Why is an incident still active if I remediated?
On occasion you may notice an incident is still in the "active" state when you thought it had been remediated. These cases usually involve two groups of persistence mechanisms: User Registry Values and Services/Scheduled Tasks.
User Registry Values
User registry values are the items most commonly found in this "active" state after remediation. The reason is how we handle roaming user profiles. In the past we had issues with items being remediated and then re-added by a roaming profile. Because of this, we don't update user-specific data until we can verify the user's profile is active (i.e., loaded because the user is currently logged in). Once we can verify the profile is loaded and the item has been removed, the removal is reflected in Huntress. This is why we add a note about having the user logged in when removing user-specific registry values.
Services/Scheduled Tasks
Remediated services and scheduled tasks appearing as "active" are much less common, but do occur occasionally. Windows will mark some items for deletion and remove the item from the GUI. From the user's perspective it looks like the item has been removed; however, it is technically still present. These items marked for deletion will be removed when the system reboots. If you believe a service or scheduled task has been remediated, reboot the system if you can and it should be removed from Huntress the next time the host checks in.
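The two checks described above (is the user's hive actually loaded and the value gone, and is a service only marked for deletion pending a reboot) can be run locally before deciding whether an "active" incident is a real miss. The following is an added PowerShell example, not Huntress code; the SID, value name and service name are placeholders, and it assumes the value lived under the user's Run key.

```powershell
# Added example (not Huntress code). Checks why a remediated item may still show
# as "active": the user's hive is not loaded, or a service is pending deletion.
# $Sid, $ValueName and $ServiceName are placeholders; substitute your own.

function Test-UserRunValueRemoved {
    param(
        [Parameter(Mandatory)][string]$Sid,        # e.g. S-1-5-21-...-1001 (placeholder)
        [Parameter(Mandatory)][string]$ValueName   # value name under the user's Run key
    )
    $hive = "Registry::HKEY_USERS\$Sid"
    # HKEY_USERS only contains a user's hive while that profile is loaded
    # (i.e., the user is currently logged in), so the value cannot be verified otherwise.
    if (-not (Test-Path $hive)) {
        return [pscustomobject]@{ ProfileLoaded = $false; ValuePresent = $null }
    }
    $runKey  = "$hive\Software\Microsoft\Windows\CurrentVersion\Run"
    $present = $false
    if (Test-Path $runKey) {
        $props   = Get-ItemProperty -Path $runKey
        $present = $null -ne $props.PSObject.Properties[$ValueName]
    }
    [pscustomobject]@{ ProfileLoaded = $true; ValuePresent = $present }
}

function Test-ServiceMarkedForDeletion {
    param([Parameter(Mandatory)][string]$ServiceName)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ KeyPresent = $false; PendingDeletion = $false }
    }
    # When a service is deleted while still in use, the Service Control Manager sets
    # DeleteFlag = 1; the key disappears from services.msc but stays until reboot.
    $flag = (Get-ItemProperty -Path $key -Name DeleteFlag -ErrorAction SilentlyContinue).DeleteFlag
    [pscustomobject]@{ KeyPresent = $true; PendingDeletion = ($flag -eq 1) }
}

# Usage with placeholder identifiers:
Test-UserRunValueRemoved -Sid 'S-1-5-21-0000000000-0000000000-0000000000-1001' -ValueName 'Updater'
Test-ServiceMarkedForDeletion -ServiceName 'ExampleSvc'
```

ProfileLoaded = $false means Huntress cannot yet confirm the removal; PendingDeletion = $true means a reboot is what clears the item.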