Team: Huntress EDR
Product: Assisted Remediation
Environment: Huntress EDR
Summary: Assisted Remediation can be used to help automatically execute customized remediation actions provided by Huntress to help correct harm done by malware and return a machine to a healthy state. It is a best-effort tool that works by tasking the Agent to remove affected files.
Remediation Plans can include the following combinations
- Only Assisted Remediations
- Assisted & Manual Remediations
- Only Manual Remediations
- No Remediations
This article will focus on incidents with Only Assisted and Assisted & Manual Remediations. If Assisted Remediations are present, the option to manually resolve is not available.
Assisted Remediation automates the execution of customized remediation actions provided by Huntress. Upon approval, the Huntress Agent will perform the remediation actions on your behalf. Before Assisted Remediation, an IT support technician would manually perform the Remediation. Manual Remediation requires connecting to the host via your remote support utility (RMM/RDP/TV) and carrying out Huntress's remediation instructions. In some cases, it also required coordinating with the end-user. Now, on eligible steps in an incident, a button will appear in the Huntress Portal, allowing technicians to approve the automated actions required to remediate.
Assisted Remediation is best-effort tool, and it works by tasking the Agent to remove files. It does not perform a full “uninstall,” so after running Assisted Remediation, there may be artifacts left behind.
If the incident report includes a Process Insights detection (our EDR system), a reboot is highly recommended to ensure any related malicious processes are no longer running. Learn more about Process Insights here: Process Insights Overview In order for the incident to automatically resolve and the host to be automatically released the Huntress Portal will need to verify a reboot happened.
Each incident report will include recommendations on the course of action. We highly recommend reading through the Incident Report before approving Assisted Remediation. Some reports will recommend running the uninstaller for the potentially unwanted program or other software which may be able to remove more than Assisted Remediation. This will require Manual Remediation.
If an incident is reported where assisted Remediation is available, a button labeled "Review Remediation Plan" will be visible in the Huntress Portal. Please note, there are cases where Manual Remediation may be required.
After reviewing the remediation plan, the technician can choose to either approve or reject the listed steps for Remediation (Note: If you plan to complete the remediations manually there is no need to reject the report. The report will automatically close when Huntress detects the remediations have been completed on the next agent check-in.):
The Remediations tab shows whether each remediation is complete, in progress, not completed, or failed.
The following screenshots explain what the status icons represent under the "Remediations" tab
Once Remediation has been approved, but before it is complete, a spinning wheel will appear under the "Status" column. If the host is offline, this wheel will remain until the host comes back online and remediation can be performed.
Hover over the red exclamation to review the error message. If remediation failed and the "remaining footholds" counter is greater than 0, manual remediation may be necessary to resolve the incident.
To learn more about common reasons remediations fail, follow the link: Why is an Incident still Active if I remediated it?
If, for some reason, you don't approve of the remediation plan, it can be rejected. As part of the rejection process, you can provide details about why it isn't approved. This allows Huntress to conduct further investigation and make the suggested corrections and re-issue the incident report:
In lieu of or in addition to Assisted Remediations, Huntress may also recommend Manual Remediations. Completing each Manual Remediations is optional, but Huntress does require acknowledgement of your understanding in order to resolve the report. More on Manual Remediation
Certain incidents cannot be handled through Assisted Remediation alone and must be remediated by performing the tasks described in the incident report. Some cases where manual intervention is required:
- The Huntress ThreatOps Team has added additional tasks that need to be performed manually
- Malware that has modified system files and removing those files may leave the system unusable.
- Malware that has modified an existing registry value rather than creating a new value
- Malware has created a registry value in a user hive, and the user hasn't been logging on. See this article on remotely loading a user hive to remediate a user key.
NOTE: There are cases where the Remediation may fail, most often due to the file being in use. The agent will attempt to stop services and scheduled tasks, but it does not explicitly terminate processes. A running process may prevent the associated file from being removed; Manual Remediation is then required. In some cases, the agent might be waiting on a reboot in order to gain access to the malicious file.
UPDATE: In the past, organization-level admins could not approve Assisted Remediation. Permissions were updated in Q2 2022 based on MSP partner feedback, and now all organization admins can approve Assisted Remediations.
Please sign in to leave a comment.