# Malware remediation and recovery, from one console. Contain infected endpoints, stop malicious activity, and recover affected files — from one console. ## Real-time malware response capabilities - Real-time malware response - Endpoint isolation - File quarantine - Rollback & recovery - Root cause analysis - MITRE ATT&CK visibility ## Malware removal is not the same as malware remediation. Basic malware removal usually focuses on deleting or quarantining a suspicious file. But once malware executes, the damage may already go beyond one file — child processes, abused system tools, modified configurations, persistence, and lateral movement attempts. ### Removal “Can we delete the file?” Single-file thinking. Treats every detection as an isolated event. Works on the artifact, not the incident. - Deletes or quarantines one file - Misses runtime, scripts, and process behavior - Leaves persistence, config changes, and lateral risk - No insight into how the attack started ### Remediation “Can we contain, undo, and prevent it from happening again?” Workflow thinking. Connects file, process, behavior, and root cause into a single response. - Contain endpoint · stop active behavior · quarantine artifacts - Recover affected files and reverse unwanted changes - Map the full attack chain with MITRE ATT&CK context - Harden policy from real incident insights > Malware Protection Plus moves teams from simple cleanup to **complete endpoint remediation** — containment, process termination, file quarantine, rollback, recovery, and root cause visibility, in one console. ## From detection to recovery — one malware response workflow. Seven coordinated stages that turn a single alert into a complete, defensible incident response. ### 01. [Detect](https://www.manageengine.com/malware-protection/malware-detection.html?remedition) Identify known, unknown, suspicious, and behavior-based malware activity. ### 02. Contain Isolate compromised endpoints to limit spread across the network. ### 03. Stop Terminate malicious processes and active attack behavior in real time. ### 04. Clean up Quarantine unsafe files and respond to related artifacts. ### 05. Recover Restore affected files and reverse unwanted changes where possible. ### 06. Investigate Review RCA, full attack chain, and MITRE ATT&CK mapping. ### 07. Harden Use incident insights to improve future protection policies. ## End-to-end malware analysis based on the MITRE ATT&CK framework. ### Isolate compromised endpoints before malware moves laterally. When an endpoint shows signs of active compromise, speed matters. Cut it off from the network to limit spread and reduce lateral movement risk — without losing visibility into the device. - Isolate compromised endpoints during active incidents - Limit malware spread across the network - Reduce lateral movement opportunities - Keep the endpoint visible for investigation and response - Support faster containment during high-risk malware events ### Stop malicious activity while it is still running. Modern malware does not always sit quietly as a file on disk. It executes through scripts, memory, trusted system tools, or chained processes that look normal in isolation. The priority is to stop the behavior before it causes more damage. - Terminate malicious processes - Stop suspicious process trees - Interrupt script-based and fileless activity - Detect ransomware-class encryption behavior - Respond to suspicious runtime activity before damage escalates **The file may be new. The behavior is not.** Runtime monitoring exposes malware by what it does, not just what it is called. ### Quarantine malicious files and prevent re-execution. After detection, unsafe files need to be contained so they cannot continue execution or trigger the same infection. Connect the file, the process, the behavior, and the root cause behind the attack — not just one isolated event. - Quarantine malicious and suspicious files - Prevent unsafe files from running again - Connect file-based detection with runtime activity - Support cleanup as part of a broader remediation workflow - Reduce repeated infections from the same threat source ### Recover affected files and reduce malware-driven downtime. Stopping the attack limits further damage. Recovery reduces business impact. Restore affected files to a safer previous state, reverse unwanted changes, and get users back to work faster. - Restore affected files where recovery is available - Reverse unwanted file changes caused by malware activity - Reduce downtime after malware or ransomware-class behavior - Support faster endpoint recovery after active compromise - Minimize manual restoration effort for IT and security teams **Containment stops the spread. Recovery reduces the impact.