On-demand Manual User Initiated Connection

  1. User Initiated Event
  2. System Initiated User Feedback

As the name says, on-demand (at user's will), the user has control over when to connect or disconnect from GlobalProtect. Once connected to GlobalProtect, the user will see a 'disconnect' option to disconnect when needed. Under 'Connect-method' drop down, select 'On-demand (Manual user initiated. SensorView Manual Page 8 of 123 1. Device search (filter) allows a user to immediately begin typing to search for the device (over device ID, model, or custom label), while 2. Features allows for a user to search for a device based on its o Hardware capabilities: current-sensing, dimming-or-relay, occupancy, photocell, relay, switch, wireless.

  • Connect on Demand can only be checked if the Certificate Authentication field is set to Manual or Automatic. The Connect on Demand rules, defined by the Match Domain or Host and the On Demand Action fields. Always connect: iOS will always attempt to.
  • Because Chrome OS does not allow third-party applications to launch automatically, the GlobalProtect app for Chrome OS only supports on-demand connections. As a result, the end user has to launch the app and manually initiate a VPN connection to establish a VPN (tunnel) connection.

Mitigation Status

The Threat Event Logs screen in the console displays the status for the following tasks:

  • Threat mitigation

  • On-demand Scan (user-initiated and administrator-initiated)

  • Agent post-installation scan

User Initiated Event

This topic discusses Trend Micro recommended actions when tasks are not successfully carried out.

Task status

On-demand (manual user initiated connection)

Status

Task

Description and Recommended Actions

Statuses That Do Not Require Any Action

Mitigation in progress

  • Threat mitigation

  • Administrator-
    initiated On-demand Scan

  • Post-installation scan

Threat Mitigator received an event from a data source and is waiting for the agent to process the mitigation task.

Resolved threats: All threats resolved

  • Threat mitigation

  • Administrator-
    initiated On-demand Scan

  • User-initiated On-demand Scan

  • Post-installation scan

The agent has resolved all threats detected on the endpoint.

Resolved threats: Endpoint security software took action

Threat mitigation

Endpoint security software (such as OfficeScan) took a specific action on the infected file before the agent can take action. For a list of actions the security software can perform, refer to the documentation for the software.

Resolved threats: Threat no longer exists

Threat mitigation

A threat reported by the data source no longer exists at the time of cleanup. The threat may have been removed from the endpoint.

Resolved threats: Potential threat resolved

Threat mitigation

An item that has the potential of becoming a threat was confirmed as safe during cleanup.

Scanned endpoint: No threat found

  • Administrator-
    initiated On-demand Scan

  • User-initiated On-demand Scan

  • Post-installation scan

No threats were found on the endpoint.

  • The number of files scanned during the scan depends on the scan type. For details about scan types, see To configure On-demand Scan settings:.

Rollback successful

  • Threat mitigation

  • Administrator-
    initiated On-demand Scan

  • Post-installation scan

The agent successfully rolled back the mitigation action.

Statuses That Require An Action

Assessed endpoint: Manual cleanup needed

Threat mitigation

The agent detected threats in the endpoint during assessment but did not run cleanup because you have chosen to run cleanup manually.

On the Threat Management screen, click the Require post-assessment cleanup link. On the table at the lower section of the screen, select the endpoint and then click Run Cleanup.

No mitigation: Mitigation exception

  • Threat mitigation

  • Administrator-
    initiated On-demand Scan

  • Post-installation scan

The agent cannot perform the task because of a mitigation exception. For example, the endpoint’s IP address might be included in the mitigation exception list.

Check the threat detected on the endpoint. Consider removing the endpoint from the exception list if you want to run mitigation tasks on the endpoint, and then add the endpoint to the list again after all mitigation tasks have been completed.

  • Threat Discovery Appliance also has its own exception list. Threat Discovery Appliance monitors endpoints included in its exception list but does not send mitigation requests to Threat Mitigator.

Resolved threats: All selected threats resolved

User-initiated On-demand Scan

Threats that the user chose to resolve have been resolved. The user chose to leave other threats unresolved.

Check if there is a reason for not resolving the remaining threats (for example, the infected files are required to run the endpoint properly). For threats that you believe are safe to access, send threat samples to your support provider for analysis.

Scanned endpoint: No action performed on threats

User-initiated On-demand Scan

Users can manually select the threats to resolve. The user chose to leave all the detected threats unresolved.

Check if there is a reason for not resolving the threats (for example, the infected files are required to run the endpoint properly). For threats that you believe are safe to access, send threat samples to your support provider for analysis.

Unsuccessful: Mitigation timeout

Threat mitigation

The agent did not finish a task within a certain time period.

Actions:

  1. Collect debug logs from endpoints. For details, see Debug Logs.

  2. Send the logs to your support provider for analysis.

Unsuccessful: Cannot connect to endpoint

  • Threat mitigation

  • Administrator-
    initiated On-demand Scan

  • Post-installation scan

Threat Mitigator notified the agent to run a task. However, the agent was unreachable.

  • The agent is considered unreachable if unresponsive within 3 hours.

