Why is an incident still active if I remediated?

On occasion you may notice an incident is in the "active" state when you thought it had been remediated. These usually occur with two groups of persistence mechanisms: User Registry Values and Services/Scheduled Tasks.

User Registry Values

User registry values are the most common to be found in this "active" state after remediation. The reason for this is how we handle user roaming profiles. We have had issues in the past with footholds being remediated and then a roaming profile would re-add the foothold. As such, we don’t update the user specific data until we can verify the user’s profile is active (i.e., loaded because the user is currently logged in). Once Huntress verifies the user's profile is loaded and the foothold has been removed, it will be reflected in Huntress. This is why we add a note about having the user logged in when removing user specific registry values.

Services/Scheduled Tasks

Remediated services and scheduled tasks appearing as "active" are much less common, but do occur occasionally. There are instances where Windows will mark some a task or service for deletion and remove the task /service from the GUI. From the user's perspective it looks like the task/service has been removed, however, it is technically still present. These tasks/services marked for deletion will be removed when the system reboots. If you believe a service or scheduled task has been remediated, reboot the system if you can and it should be removed from Huntress the next time the host checks-in.

Still need help? Contact Us Contact Us