DyldInjection 23 DYLD Injection
MaliciousPayload 24 Malicious Payload
 
Note:

State

Exploits: State

None 0
Allowed 1
Blocked 2
Terminated 3

Exploits have a single numerical-based category to be deciphered in Action.

Action

Scripts: Action

None 0
Allowed 1
Blocked 2
Terminated 3

To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.

Affected Products

Dell Threat Defense, Dell Endpoint Security Suite Enterprise
Article Properties
Article Number: 000124896
Article Type: Solution
Last Modified: 20 nov 2023
Version:  12
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.