All Huntress data is archived and can be classified at any time. When a threat is found that was not previously seen, the team will search for this threat on all endpoints, including the archived data from offline or decommissioned endpoints.
When one of our Security Analyst categorizes a new malicious (or potentially malicious) threat the entire Huntress database will be searched (including archived data) to identify whether the threat is present on other endpoints.
Investigations utilize the most recent survey received from an agent, regardless of when it was received. The analysts will then retroactively send reports on all endpoints with the identified threat.
If you receive an incident report for a host that has been offline or If the host has been decommissioned you can remove it from Huntress (which will also close this incident) by following the instructions found here: Uninstalling the Huntress Agent
You can also request that we manually close the report by contacting us at: support@huntress.io