I followed the remediation steps. How do I verify the footholds have been removed?
If you remediated a host and want to verify that the reported footholds are no longer present,** use the host-specific link provided in the incident report to view the host in the Huntress console.
From the host dashboard, you can view when the host last checked in (LAST SEEN) and last surveyed (LAST SURVEY).
To view the footholds, click "Autoruns" on the left-hand side of the page, then select the "Malicious" tab. The items listed there are the footholds Huntress has flagged/reported as malicious that are still present on the host.
Note: Because the agent scans at regular intervals and sends the data to the cloud for analysis, it may take a few minutes for the console to reflect that the malicious items have been removed.
** Remember that Huntress specifically looks for malware that auto-starts at boot/user login. Depending on the malware, there may be other files that do not auto-start and would therefore not be seen by Huntress. That is why we typically recommend wiping the host and restoring from backup when malware is found.