Using Assisted Remediation
Assisted Remediation automates the execution of customized remediation actions provided by Huntress. Upon approval, the Huntress Agent performs the remediation actions on your behalf. Before Assisted Remediation, an IT support technician had to perform the remediation manually: connect to the host via a remote support utility and carry out Huntress's remediation instructions, in some cases coordinating with the end user as well. Now, on eligible steps in an incident, a button appears in the Huntress Portal that allows technicians to approve the automated actions required to remediate.
Assisted Remediation is best-effort, and it works by tasking the Agent to remove files. It does not perform a full "uninstall," so after Assisted Remediation runs, components of the program may be left behind. Its aim is to remove the persistence mechanisms (for example, scheduled-task footholds) that cause the application to auto-start. Once those persistence mechanisms are gone, the Agent considers the incident resolved.
Assisted Remediation will not reboot the host if a reboot is required.
Each incident report includes recommendations on the course of action. We highly recommend reading through the Incident Report before approving Assisted Remediation. Some reports recommend running the uninstaller for the potentially unwanted program, or other software that may be able to remove more than Assisted Remediation can. Following that recommendation requires Manual Remediation.
If an incident is reported where Assisted Remediation is available, a button labeled "Review Remediation Plan" is visible in the Huntress Portal. Note that there are still cases where Manual Remediation is required.
After reviewing the remediation plan, the technician can choose to either approve or reject the listed remediation steps:
The following screenshots explain what the status icons under the "Remediations" tab represent.
Once remediation has been approved, but before it is complete, a spinning wheel appears under the "Status" column. If the host is offline, the wheel remains until the host comes back online and the remediation can be performed.
If, for some reason, you do not approve of the remediation plan, it can be rejected. As part of the rejection process, you can provide details about why it was not approved. This allows Huntress to investigate further, make the suggested corrections, and re-issue the incident report:
There are scenarios where Manual Remediation is the best course of action.
Certain incidents cannot be handled through Assisted Remediation at all. These incidents display a red "x" on the "Review Remediation Plan" button and must be remediated by performing the tasks described in the incident report. Some cases where manual intervention is required:
- Malware that has modified system files, where removing those files may leave the system unusable.
- Malware that has modified an existing registry value rather than creating a new one (the original value must be restored, not simply deleted).
NOTE: There are cases where the remediation may fail, most often because the file is in use. The Agent will attempt to stop services and scheduled tasks, but it does not explicitly terminate processes. If the process is still running, it may hold the associated file open and prevent it from being removed; Manual Remediation is required in these cases.
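The following PowerShell script is an added example for the two situations described above (removing the persistence footholds that auto-start a program, and the file-in-use failure that Assisted Remediation does not handle). It is not Huntress code and does not reproduce the Agent's logic; every path, task name and service name is a hypothetical placeholder supplied by the technician from the Incident Report. It assumes the Run registry keys are among the persistence locations named in the report, and it adds the process-termination step that the page says the Agent deliberately skips.

```powershell
# Added example, not Huntress code. Manual remediation of a file-based foothold
# after Assisted Remediation reports "file in use". Run from an elevated session.
# All names passed in are hypothetical placeholders taken from the Incident Report.
param(
    [Parameter(Mandatory)] [string] $TargetPath,   # e.g. 'C:\Users\Public\updater.exe' (hypothetical)
    [string] $TaskName,                            # scheduled task that launches it, if any
    [string] $ServiceName                          # service that launches it, if any
)

# Find Run-key values (machine and current user) whose command line references the file.
function Get-RunKeyReferences {
    param([string] $Path)
    $hives = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($hive in $hives) {
        if (-not (Test-Path $hive)) { continue }
        $props = Get-ItemProperty -Path $hive
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
            if ("$($p.Value)" -like "*$Path*") {
                [pscustomobject]@{ Hive = $hive; Name = $p.Name; Value = $p.Value }
            }
        }
    }
}

# Exclusive-open probe: this is the check the Agent's delete would fail on.
function Test-FileLocked {
    param([string] $Path)
    try {
        $fs = [IO.File]::Open($Path, 'Open', 'ReadWrite', 'None')
        $fs.Close()
        return $false
    } catch [IO.IOException] {
        return $true
    }
}

# Processes whose image or any loaded module is the target file.
function Get-ProcessesUsingFile {
    param([string] $Path)
    $full = [IO.Path]::GetFullPath($Path)
    Get-Process -ErrorAction SilentlyContinue | Where-Object {
        try {
            ($_.Path -eq $full) -or
            (($_.Modules | Where-Object { $_.FileName -eq $full }) -ne $null)
        } catch { $false }   # module enumeration can be denied for protected processes
    }
}

# 1. Remove the persistence so nothing relaunches the file at boot or logon.
if ($TaskName) {
    Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue |
        Unregister-ScheduledTask -Confirm:$false
}
if ($ServiceName) {
    Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
    sc.exe delete $ServiceName | Out-Null   # works on Windows PowerShell 5.1 (no Remove-Service there)
}
foreach ($ref in Get-RunKeyReferences -Path $TargetPath) {
    Write-Host "Removing Run value $($ref.Name) from $($ref.Hive)"
    Remove-ItemProperty -Path $ref.Hive -Name $ref.Name
}

# 2. The Agent does not terminate processes; do that step here if the file is held open.
if (Test-FileLocked -Path $TargetPath) {
    $holders = Get-ProcessesUsingFile -Path $TargetPath
    foreach ($proc in $holders) {
        Write-Host "Stopping $($proc.ProcessName) (PID $($proc.Id)) holding $TargetPath"
        Stop-Process -Id $proc.Id -Force
    }
    Start-Sleep -Seconds 2
}

# 3. Remove the file. If this still fails, the lock belongs to a process that cannot be
#    stopped (or to the kernel), and a reboot followed by a re-run is the remaining option.
Remove-Item -Path $TargetPath -Force -ErrorAction Stop
Write-Host "Removed $TargetPath"
```

Run the script only after the Incident Report confirms the task, service and file are the ones to remove; the Run-key scan matches on the path substring, so review what it prints before relying on it, and keep the report's own instructions as the authority on which registry values are safe to delete.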