Defend, detect, deploy: A live journey through EDR’s power against ransomware

Currently there is no automatic isolation. What is possible is to set up notifications. ThreatDown has an agent that generally detects and remediates most infections. Suspicious activity is a rare type of zero-day event. Notifications allow users to react in a timely manner. If no one on your team is available to do go into the threat, ThreatDown has MDR and a stock team available to help with a guided threat hunting process or to fully manage the threat hunting. So ThreatDown has options for those users who may not be able to get directly into the console or be available 24/7 to protect.

The panic button is the agent. The agent provides all the information you need. The end user shouldn't even panic. When people panic, they make the wrong decisions. ThreatDown wants to provide enough information through notifications or through the console that no one ever has to panic. This is one of the reasons why ThreatDown has user isolation.  The solution gives the user enough information and time to take care of something, and the agent does half the work in that situation. When it comes to remediation, the goal is to keep everybody calm and allow people to use the agent and the console to protect themselves without starting a fire in the organization.

The appearance of the agent depends on the policy settings. If you allow the end user to open the agent, they basically get options to scan and they get red pop-up notifications if something is blocked. Let's say a user is using DNS protection and a website is blocked, they get a little pop-up that says you can't go to that site. 

It is a very simple and small agent that is designed not to overwhelm users and not to panic them. With simple policy settings, ThreatDown gives users options on what this interface looks like and what's visible to them. If ThreatDown e.g. completely blocks them from seeing the agent, there will be a little ThreatDown logo visible in the bottom right corner. That indicates it is protecting the end user and the console is getting all the information.

TeamViewer with ThreatDown (powered by Malwarebytes) is not an XDR product. It will do similar things but will probably also be complementary in some ways. It is a non-conflicting agent. This means that ThreatDown will work alongside whatever protection the user has.  So, if there is a need to have two protections, users can put the ThreatDown agent on any machine with any security product and it will work in parallel. ThreatDown will not duplicate everything that ESET does, just as ESET will not duplicate things from ThreatDown. Both products will complement each other in the best possible way.

There are three main ways that ransomware gets in. Those three things haven't changed much in the last five to six years. TeamViewer has long been known for secure remote access. If you have TeamViewer Remote Access in place, you also have patching capabilities. 

The second way that organizations get hit with ransomware is through vulnerabilities. If it's a known vulnerability, that means there's a patch out there for users and TeamViewer patching can be used to fix it. 

If it's an unknown vulnerability, a zero-day impact, that's where ThreatDown really comes in. 

Third there’s phishing: While ThreatDown is not an email security solution, the main way that phishing emails end up infecting users' PCs is through malicious downloads/payloads or infected websites, ThreatDown protects against both. Combining TeamViewer with ThreatDown creates a truly robust security platform.