Assisted Remediation automates the execution of customized remediation actions provided by Huntress. Upon approval, the Huntress Agent performs the remediation actions on your behalf. Before Assisted Remediation, an IT support technician had to perform the remediation manually. Manual remediation requires connecting to the host via your remote support utility (RMM/RDP/TV) and carrying out Huntress's remediation instructions; in some cases it also requires coordinating with the end user. Now, on eligible steps in an incident, a button appears in the Huntress Portal that lets technicians approve the automated actions required to remediate.
Assisted Remediation is a best-effort tool: it works by tasking the Agent to remove files. It does not perform a full "uninstall," so after running Assisted Remediation there may be artifacts left behind.
Assisted Remediation will not reboot the host if a reboot is required.
Each incident report includes recommendations on the course of action. We highly recommend reading through the Incident Report before approving Assisted Remediation. Some reports recommend running the uninstaller for the potentially unwanted program or other software, which may remove more than Assisted Remediation can. This requires Manual Remediation.
If an incident is reported where Assisted Remediation is available, a button labeled "Review Remediation Plan" is visible in the Huntress Portal. Please note that there are cases where Manual Remediation may still be required.
After reviewing the remediation plan, the technician can choose to either approve or reject the listed steps for Remediation:
The Remediations tab shows whether each remediation is complete, in progress, not completed, or failed.
The following screenshots explain what the status icons represent under the "Remediations" tab
Once Remediation has been approved, but before it is complete, a spinning wheel will appear under the "Status" column. If the host is offline, this wheel will remain until the host comes back online and remediation can be performed.
Hover over the red exclamation mark to review the error message. If remediation failed and the "remaining footholds" counter is greater than 0, Manual Remediation may be necessary to resolve the incident.
To learn more about common reasons remediations fail, follow the link: Why is an Incident still Active if I remediated it?
If, for some reason, you don't approve of the remediation plan, it can be rejected. As part of the rejection process, you can provide details about why it isn't approved. This allows Huntress to conduct further investigation and make the suggested corrections and re-issue the incident report:
There are scenarios where Manual Remediation is the best course of action.
Certain incidents cannot be handled through Assisted Remediation at all. These incidents display a red "x" on the "Review Remediation Plan" button and must be remediated by performing the tasks described in the incident report. Some cases where manual intervention is required:
- Malware that has modified system files, where removing those files may leave the system unusable.
- Malware that has modified an existing registry value rather than creating a new one, since the original value must be restored rather than deleted.
- Malware that has created a registry value in a user hive while that user has not been logging on. See this article on remotely loading a user hive to remediate a user key.
NOTE: There are cases where the remediation may fail, most often because the file is in use. The Agent will attempt to stop services and scheduled tasks, but it does not explicitly terminate processes. If the process is still running, it may prevent the associated file from being removed; Manual Remediation is required in these cases. In some cases the Agent may be waiting on a reboot in order to gain access to the malicious file.
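As an added example (not Huntress code and not part of the original article), the PowerShell below carries out the two manual cases above on the host: removing a persistence value from a user hive whether or not that user is logged on, and removing a file that Assisted Remediation could not delete because a process, service or scheduled task still held it. The profile path, value name and file path passed at the bottom are assumed placeholders; run it in an elevated session started through your RMM/RDP tool.

```powershell
# Added example, not Huntress code. Assumes an elevated PowerShell 5.1+ session.
#Requires -RunAsAdministrator

function Remove-UserHiveRunValue {
    param(
        [Parameter(Mandatory)] [string] $UserProfilePath,  # e.g. C:\Users\jdoe (placeholder)
        [Parameter(Mandatory)] [string] $ValueName,        # Run value created by the malware
        [string] $SubKey = 'Software\Microsoft\Windows\CurrentVersion\Run'
    )
    # If the user is logged on, the hive is already mounted under HKEY_USERS\<SID>:
    # edit it in place rather than trying to load NTUSER.DAT a second time.
    $prof = Get-CimInstance Win32_UserProfile | Where-Object { $_.LocalPath -eq $UserProfilePath }
    $mountedByUs = $false
    if ($prof -and (Test-Path "Registry::HKEY_USERS\$($prof.SID)")) {
        $root = "Registry::HKEY_USERS\$($prof.SID)"
    } else {
        # User is not logged on: mount the offline hive under a temporary name.
        $hiveFile = Join-Path $UserProfilePath 'NTUSER.DAT'
        if (-not (Test-Path -LiteralPath $hiveFile)) { throw "No NTUSER.DAT under $UserProfilePath" }
        & reg.exe load 'HKU\RemediationTemp' $hiveFile | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }
        $root = 'Registry::HKEY_USERS\RemediationTemp'
        $mountedByUs = $true
    }
    try {
        $keyPath = "$root\$SubKey"
        $item = Get-ItemProperty -Path $keyPath -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -eq $item) { Write-Warning "Value '$ValueName' not present under $SubKey"; return $false }
        Write-Host "Removing $ValueName = $($item.$ValueName)"
        Remove-ItemProperty -Path $keyPath -Name $ValueName -ErrorAction Stop
        return $true
    }
    finally {
        if ($mountedByUs) {
            # The registry provider keeps handles open; release them or unload reports access denied.
            [GC]::Collect(); [GC]::WaitForPendingFinalizers()
            & reg.exe unload 'HKU\RemediationTemp' | Out-Null
        }
    }
}

function Remove-FootholdFile {
    param([Parameter(Mandatory)] [string] $Path)  # full path of the file the report names
    if (-not (Test-Path -LiteralPath $Path)) { Write-Warning "$Path is already gone"; return $true }

    # The Agent stops services and tasks but never kills processes, so a running
    # image is the usual reason its removal fails. Terminate it explicitly.
    Get-Process | Where-Object { $_.Path -eq $Path } | ForEach-Object {
        Write-Host "Stopping PID $($_.Id) ($($_.ProcessName)) holding $Path"
        Stop-Process -Id $_.Id -Force -ErrorAction Stop
    }
    # Stop and disable services whose image path references the file.
    Get-CimInstance Win32_Service | Where-Object { $_.PathName -like "*$Path*" } | ForEach-Object {
        Write-Host "Stopping and disabling service $($_.Name)"
        Stop-Service -Name $_.Name -Force -ErrorAction SilentlyContinue
        Set-Service -Name $_.Name -StartupType Disabled
    }
    # Disable scheduled tasks that launch the file.
    Get-ScheduledTask | Where-Object { $_.Actions.Execute -like "*$Path*" } | ForEach-Object {
        Write-Host "Disabling scheduled task $($_.TaskPath)$($_.TaskName)"
        Disable-ScheduledTask -TaskName $_.TaskName -TaskPath $_.TaskPath | Out-Null
    }
    try {
        Remove-Item -LiteralPath $Path -Force -ErrorAction Stop
        return $true
    } catch {
        # Typically a kernel-held lock: the file will only be removable after a reboot.
        Write-Warning "Removal failed: $($_.Exception.Message). Reboot the host and retry."
        return $false
    }
}

# Placeholder values; substitute those from the incident report.
Remove-UserHiveRunValue -UserProfilePath 'C:\Users\jdoe' -ValueName 'Updater'
Remove-FootholdFile -Path 'C:\ProgramData\updater\svc.exe'
```

The service and task handling deliberately stops and disables rather than deletes, matching what the Agent itself attempts; whether to delete the service or task outright is a call the incident report should guide. The `-like "*$Path*"` matches are a convenience and will misfire on paths containing wildcard characters such as `[`, so review the printed names before relying on them. After a successful run, confirm in the Portal that the "remaining footholds" counter has dropped to 0; if it has not, the report still lists work to do.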