Verify the following:

  • The endpoint runs a supported operating system. .

  • The agent is installed and is currently up and running.

  • The endpoint is able to connect to the network.

  • There is a functional connection between Threat Mitigator and the agent.

Unsuccessful: Cannot run mitigation task on platform

  • Threat mitigation

  • Administrator-
    initiated On-demand Scan

  • Post-installation scan

The agent is running and can run mitigation tasks but the endpoint’s operating system does not support the mitigation task.

If the endpoint’s operating system supports On-demand Scan:

  • Try launching the scan from the Threat Management screen.

  • Instruct the user to run the scan directly on the endpoint.

For details about launching or running On-demand Scan, see Running On-demand Scan.

Unsuccessful: Incomplete task

  • Threat mitigation

  • Administrator-
    initiated On-demand Scan

  • Post-installation scan

There were pending tasks before a deliberate or unexpected restart of Threat Mitigator. Upon restart, Threat Mitigator was unable to resume the tasks.

Collect system logs and then send them to your support provider.

Unsuccessful: Not all threats resolved

  • Threat mitigation

  • Administrator-
    initiated On-demand Scan

  • User-
    initiated On-demand Scan

  • Post-installation scan

The agent was unable to resolve all threats.

Actions:

  • Review the threats listed in the Clean History tab in the Event Details screen. You can manually remove detected threats that you consider harmless.

  • Ask the user to run On-demand Scan again to resolve the threats.

  • If the threats cannot be resolved, collect debug logs from the endpoint. For details, see Debug Logs. Send the logs to your support provider for analysis.

Unsuccessful: Not all selected threats resolved

User-initiated On-demand Scan User's manual for motorola g plus 5th generation.

Some of the threats that the user chose to resolve were not resolved possibly because of errors in the On-demand Scan program or the agent. The user also chose to leave other threats unresolved.

Actions:

  1. Ask the user to run On-demand Scan again to resolve the threats.

  2. If the threats cannot be resolved, collect debug logs from the endpoint. For details, see Debug Logs. Send the logs to your support provider for analysis.

  3. Check if there is a reason for not resolving the threats the user chose not to resolve (for example, the infected files are required to run the endpoint properly). For threats that you believe are safe to access, send threat samples to your support provider for analysis.

Unsuccessful: Agent component problem

Threat mitigation

Components used by the agent will only be functional when the endpoint restarts.

Restart the endpoint.

Unsuccessful: Agent component error

  • Threat mitigation

  • Administrator-
    initiated On-demand Scan

  • User-
    initiated On-demand Scan

  • Post-installation scan

The agent cannot perform the task because a component used by the agent encountered an error.

Actions:

  1. Uninstall the agent, restart the endpoint, and then install the agent.

  2. If the same error occurs, collect debug logs from the endpoint. For details, see Debug Logs.

  3. Send the logs to your support provider for analysis.

Unsuccessful: Corrupted configuration file

  • Threat mitigation

  • Administrator-
    initiated On-demand Scan

  • User-
    initiated On-demand Scan

  • Post-installation scan

A configuration file required to run a task is corrupted.

Actions:

  1. Collect debug logs from endpoints. For details, see Debug Logs.

  2. Send the logs to your support provider for analysis.

Unsuccessful: Pattern not found

  • Threat mitigation

  • Administrator-
    initiated On-demand Scan

  • Post-installation scan

A custom pattern required to run a task is not available.

On the Threat Management screen, check the custom patterns currently available on Threat Mitigator. If the pattern does not exist and you have TMSP as an on-premise application, try to deploy the pattern from TMSP’s administrative console. If you have TMSP as a hosted service, contact your Trend Micro representative for help.

Unsuccessful: Cannot send scan query

  • Threat mitigation

  • Administrator-
    initiated On-demand Scan

  • User-
    initiated On-demand Scan

  • Post-installation scan

The agent cannot start a task because it cannot send scan queries to the Smart Protection Server or the Trend Micro Smart Protection Network.

If the task has started and the endpoint loses connection with Smart Protection Server and Smart Protection Network, it bypasses files requiring a scan query. Users can proceed to access the files.

Ensure that smart protection settings are correct and that there is a functional connection between the endpoint and Smart Protection Server or Smart Protection Network. For details, see Smart Protection Technology.

Rollback unsuccessful

  • Threat mitigation

  • Administrator-
    initiated On-demand Scan

  • Post-installation scan

The agent was unable to completely roll back files, registry keys, or services because the backup file does not exist or is corrupted.

To complete the roll back:

  1. Locate the Task ID for the mitigation task from the Event Details screen.

  2. Navigate to C:%WINDIR%PEAgentiRobotlogand check if the %TaskID% folder exists.

  3. On the %WINDIR%PEAgentiRobot folder, type the following command:

  4. HouseCallCLI.exe -RE -SID=%TaskID%

    • Navigate to the Event Details screen of each task to locate TaskID.

  5. If the above steps do not restore files, registry keys, or services, collect debug information from the endpoint. For details, see Debug Logs.

  6. Send the log files to your support provider for analysis.

See also:

System Initiated User Feedback