Does the organization need to do a healthcheck in the environment?

Are certain endpoints being repeatedly attacked?

Is the organization being attacked by this external entity repeatedly?

Do ports need to be blocked or opened on the firewall?

Does a risk assessment need to happen in the environment?

Isolate the endpoint with a Quarantine Firewall policy

Blacklist the IRC channel IP

Blacklist the endpoint IP

Isolate the endpoint with an application control policy

Throughput

Bandwidth

Link speed

Number of users

ATP: Email

ATP: Endpoint

ATP: Network

ATP: Roaming

Protect

Identify

Respond

Detect

8446

8081

8014

1433

Create a unique Cynic account to provide to ATP

Create a unique Symantec Messaging Gateway account to provide to ATP

Create a unique Symantec Protection Manager (SEPM) administrator account to provide to ATP

Create a unique Email Security.cloud portal account to provide to ATP

To determine the best plan of action for cleaning up the infection

To isolate infected computers on the network and remediate the threat

To gather threat artifacts and review the malicious code in a sandbox environment

To access the current security plan, adjust where needed, and provide reference materials in the event of a similar incident

The search expired after one hour

10 endpoints are offline

The search returned 0 results on 10 endpoints

10 endpoints restarted and cancelled the search

Check for the file hash for each detection

Isolate a system and collect a sample

Submit the hash to Virus Total

Check of the threats are downloaded from the same domain or IP by looking at incidents