Why is an incident still active if I remediated? How do I verify the footholds have been removed?

After an incident has been remediated, Huntress may still show the incident as "active."

It may take the Huntress Dashboard up to 15 minutes to refresh its data and clear the incident. If the incident is still active after 15 minutes, follow the troubleshooting steps below.

An incident will occasionally remain "active" after you believe it has been remediated. This almost always involves one of two groups of persistence mechanisms: user registry values, and services/scheduled tasks.

User Registry Values

User registry values are the most common type of foothold found in this "active" state after remediation. The reason is how we handle roaming user profiles. In the past we have seen a foothold remediated, only for a roaming profile to re-add it at the next login. As such, we do not update user-specific data until we can verify the user's profile is active (i.e., loaded because the user is currently logged in). Once Huntress verifies that the user's profile is loaded and the foothold is gone, the change is reflected in the console. This is why the remediation instructions for user-specific registry values include a note about having the user logged in.
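To see why a user-level foothold can linger, check whether the user's hive is actually loaded and whether the reported value is still there. The script below is an added example, not Huntress code: it assumes an elevated PowerShell session, and the Run key and value name it checks are hypothetical placeholders for whatever the report lists.

```powershell
# Added example, not Huntress code. Reports whether a user's registry hive is
# loaded under HKEY_USERS (the profile is active) and whether a user-level
# value the report named is still present. Run from an elevated PowerShell.
#Requires -RunAsAdministrator

function Get-UserFootholdState {
    param(
        [Parameter(Mandatory)][string]$UserSid,      # e.g. S-1-5-21-...-1001 (hypothetical)
        [string]$SubKey = 'Software\Microsoft\Windows\CurrentVersion\Run',
        [Parameter(Mandatory)][string]$ValueName     # hypothetical value name from the report
    )
    # HKU: is not a default drive; map it so we can Test-Path the hive.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $hive    = "HKU:\$UserSid"
    $loaded  = Test-Path $hive          # only true while the user is logged in
    $present = $false
    $data    = $null
    if ($loaded) {
        $key = "$hive\$SubKey"
        if (Test-Path $key) {
            $item = Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue
            if ($null -ne $item) { $present = $true; $data = $item.$ValueName }
        }
    }
    [pscustomobject]@{
        Sid           = $UserSid
        ProfileLoaded = $loaded
        ValuePresent  = $present
        Data          = $data
    }
}

# Map SIDs to profile folders so you know which user needs to log in.
function Get-ProfileSids {
    Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-*' |
        Select-Object @{ n = 'Sid'; e = { $_.PSChildName } }, ProfileImagePath
}

# Usage with hypothetical names:
# Get-ProfileSids
# Get-UserFootholdState -UserSid 'S-1-5-21-1111-2222-3333-1001' -ValueName 'Updater'
```

If ProfileLoaded comes back false, the hive is not mounted and nothing on the host can confirm the removal; that matches the article's point that the console will not change until that user logs in and the agent sees the loaded profile without the value.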

Services/Scheduled Tasks

Remediated services and scheduled tasks appearing as "active" is much less common, but it does happen. In some cases Windows marks a task or service for deletion and removes it from the GUI (Task Scheduler or the Services console). From the user's perspective the task or service is gone, but it is technically still present and will only be removed when the system reboots. If you believe a service or scheduled task has been remediated, reboot the host if you can; the item should clear from Huntress the next time the host checks in.

Manually Removing Services from the Registry

The Huntress Agent enumerates the registry, not the Services console, to identify the services on a host. If a service is no longer visible in the Services console (services.msc) but still appears in Huntress, you can remove it by deleting its service key from the registry:

HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName>

Manually Removing Scheduled Tasks

The Huntress Agent enumerates the scheduled tasks directory to identify tasks. If a task is no longer visible in Task Scheduler but still appears in Huntress, you can remove it by deleting the backing task file. Note that some tasks live in a sub-folder, so check both locations:

%windir%\system32\tasks\<TaskName>

%windir%\system32\tasks\<TaskDir>\<TaskName>
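The following script is an added example, not Huntress code, covering both of the manual removal procedures above. It inspects the same registry key and task file the agent enumerates, distinguishes a service that Windows has already marked for deletion (the `DeleteFlag` value, cleared by a reboot) from an orphaned key that needs manual removal, and shows what command a leftover task file would run. It assumes an elevated PowerShell session; the service and task names in the usage lines are hypothetical placeholders.

```powershell
# Added example, not Huntress code. Inspects the registry key / task file that
# the Huntress Agent enumerates, so you can tell a "marked for deletion, needs a
# reboot" leftover from one that needs manual removal. Run from an elevated
# PowerShell; service and task names are hypothetical placeholders.
#Requires -RunAsAdministrator

function Get-ServiceResidue {
    param([Parameter(Mandatory)][string]$ServiceName)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $result = [ordered]@{
        Name              = $ServiceName
        KeyPresent        = (Test-Path $key)
        VisibleInScm      = [bool](Get-Service -Name $ServiceName -ErrorAction SilentlyContinue)
        MarkedForDeletion = $false
        ImagePath         = $null
    }
    if ($result.KeyPresent) {
        $props = Get-ItemProperty -Path $key
        # Windows writes DeleteFlag=1 when a service is marked for deletion; the
        # key (and the agent's finding) survives until the next reboot.
        $result.MarkedForDeletion = ($props.DeleteFlag -eq 1)
        $result.ImagePath         = $props.ImagePath
    }
    [pscustomobject]$result
}

function Remove-ServiceResidue {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$ServiceName)
    $state = Get-ServiceResidue -ServiceName $ServiceName
    if ($state.VisibleInScm) {
        # Still known to the Service Control Manager: delete it the supported way.
        if ($PSCmdlet.ShouldProcess($ServiceName, 'sc.exe delete')) {
            Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
            sc.exe delete $ServiceName | Out-Null
        }
    } elseif ($state.KeyPresent) {
        # Orphaned key only: the manual registry removal described in the article.
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
        if ($PSCmdlet.ShouldProcess($key, 'Remove-Item -Recurse')) {
            Remove-Item -Path $key -Recurse -Force
        }
    }
}

function Get-TaskResidue {
    # $TaskPath is relative to %windir%\System32\Tasks, e.g. 'Evil' or 'Vendor\Evil'
    param([Parameter(Mandatory)][string]$TaskPath)
    $file      = Join-Path "$env:windir\System32\Tasks" $TaskPath
    $parent    = Split-Path $TaskPath -Parent
    $schedPath = if ($parent) { "\$parent\" } else { '\' }   # Task Scheduler folder form
    $taskName  = Split-Path $TaskPath -Leaf
    $command   = $null
    if (Test-Path -LiteralPath $file) {
        # Task files are XML; pull out what the task actually runs.
        $xml     = [xml](Get-Content -LiteralPath $file -Raw)
        $command = ($xml.Task.Actions.Exec.Command, $xml.Task.Actions.Exec.Arguments) -join ' '
    }
    [pscustomobject]@{
        TaskPath       = $TaskPath
        TaskName       = $taskName
        SchedulerPath  = $schedPath
        FilePresent    = Test-Path -LiteralPath $file
        VisibleInGui   = [bool](Get-ScheduledTask -TaskName $taskName -TaskPath $schedPath -ErrorAction SilentlyContinue)
        # Task Scheduler also indexes tasks here; a stale entry is worth noting.
        TreeKeyPresent = Test-Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\$TaskPath"
        Command        = $command
    }
}

function Remove-TaskResidue {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$TaskPath)
    $state = Get-TaskResidue -TaskPath $TaskPath
    $file  = Join-Path "$env:windir\System32\Tasks" $TaskPath
    if ($state.VisibleInGui) {
        # Still registered: remove it through Task Scheduler.
        if ($PSCmdlet.ShouldProcess($TaskPath, 'Unregister-ScheduledTask')) {
            Unregister-ScheduledTask -TaskName $state.TaskName -TaskPath $state.SchedulerPath -Confirm:$false
        }
    } elseif ($state.FilePresent) {
        # Orphaned task file only: the manual file deletion described in the article.
        if ($PSCmdlet.ShouldProcess($file, 'Remove-Item')) {
            Remove-Item -LiteralPath $file -Force
        }
    }
}

# Usage with hypothetical names; add -WhatIf to preview before removing.
# Get-ServiceResidue -ServiceName 'UpdaterSvc'
# Remove-ServiceResidue -ServiceName 'UpdaterSvc' -WhatIf
# Get-TaskResidue -TaskPath 'Vendor\Updater'
# Remove-TaskResidue -TaskPath 'Vendor\Updater' -WhatIf
```

Read the inspection output before removing anything: MarkedForDeletion set to true means a reboot is all that is needed, and the Command field on a task tells you what the leftover would have launched, which is useful when deciding whether the host should be wiped rather than cleaned.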


Verifying that the Reported Footholds are No Longer Present

If you remediated a host and want to verify the reported footholds are no longer present,** click the report's subject line in the list:

On the report page, click the Remaining Footholds tab to view the footholds that were present at the time of the last survey:

Note: Because the agent scans at regular intervals and sends the data to the cloud for analysis, it may take a few minutes for the console to reflect that the footholds have been removed.

You can also view when the host last checked in (LAST SEEN) and last surveyed (LAST SURVEY) by clicking the Host to go to the agent view:

** Remember that Huntress specifically looks for malware that auto-starts at boot/user login. Depending on the malware, there may be other files that do not auto-start and would therefore not be seen by Huntress. That is why we typically recommend wiping the host and restoring from backup when malware is found.

Further questions/issues?

If you still need help, please use the "Contact Us" button below, or send an email to our help desk at support@huntress.io.
