How Threats Are Managed in Dell Endpoint Security Suite Enterprise

Figure 2: (English Only) Analysis Phase

Once a threat has been detected, Advanced Threat Protection classifies:

If a threat was found during the detection phase, then a local threat score is assigned.

If the endpoint is connected and online, the hash value of the threat is sent to the cloud. If the cloud threat score differs from the local threat score, the cloud threat score is relayed to the endpoint, and the cloud threat score overwrites the local threat score.

If the auto-upload policy is enabled, then the threat is uploaded to the Cylance Tenant.

Once a threat score is assigned, the data is given an unsafe or abnormal attribute and then Advanced Threat Protection moves into the Remediation Phase.

Figure 3: (English Only) Remediation Phase

Once a threat score and classification has been assigned, Advanced Threat Protection determines:

Should the threat be safe-listed? If so, the file hash is added to the endpoint and no further action is taken on the file.

If the threat is not safe-listed, then Advanced Threat Protection checks if the Auto Quarantined policy is enabled. If Auto Quarantine is enabled, then the threat is quarantined.

If auto quarantine is not enabled, then a check is done to determine if the file has been manually set to quarantine by the DDP Administrator. If the threat is set for quarantine, then file hash is added to endpoint's local database and then the file is quarantined.

If the threat is not safe-listed or quarantined, then an alert is sent to the console for DDP Administration visibility and potential action.