** ### Investigate the root cause, not just the alert. A remediated endpoint is not fully secure if the entry point remains unknown. Map the attack chain from initial execution, parent and child process relationships, suspicious files, attempted changes, MITRE ATT&CK techniques, and every response action taken. - Initial execution source and timeline - Parent and child process relationships - Suspicious files and affected processes - MITRE ATT&CK technique mapping - Response actions taken during remediation **Remediation fixes the endpoint.** Root cause analysis helps fix the weakness that let the attack happen. ## Built for real-world malware remediation and recovery scenarios. Five high-frequency response patterns that Malware Protection Plus is tuned to handle out of the box. ### 01. Ransomware-class behavior Detect suspicious encryption behavior, isolate affected endpoints, stop malicious processes, and restore affected files where possible to reduce operational impact. **Common signals:** - Mass file rename - Shadow copy delete - Ransom note staged - High entropy writes **Sample response trace:** - **Trigger:** Encryption rate >200 files / 30s - **Action 1:** Isolate endpoint `10.17.42.91` - **Action 2:** Terminate `svhost.exe` + 3 child processes - **Recover:** Roll back 147 files from snapshot - **RCA:** Mapped to MITRE T1486 ### 02. Fileless malware Identify suspicious script-based and in-memory activity, stop active processes, and investigate the process chain behind the attack. **Common signals:** - PowerShell encoded command - In-memory injection - Reflective DLL load - No disk artifact **Sample response trace:** - **Trigger:** EncodedCommand entropy 9.4 / 10 - **Action 1:** Kill `powershell.exe` + spawned child - **Action 2:** Block parent `winword.exe` macro path - **RCA:** Captured 12-step in-memory chain - **Harden:** Push policy block for macro → ps1 ### 03. Zero-day malware Respond to unknown malware based on behavior, not just signatures, and contain the endpoint while teams investigate the incident. **Common signals:** - Unsigned binary - Outbound to new domain - Credential dump pattern - Unknown hash **Sample response trace:** - **Trigger:** Behavior score 82 / 100 - **Action 1:** Isolate · permit analyst RDP only - **Action 2:** Quarantine `unknown.exe` (sha 55d8…) - **Inspect:** Live forensic capture queued - **Share:** Indicator pushed to fleet policy ### 04. Infected endpoint recovery Quarantine malicious files, stop active threats, and restore affected files to bring compromised endpoints back to a safer state. **Common signals:** - Multi-artifact infection - Configuration drift - Persistence created - User impact **Sample response trace:** - **Triage:** 189 affected files · 3 persistence keys - **Clean:** 4 files quarantined · 1 blocked - **Reverse:** Registry rolled back to 12:01:44 - **Recover:** 189 / 189 files restored - **Re-admit:** Endpoint safe · returned to VLAN ### 05. Suspicious process Terminate malicious or suspicious processes and investigate parent-child process relationships to understand how the activity started. **Common signals:** - Unusual parent-child relationship - High-privilege child - Rare process name - Off-hours activity **Sample response trace:** - **Trigger:** Suspicious parent: `explorer.exe → cmd.exe → curl` - **Action:** Terminate process tree (3 nodes) - **Inspect:** Curl target: `cdn-x.amzn[.]cc` - **RCA:** Phishing-link click at 11:58:12 - **Harden:** Block domain at gateway ## Malware remediation, recovery, and investigation — from one console. Instead of switching between separate tools for containment, cleanup, recovery, and investigation, your team responds from one place. ### One console for the whole incident: detect, contain, recover, investigate, harden. No tool-switching, no broken context, no separate license sprawl. The response stays connected from first alert to closing report. - Move beyond basic malware removal with full endpoint remediation - Stop active malware behavior in real time - Recover affected files and reduce downtime - Investigate root cause with attack chain visibility ### Contain before it spreads Isolate compromised endpoints before malware reaches shared drives, credentials, or other endpoints. ### Stop behavior, not just files Runtime monitoring catches scripts, fileless activity, and trusted-tool abuse. ### Recover, don't just respond Roll back affected files and reverse unwanted changes to cut downtime. ### Root cause, not just alerts Full attack chain and MITRE ATT&CK mapping turn every incident into a hardening insight. ## Common questions about malware remediation. ### What is malware remediation and recovery software? ![arrow](https://cdn.manageengine.com/sites/meweb/images/desktop-central/images/arrow.svg) Malware remediation and recovery software helps security teams respond after malware is detected. It can include endpoint isolation, malicious process termination, file quarantine, file restoration, rollback, root cause analysis, and automated response actions.